Man-on-the-side attack

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search

A man-on-the-side attack is a form of active attack in computer security similar to a man-in-the-middle attack. Instead of completely controlling a network node as in a man-in-the-middle attack, the attacker only has regular access to the communication channel, which allows him to read the traffic and insert new messages, but not to modify or delete messages sent by other participants. The attacker relies on a timing advantage to make sure that the response he sends to the request of a victim arrives before the legitimate response.

In real-world attacks, the response packet sent by the attacker can be used to place malware on the victim's computer.[1] The need for a timing advantage makes the attack difficult to execute, as it requires a privileged position in the network, for example on the internet backbone.[2] Potentially, this class of attack may be performed within a local network (assuming a privileged position), research has shown that it has been successful within critical infrastructure.[3]

The 2013 global surveillance revelations revealed that the US National Security Agency (NSA) widely uses a man-on-the-side attack to infect targets with malware through its QUANTUM program.[1]

GitHub suffered such an attack in 2015.[4] The Russian Threat Group might have suffered a similar attack in 2019.


Man-on-the-side has become a more familiarized term after Edward Snowden leaked information about the NSA's quantum insert project. Man-on-the-side attack involves a cyber-attacker in a conversation between two people or two parties who are communicating online. The cyber-attacker is able to intercept and inject messages into the communication between the two parties.[5] However, the cyber-attacker is not able to remove any signals on communication channels. Man-on-the-side attack can be applied to websites while retrieving online file downloads. The cyber-attacker is able to receive signals and perform the attack through a satellite. As long as they have a satellite dish in the place they're residing in, they will be able to read transmissions and receive signals. Satellites tend to have high latency, which gives the cyber attacker enough time to send their injected response to the victim before the actual response from one party reaches the other through the satellite link.[5] Therefore, this is the reason why an attacker relies on timing advantage.

The main difference between man-in-the-middle attack and man-on-the-side-attack is that man-in-the-middle attackers are able to intercept and block messages and signals from transmitting, whilst man-on-the-side attackers are able to intercept and inject messages and signals before the other party receives a legitimate response.

Since man-on-the-side attack requires a strong timing advantage, a reason to why people use Man-on-the-side attack may be explained through their psychological behaviour. Faculty Member from the University of Stavanger, Maria Kjaerland, conducted an exploration study to examine the relationship between different cyber offences and psychological behaviours.[6] She concluded that web compromise is a common activity for hackers attacking targets for challenge because it relies on attackers having accurate timing in leaving messages victims. They can be easily caught if the timing is incorrect and will not be able to make up for it. Therefore, this challenge bears higher consequences amongst other types of attacks.[6] Therefore,  Similarly, man-on-the-side attack also require attackers to rely on having time advantage in order to retrieving and modifying information from victims without them realising or determining what the hacker has done.



In 2019, it was reported that man-on-the-side attack might have been conceived by the Russian Threat Group through installing Malwares. When victim used the internet and requested to download a file at a particular website, man-on-the-side attackers who were present were aware that the victims were attempting to download the file. Since the man-on-the-side attackers were not able to prohibit the victim from downloading the file, what they could do was to intercept the server and send a signal to the victim before the victim received a legitimate response, which was the requested download file.[7] The attacker then intercepted and sent the victims a message that directed them to a 302 error site, which led the victim to think that the file has been removed or it simply cannot be downloaded. However, even though the victim would receive a legitimate response from the website file download, since their servers were already contaminated, they would not have been able to view the legitimate website and file sine they received a so-called proper response from the attacking team.[8] At the 302 error site, the attacking team directed the victims to an alternative website to download the files they wanted to, which the attacking team controlled and ran. When the victim connected to the attacking team's server, not known to their knowledge, they would start downloading the file because on the victim's screen, it shows that this site is working and they can finally download the file.[9] However, the attacking team had already found the original file from the legitimate website and modified the file to include pieces of malwares and sent the file back to the victim. When the victim clicked on the link and started downloading the file, they were already downloading a file that consisted of malwares.


In 2015, the two GitHub repositories suffered a flooded attack due to man-on-the-side attack. When a user outside of China attempts to browse a Chinese website, they are required to pass the Chinese Internet Infrastructure before automatically being directed to the website. The infrastructure allowed the request to the legitimate Chinese website the user wanted to browse to without any modifications involved. The response came back from the website, but as it passed through the Chinese Internet Infrastructure, before it could get back to the user, the response had been modified. The modification involved a malware that changed the Baidu analytics script from only accessing Baidu to the user-making request to access the two GitHub Repositories as they continued browse the website.[10] The user, who was able to continue browsing the Chinese search engine, Baidu, were innocent since they were absolutely unaware of the fact that their response involved an embedded malicious script, which would make a request to access GitHub on the side.[10] This happened to all users outside of china who was trying to seek access to a Chinese website, which resulted in extremely high volumes of requests being made to the two GitHub Repositories. The enormous load GitHub had to bear had caused the server to flood and was thus attacked.

Preventing Attacks[edit]

Ways to prevent and mitigate attack on a Micro Level[edit]

1.     Get an Insurance coverage

If a malware is detected that results in you losing your data stored, it may be financially affected. Insurance coverage ensures that financial losses are covered. This is beneficial for companies because losses to consumers or businesses impacted may result in millions and billions of dollars of losses, or even face bankruptcies. In 2017, the NotPetya cyber attack caused companies to suffer a 10 billion in worldwide damage.[11]

2.     Familiarising with Malware products

An observational study conducted[12] has concluded that although many people acknowledge the need in downloading malware defence products, many people are not familiar with the functions of it and how it helps protects users from being exposed to attacks. For example, many users ignore software notification alert messages when downloading potentially harmful files, which makes them more susceptible to attacks. Therefore, users should use the malware defence products effectively to prevent unnecessary successful cyber-attacks.

3. Acknowledging different types of cyber attacks

In the software cybersecurity market, there are many different types of malware defence products. It is essential to gain a holistic view of the risks associated with cyber attacks so users purchase the most effective malware defence software. The three main pillars of the risks are threat type, likelihood of occurrence score, and Vulnerability.[13] The relationships between the three pillars of risks are as follows. If the threat is low, suggesting that attacking results in a limited effect on a micro and macro scale, an attacker requires a low level of IT skills; thus, the vulnerability and the likelihood of the attack would be high. On the other hand, if the threat is high, meaning that attacking results in a limited effect on a micro and macro scale, the vulnerability and the likelihood of the attack would be low. It is important to acknowledge what kind of data and information you aim to protect and purchase the malware software accordingly.[13] Since man-on-the-side attack relies on accurate timing, it is considered to have a high threat but low likelihood of occurrence and vulnerability. Therefore, the extent to which households need to purchase malware defences to prevent man-on-the-side attack would not be necessary.

Ways to prevent and mitigate attacks on a macro level[edit]

1. Promoting digital safety and security through knowledge, skills and innovation

The government should urge technological firms to perform advanced research and development to produce safe digital technologies and infrastructures. This could enhance safe and secure digital practices at all levels of society. For example, in Austria, this is one of the main strategies the government aims to adopt for the development of security technology. R&D may include developing and strengthening cyber-security programmes, and providing training for the emergence of cyber-security experts.[13]

2. Enhancing Crisis Response

As technology advances, there are simultaneously greater varieties of attacks that occur. Governments are encouraged to go beyond their understanding from professional and educational knowledge and to exercise a contingency plan through simulated cyber incidents to gauge a practical level of preparedness.[14] Therefore, this enhances the government's resilience in mitigating and adapting to risks posed by cyber attacks. The government must be aware of the budget allocated in anti virus software since they have different functionalities and should draw a balance between the sophistication, risk and vulnerability of the attack since it impacts the likelihood of an attack.[10]


  1. ^ a b Gallagher, Ryan; Greenwald, Glenn (12 March 2014). "How the NSA Plans to Infect 'Millions' of Computers with Malware". The Intercept. Retrieved 15 March 2014.
  2. ^ Schneier, Bruce (4 October 2013). "Attacking Tor: how the NSA targets users' online anonymity". The Guardian. Retrieved 15 March 2014.
  3. ^ Maynard, Peter; McLaughlin, Kieran (1 May 2020). "Towards Understanding Man-on-the-Side Attacks (MotS) in SCADA Networks". 17th International Conference on Security and Cryptography (SECRYPT 2020). arXiv:2004.14334. Bibcode:2020arXiv200414334M.
  4. ^ Hjelmvik, Erik (31 March 2015). "China's Man-on-the-Side Attack on GitHub". NetreseC. Retrieved 16 April 2020.
  5. ^ a b Mushtaq, Maria et al. 2020. "WHISPER: A Tool For Run-Time Detection Of Side-Channel Attacks." IEEE Access 8:83871-83900.
  6. ^ a b Kjaerland, Maria. 2005. "A Classification Of Computer Security Incidents Based On Reported Attack Data." Journal of Investigative Psychology and Offender Profiling 2(2):105-120.
  7. ^ "Russian Threat Group May Have Devised a 'Man-on-the-Side' Attack". Dark Reading. Retrieved 2020-11-14.
  8. ^ "GitHub DDoS Attack Traces to China". Retrieved 2020-12-06.
  9. ^ Mozur, Paul (2015-03-30). "China Appears to Attack GitHub by Diverting Web Traffic (Published 2015)". The New York Times. ISSN 0362-4331. Retrieved 2020-12-06.
  10. ^ a b c Albahar, Marwan. 2017. "Cyber Attacks And Terrorism: A Twenty-First Century Conundrum." Science and Engineering Ethics 25(4):993-1008.
  11. ^ Ruhl, Christian, Duncan Hollis, Wyatt Hoffman, and Tim Maurer. 2020. "Cyberspace and Geopolitics: Assessing Global Cybersecurity Norm Processes at a Crossroads"Carnegie Endowment for International Peace. 14(1): 7-32
  12. ^ Lévesque, F., Chiasson, S., Somayaji, A. and Fernandez, J., 2018. "Technological and Human Factors of Malware Attacks". ACM Transactions on Privacy and Security, 21(4), pp.1-30.
  13. ^ a b c Haddad, Christian, and Clemens Binder. 2019. "Governing Through Cybersecurity: National Policy Strategies, Globalized (In‑)Security And Sociotechnical Visions Of The Digital Society." Österreichische Zeitschrift für Soziologie 44(S1):115-134. [PDF]
  14. ^ Douzet, Frederick. 2014. "Understanding Cyberspace with Geopolitics". In Hérodote 152(1): 3-21