From charlesreid1

Revision as of 20:21, 22 August 2016 by Admin

What is traffic injection?

The term "traffic injection," in the context of a Man in the Middle (MITM) attack, refers to any situation where the attacker, already positioned between the sheep (the victim host) and the gateway, actively modifies the traffic passing between them.

This can take many forms, of course:

  • Attacker can modify traffic from gateway to sheep, or from sheep to gateway
  • Attacker can selectively drop packets for denial of service of certain protocols/content
  • Attacker can perform search/replace on traffic (e.g., replace all images with other images)
  • Attacker can inject things into traffic, e.g., particular content, JavaScript/CSS files, etc.

How it works

Typically, the way this works is that the man in the middle attacker sets up an HTTP and/or HTTPS proxy server. On one side of the proxy server is the sheep, and on the other side is the gateway. As traffic from the sheep enters the proxy server, it is passed through a set of traffic filters, its headers are updated, and when (if) it comes out the other side, it is forwarded along to the gateway. Likewise, as traffic from the gateway enters the proxy server, it is passed through a different set of traffic filters, its headers are updated, and when (if) it comes out the other side, it is forwarded along to the sheep.

This gives the attacker control of the traffic in both directions. The different forms of traffic injection (modification, selective drops, search/replace, etc.) are simply different filters that the attacker writes and drops into the proxy server's pipeline.
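The pipeline described above, reduced to a toy in-memory model as an added example (not code from the original page): messages pass through a list of filters that may rewrite headers and body or drop the message, and a client-side check shows why a Content-Length sanity check misses a rewrite whose filter fixed up the header, while a body digest catches it. The Message class, filter helpers and sample host/body values are constructed for this example.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass
class Message:
    """One HTTP request or response, reduced to what the filters look at (constructed)."""
    headers: dict = field(default_factory=dict)
    body: bytes = b""

def run_filters(msg, filters):
    """The proxy's pipeline: each filter may rewrite msg or return None to drop it."""
    for f in filters:
        msg = f(msg)
        if msg is None:
            return None  # selective drop: nothing is forwarded to the other side
    return msg

def drop_if(predicate):
    """Filter that drops any message matching predicate (the selective-drop case)."""
    return lambda msg: None if predicate(msg) else msg

def search_replace(old, new):
    """Filter that rewrites the body and updates Content-Length to stay consistent."""
    def f(msg):
        msg.body = msg.body.replace(old, new)
        msg.headers["Content-Length"] = str(len(msg.body))
        return msg
    return f

def check_response(msg, expected_digest):
    """Defender side: indicators that a response changed between origin and client."""
    problems = []
    declared = msg.headers.get("Content-Length")
    if declared is not None and int(declared) != len(msg.body):
        problems.append("content-length mismatch")
    if hashlib.sha256(msg.body).hexdigest() != expected_digest:
        problems.append("body digest mismatch")
    return problems

def demo_rewrite():
    """Constructed response passes through a search/replace filter. The filter keeps
    Content-Length consistent, so only the digest comparison notices the change."""
    origin = Message({"Content-Length": "13"}, b"Hello, world!")
    expected = hashlib.sha256(origin.body).hexdigest()  # what the origin published
    delivered = run_filters(origin, [search_replace(b"world", b"there")])
    return check_response(delivered, expected)  # returns ['body digest mismatch']
```

A drop filter such as `drop_if(lambda m: m.headers.get("Host") == "blocked.example")` makes `run_filters` return None, which is the proxy silently discarding that message.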