
On-Path Attacks Overview

Jun 16, 2025

Overview

This lecture covers on-path attacks (also known as man-in-the-middle attacks): ARP poisoning on a local network, browser-based attacks that use a proxy on the victim's own device, and wireless evil twin access points, along with the basic ways to protect communications against them.

On-Path Attacks (Man-in-the-Middle)

  • On-path attacks place the attacker on the network path between two devices, allowing traffic to be intercepted, recorded, or altered without either side's knowledge.
  • Both end devices usually see a working connection and have no indication their conversation is being monitored or manipulated.
  • Because the interception happens on the path rather than on the endpoints, host-based security software often sees nothing abnormal and may not detect the attack.

ARP Poisoning (ARP Spoofing)

  • ARP (Address Resolution Protocol) maps IP addresses to MAC addresses on a local network segment.
  • ARP has no authentication: a device accepts any ARP reply it receives, even one it never asked for, and stores the result in its ARP cache.
  • An attacker on the same subnet sends forged ARP replies to a victim, claiming that another device's IP address (e.g., the router's) belongs to the attacker's MAC address.
  • The victim updates its ARP cache with the attacker's MAC address for the legitimate IP.
  • Traffic meant for the router is now delivered to the attacker instead.
  • Attackers typically poison both sides, telling the victim that the router's IP is the attacker's MAC and telling the router that the victim's IP is the attacker's MAC, then forward packets between the two so the connection keeps working while every packet passes through the attacker's device. Since ARP never crosses a router, the attacker must already be on the same LAN or Wi-Fi network.
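The two signs of the poisoning described above (an IP address that suddenly answers from a new MAC, and a single MAC answering for several IPs) can be spotted by watching ARP replies. The following is an added example, not code from the lecture: it builds a handful of constructed Ethernet/ARP frames (all addresses are made up) for a normal request/reply exchange followed by an attacker poisoning both the victim and the router, parses them, and reports the anomalies. The frame layout follows the standard ARP packet format for IPv4 over Ethernet.

```python
# Added example: an ARP-reply monitor that learns IP-to-MAC bindings and
# flags the signatures of a poisoning attack. All frames are constructed
# here for the example; nothing is captured from a live network.
import struct
from collections import defaultdict

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp(oper, sha, spa, tha, tpa):
    """Build an Ethernet II frame carrying an IPv4-over-Ethernet ARP packet.
    Requests are broadcast; replies are unicast to the target MAC."""
    dst = BROADCAST if oper == ARP_REQUEST else tha
    eth = mac_bytes(dst) + mac_bytes(sha) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)   # htype, ptype, hlen, plen, oper
           + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa))
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet/IPv4 ARP frame, or None otherwise."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"src": mac_str(frame[6:12]), "oper": oper,
            "sha": mac_str(frame[22:28]), "spa": ip_str(frame[28:32]),
            "tha": mac_str(frame[32:38]), "tpa": ip_str(frame[38:42])}


def detect_poisoning(frames):
    """Scan ARP replies and return alerts as tuples:
    ("ip-mac-change", ip, old_mac, new_mac): a known IP now answered by a different MAC.
    ("mac-claims-many", mac, ips): one MAC answering for several IPs, the pattern
    produced when the attacker poisons both the victim and the router."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for frame in frames:
        p = parse_arp(frame)
        if p is None or p["oper"] != ARP_REPLY:
            continue  # requests and non-ARP traffic carry no binding claim
        ip, mac = p["spa"], p["sha"]
        old = ip_to_mac.get(ip)
        if old is not None and old != mac:
            alerts.append(("ip-mac-change", ip, old, mac))
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                alerts.append(("mac-claims-many", mac, sorted(mac_to_ips[mac])))
    return alerts


# Constructed addresses for the example scenario.
ROUTER_IP, ROUTER_MAC = "192.168.1.1", "aa:aa:aa:aa:aa:01"
VICTIM_IP, VICTIM_MAC = "192.168.1.10", "bb:bb:bb:bb:bb:10"
ATTACKER_MAC = "cc:cc:cc:cc:cc:99"

SAMPLE_FRAMES = [
    # normal exchange: the victim asks who has the router's IP, the router answers
    build_arp(ARP_REQUEST, VICTIM_MAC, VICTIM_IP, "00:00:00:00:00:00", ROUTER_IP),
    build_arp(ARP_REPLY, ROUTER_MAC, ROUTER_IP, VICTIM_MAC, VICTIM_IP),
    build_arp(ARP_REPLY, VICTIM_MAC, VICTIM_IP, ROUTER_MAC, ROUTER_IP),
    # poisoning: the attacker tells the victim "the router's IP is my MAC" ...
    build_arp(ARP_REPLY, ATTACKER_MAC, ROUTER_IP, VICTIM_MAC, VICTIM_IP),
    # ... and tells the router "the victim's IP is my MAC"
    build_arp(ARP_REPLY, ATTACKER_MAC, VICTIM_IP, ROUTER_MAC, ROUTER_IP),
]


def run_sample():
    return detect_poisoning(SAMPLE_FRAMES)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample frames the monitor produces three alerts: the router's IP changing to the attacker's MAC, the victim's IP changing to the attacker's MAC, and the attacker's MAC claiming both IPs. A real monitor fed from a packet capture will also see legitimate binding changes (DHCP lease turnover, a replaced NIC, failover between two routers sharing a virtual IP), so these alerts are a prompt to investigate rather than proof of an attack.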

On-Path Browser Attacks

  • In a browser-based on-path attack the attacker first compromises the victim's device with malware that acts as a proxy between the browser and the network.
  • Because the proxy runs on the endpoint itself, it can hook the browser or install its own trusted certificate and see traffic in the clear before the browser encrypts it, so it captures credentials and session data even from HTTPS sites such as online banking.
  • Victims are unaware because the browser is still talking to the legitimate site; the pages look and behave normally.

Wireless Evil Twin Attacks

  • Attackers set up a rogue access point with the same SSID and security settings as legitimate public Wi-Fi, often with a stronger signal so nearby devices prefer it.
  • Users in places like airports or coffee shops, and devices set to auto-join a remembered network name, may connect to the attacker's access point without noticing.
  • Every packet from connected clients flows through the rogue access point, where the attacker can record or modify it; on an open network there is no link-layer encryption, so anything not protected by HTTPS or a VPN is readable.
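A client cannot tell two access points apart by SSID alone, but a scan does expose the BSSID (the access point's MAC address), the advertised security type, and the signal strength. The following is an added example, not part of the lecture: it runs a constructed scan result (made-up venue, SSIDs and MAC addresses) against an assumed list of the venue's legitimate BSSIDs and flags entries that advertise a known SSID from an unknown access point, downgrade the security type, or use a locally administered MAC address (the kind software-defined access points commonly generate). It also shows which BSSID a client preferring the strongest signal would pick.

```python
# Added example: checking a Wi-Fi scan for evil-twin indicators. The venue
# allow-list and the scan records below are constructed for the example.

# What the venue says its network looks like: SSID -> legitimate BSSIDs
# and the security type the network is supposed to use (assumed data).
KNOWN_NETWORKS = {
    "Airport_Free_WiFi": {
        "bssids": {"a4:56:02:10:00:01", "a4:56:02:10:00:02"},
        "security": "WPA2",
    },
}

# Constructed scan results with the fields any Wi-Fi scanner reports.
SCAN = [
    {"ssid": "Airport_Free_WiFi", "bssid": "a4:56:02:10:00:01", "security": "WPA2", "signal_dbm": -67},
    {"ssid": "Airport_Free_WiFi", "bssid": "a4:56:02:10:00:02", "security": "WPA2", "signal_dbm": -71},
    # evil twin: same SSID and security, unknown BSSID, much stronger signal
    {"ssid": "Airport_Free_WiFi", "bssid": "02:11:22:33:44:55", "security": "WPA2", "signal_dbm": -38},
    # a second twin that also drops the network to open (no encryption)
    {"ssid": "Airport_Free_WiFi", "bssid": "02:11:22:33:44:56", "security": "OPEN", "signal_dbm": -40},
    {"ssid": "CoffeeShop", "bssid": "dc:a6:32:00:00:01", "security": "WPA2", "signal_dbm": -80},
]


def is_locally_administered(bssid):
    """Bit 1 of the first octet set means the MAC was assigned in software
    rather than burned in by the hardware vendor; typical of a laptop
    running access-point software, rare for commercial access points."""
    return int(bssid.split(":")[0], 16) & 0x02 != 0


def check_evil_twin(scan, known):
    """Return (ssid, bssid, reasons) for every scan entry that advertises a
    known SSID from a BSSID not on the venue's list."""
    findings = []
    for rec in scan:
        ssid, bssid = rec["ssid"], rec["bssid"]
        if ssid not in known:
            continue  # nothing to compare against for networks we do not know
        expected = known[ssid]
        if bssid in expected["bssids"]:
            continue
        reasons = ["unknown BSSID"]
        if rec["security"] != expected["security"]:
            reasons.append(f"security {rec['security']} instead of {expected['security']}")
        if is_locally_administered(bssid):
            reasons.append("locally administered MAC")
        findings.append((ssid, bssid, reasons))
    return findings


def strongest_bssid(scan, ssid):
    """The BSSID a client that simply prefers the best signal would join."""
    candidates = [r for r in scan if r["ssid"] == ssid]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r["signal_dbm"])["bssid"]


if __name__ == "__main__":
    for ssid, bssid, reasons in check_evil_twin(SCAN, KNOWN_NETWORKS):
        print(f"{ssid} from {bssid}: {', '.join(reasons)}")
    print("client would join:", strongest_bssid(SCAN, "Airport_Free_WiFi"))
```

On the constructed scan both rogue entries are flagged, and the strongest-signal choice is the evil twin, which is exactly why the attack works. A BSSID allow-list only helps when the venue publishes one and the attacker has not cloned a legitimate BSSID as well, so the check is a useful warning, not a substitute for encrypting the traffic itself.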

Defenses Against On-Path Attacks

  • Always use encrypted communication channels (e.g., HTTPS). An on-path attacker can still see which sites you connect to, but cannot read or tamper with the content without presenting a certificate the browser rejects, so never click through certificate warnings.
  • On public networks, use a Virtual Private Network (VPN) so that all traffic, including DNS lookups and protocols that are not encrypted on their own, is protected between your device and the VPN endpoint.
  • Neither measure helps against a proxy installed on the device itself, as in the browser attack above; that requires keeping the endpoint free of malware. On managed networks, switch features such as Dynamic ARP Inspection can drop forged ARP replies before they reach a victim.

Key Terms & Definitions

  • On-path (Man-in-the-Middle) Attack — An attack where communication between two devices is secretly intercepted or altered.
  • ARP (Address Resolution Protocol) — Protocol mapping IP addresses to MAC addresses in local networks.
  • ARP Poisoning/Spoofing — Sending fake ARP messages to redirect network traffic through an attacker’s device.
  • Proxy — Software that sits between a client and a server, relaying and possibly inspecting or manipulating the traffic that passes through it.
  • Evil Twin — A rogue Wi-Fi access point imitating a legitimate one to intercept user data.
  • VPN (Virtual Private Network) — A secure tunnel for encrypting network traffic, especially on untrusted networks.

Action Items / Next Steps

  • Review how ARP works and why its lack of authentication makes spoofing possible.
  • Practice identifying suspicious Wi-Fi networks and learn how to set up a VPN.
  • Ensure HTTPS is in use when browsing, never bypass certificate warnings, and use a VPN on public networks.