
On-Path Attacks 40

Sep 13, 2025

Overview

The lecture explains on-path attacks, focusing on how attackers intercept and manipulate communication between network devices using techniques such as ARP poisoning, browser proxy attacks, and wireless evil twins.

On-Path Attacks Explained

  • On-path attacks allow an attacker to secretly monitor or alter traffic between two communicating devices.
  • Victims are often unaware that their communications are being intercepted.
  • Security software on endpoints may not detect on-path attacks.

ARP Poisoning / ARP Spoofing

  • ARP poisoning exploits the lack of security in the Address Resolution Protocol (ARP).
  • Attackers send fake ARP responses to devices, mapping their own MAC address to another device's IP address.
  • The victim device updates its ARP cache with the malicious entry, routing its traffic through the attacker's device.
  • This allows the attacker to monitor or modify traffic between devices, e.g., between a laptop and a router.
  • Attackers often target both endpoints to maintain full visibility of the conversation.
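
A defender can spot the cache changes described above by watching ARP traffic for an IP address whose MAC binding changes, or for one MAC address claiming several IP addresses. The following is an added example, not part of the lecture; the addresses and sample packets are constructed, and the alert names are illustrative.

```python
import struct

def parse_arp(payload):
    """Return (opcode, sender_mac, sender_ip), or None if not IPv4-over-Ethernet ARP."""
    if len(payload) < 28:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, payload[8:14].hex(":"), ".".join(map(str, payload[14:18]))

class ArpMonitor:
    """Remembers the first MAC seen for each IP and alerts when a later message disagrees."""
    def __init__(self):
        self.first_seen = {}  # ip -> first MAC observed for it
        self.claimed = {}     # mac -> set of IPs it has claimed

    def observe(self, payload):
        parsed = parse_arp(payload)
        if parsed is None:
            return []
        _, mac, ip = parsed
        alerts = []
        known = self.first_seen.setdefault(ip, mac)
        if known != mac:  # also fires on a replaced NIC or reassigned IP, so triage it
            alerts.append(("binding-changed", ip, known, mac))
        ips = self.claimed.setdefault(mac, set())
        ips.add(ip)
        if len(ips) > 1:  # one MAC answering for both ends of a conversation
            alerts.append(("mac-claims-multiple-ips", mac, tuple(sorted(ips))))
        return alerts

# Constructed ARP replies: a router, a laptop, then a third MAC claiming both IPs.
HDR = "0001080006040002"  # Ethernet, IPv4, hlen 6, plen 4, opcode 2 (reply)
SAMPLE = [bytes.fromhex(HDR + h) for h in (
    "aaaaaaaaaa01" "c0a80101" "aaaaaaaaaa02" "c0a80114",  # router 192.168.1.1
    "aaaaaaaaaa02" "c0a80114" "aaaaaaaaaa01" "c0a80101",  # laptop 192.168.1.20
    "deadbeef0099" "c0a80101" "aaaaaaaaaa02" "c0a80114",  # third MAC claims router IP
    "deadbeef0099" "c0a80114" "aaaaaaaaaa01" "c0a80101",  # third MAC claims laptop IP
)]

def run(sample=SAMPLE):
    monitor = ArpMonitor()
    return [alert for payload in sample for alert in monitor.observe(payload)]

if __name__ == "__main__":
    for alert in run():
        print(alert)
```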

On-Path Browser Attacks

  • Attackers install proxy malware on a victim’s browser to intercept web traffic locally.
  • The proxy silently collects sensitive data, such as banking credentials, as the user browses.
  • These attacks are difficult to detect since everything appears normal to the victim.

Wireless Evil Twin Attacks

  • Attackers create rogue wireless access points with names (SSIDs) identical or similar to legitimate ones.
  • Users may unknowingly connect to the attacker’s access point, enabling interception or alteration of their communications.
  • Such attacks are common in public areas like airports and coffee shops, especially on open Wi-Fi networks.

Defense Strategies

  • Always use encrypted communication channels (e.g., HTTPS websites).
  • Use Virtual Private Networks (VPNs) when connected to public wireless networks.

Key Terms & Definitions

  • On-Path Attack — An attack where the attacker secretly monitors or alters network traffic between two parties.
  • ARP Poisoning/Spoofing — Sending fake ARP responses to reroute traffic through an attacker’s device.
  • ARP (Address Resolution Protocol) — A protocol for mapping IP addresses to MAC addresses on a local network.
  • MAC address (Media Access Control address) — A unique identifier assigned to a network interface card (NIC) of a device. It is used to identify devices on a local network.
  • Proxy (in browser context) — Software that intercepts and relays web communication on behalf of the user.
  • Wireless Evil Twin — A rogue Wi-Fi access point mimicking a legitimate network to intercept user data.
  • SSID (Service Set Identifier) — The name of a wireless network.
  • VPN (Virtual Private Network) — A service that encrypts network traffic across untrusted networks.

Action Items / Next Steps

  • Always connect to websites using HTTPS, especially in public settings.
  • Use a VPN when on public or unsecured Wi-Fi networks.