On-Path Attacks

Sep 4, 2025

Overview

This lecture explains on-path (man-in-the-middle) attacks, focusing on ARP poisoning and browser-based attacks that allow an attacker to intercept or alter network communications.

On-Path (Man-in-the-Middle) Attacks

  • On-path attacks allow attackers to intercept and potentially modify data exchanged between two devices.
  • End users are usually unaware that their communications are being intercepted or altered.
  • These attacks can happen at different layers, including both network and application layers.

ARP Poisoning and Spoofing Attacks

  • ARP (Address Resolution Protocol) poisoning exploits the lack of security in ARP to intercept local network traffic.
  • Devices maintain an ARP cache matching IP addresses to MAC addresses, updated as devices communicate.
  • When a device joins a network, its ARP cache starts empty and fills as it communicates with other devices.
  • No authentication exists in the ARP process, leaving it vulnerable to attack.
  • An attacker on the local subnet sends fake ARP responses, making devices associate the attacker's MAC address with a legitimate IP (e.g., the router).
  • This causes network traffic intended for one device to be intercepted by the attacker.
  • The attacker repeats the process in the opposite direction to fully sit between two devices.
  • ARP poisoning requires the attacker to have access to the same local subnet as the targets.
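The bullets above describe how forged ARP responses rebind a legitimate IP to the attacker's MAC in both directions. The following detection sketch is an added example, not part of the original lecture: it replays a constructed list of observed ARP replies and flags IP-to-MAC rebindings and any MAC that claims several IPs. The function name and all addresses are made up for illustration.

```python
from collections import defaultdict

# Constructed sample of observed ARP replies: (seconds, sender IP, sender MAC).
# Every address here is invented for this example.
SAMPLE_REPLIES = [
    (0.0,  "192.168.1.1",  "aa:aa:aa:aa:aa:01"),  # router
    (1.0,  "192.168.1.20", "bb:bb:bb:bb:bb:20"),  # workstation
    (2.0,  "192.168.1.30", "cc:cc:cc:cc:cc:30"),  # third host on the subnet
    (30.0, "192.168.1.1",  "cc:cc:cc:cc:cc:30"),  # router IP now claimed by .30's MAC
    (30.5, "192.168.1.20", "cc:cc:cc:cc:cc:30"),  # workstation IP claimed by the same MAC
    (31.0, "192.168.1.1",  "cc:cc:cc:cc:cc:30"),  # repeated claim, no new change
]


def find_arp_anomalies(replies):
    """Replay ordered ARP replies and return (binding_changes, shared_macs).

    binding_changes: list of (time, ip, old_mac, new_mac) where an IP moved
                     to a different MAC, as a poisoned cache entry would.
    shared_macs:     {mac: [ips]} for MACs that answered for more than one IP,
                     the pattern produced when one host sits between two others.
    """
    current = {}                      # ip -> MAC most recently learned
    mac_to_ips = defaultdict(set)     # mac -> every IP it has claimed
    changes = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        previous = current.get(ip)
        if previous is not None and previous != mac:
            changes.append((ts, ip, previous, mac))
        current[ip] = mac
        mac_to_ips[mac].add(ip)
    shared = {m: sorted(ips) for m, ips in mac_to_ips.items() if len(ips) > 1}
    return changes, shared


if __name__ == "__main__":
    changes, shared = find_arp_anomalies(SAMPLE_REPLIES)
    for ts, ip, old, new in changes:
        print(f"t={ts}: {ip} moved from {old} to {new}")
    for mac, ips in shared.items():
        print(f"{mac} answers for {', '.join(ips)}")
```

A rebinding alone is not proof of poisoning, since replaced network cards and reassigned addresses also change bindings; the gateway's IP moving to a MAC that already answers for another host is the stronger signal.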

Browser-Based On-Path Attacks

  • On-path browser attacks involve malware inside the victim’s browser, capturing data before it is encrypted.
  • These attacks do not require access to the local network or subnet, only access to the victim device.
  • The attacker can see all unencrypted data entered or displayed in the browser, including sensitive information like banking credentials.
  • With control of the browser, attackers can perform unauthorized actions, such as transferring money.

Key Terms & Definitions

  • On-Path Attack (Man-in-the-Middle Attack) — A method where an attacker intercepts and may alter communication between two devices.
  • ARP (Address Resolution Protocol) — A protocol that maps IP addresses to MAC addresses within a local network.
  • ARP Poisoning (ARP Spoofing) — An attack where false ARP responses redirect network traffic through the attacker’s device.
  • ARP Cache — A table in each device storing mappings of IP addresses to MAC addresses.
  • Browser-Based On-Path Attack — An attack where malware inside the browser intercepts and manipulates browser data.

Action Items / Next Steps

  • Review ARP mechanisms and their security limitations.
  • Learn methods to detect and prevent ARP poisoning and browser-based on-path attacks.