
What is an on-path attack?

An on-path attack, traditionally known as a man-in-the-middle attack, occurs when an attacker secretly positions themselves between two communicating parties to intercept, read, and potentially alter the data being exchanged.

WPSentry Team, March 9, 2026, 3 min read

What is an On-Path Attack?

An on-path attack, also referred to as a man-in-the-middle (MITM) attack, is a cyberattack in which an attacker secretly inserts themselves into the communication channel between two parties who believe they are communicating directly with each other. The attacker can passively eavesdrop on the communication to steal sensitive information or actively modify the data in transit to manipulate the conversation, inject malicious content, or redirect transactions.

On-path attacks are effective because the communicating parties are typically unaware that a third party is intercepting their traffic. The attacker acts as an invisible relay, receiving messages from one party, potentially reading or altering them, and forwarding them to the intended recipient. This enables a wide range of malicious activities including credential theft, session hijacking, data manipulation, and malware injection.

How On-Path Attacks Work

ARP spoofing is a common technique used to execute on-path attacks on local area networks. The attacker sends forged Address Resolution Protocol (ARP) messages to associate their MAC address with the IP address of a legitimate network device, such as the default gateway. This causes traffic intended for the gateway to be sent to the attacker's machine instead, allowing them to intercept all outbound network traffic from other devices on the same network segment.

On wireless networks, attackers can create rogue access points, sometimes called "evil twin" hotspots, that mimic legitimate WiFi networks. When users connect to the malicious access point, all their traffic passes through the attacker's system. DNS spoofing, SSL stripping, and HTTPS interception through fraudulent certificates are additional techniques that enable on-path attacks at different layers of the network stack.
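The ARP spoofing described above is visible from the defender's side as a change in the IP-to-MAC mapping on the segment. The detector below is an added example, not code from this page or from WPSentry: it replays constructed sniffer lines and raises the kind of alerts a tool such as arpwatch produces. The log format, the sample addresses and the function names are assumptions.

```python
"""Passive ARP-spoofing detector over sniffed ARP replies (added example, not WPSentry's code).
Each constructed log line has the form "<time> <sender_ip> is-at <sender_mac>", as a
sniffer prints an ARP reply. Like arpwatch, the detector remembers the first MAC seen
for each IP and alerts when a known IP suddenly answers from a new MAC, or when one MAC
answers for several IPs, which is what a gateway takeover looks like on the victim's segment.
A legitimate DHCP re-assignment or NIC swap produces the same signal, so alerts are leads, not proof."""
from collections import defaultdict

# Constructed sample: 192.168.1.1 is the real gateway at aa:bb:cc:00:00:01; the
# last two replies come from a host at de:ad:be:ef:00:01 claiming the gateway IP.
SAMPLE_ARP_LOG = """\
10:00:01 192.168.1.1 is-at aa:bb:cc:00:00:01
10:00:02 192.168.1.20 is-at aa:bb:cc:00:00:20
10:00:03 192.168.1.30 is-at de:ad:be:ef:00:01
10:00:04 192.168.1.1 is-at de:ad:be:ef:00:01
10:00:05 192.168.1.1 is-at de:ad:be:ef:00:01
"""


def parse_arp_line(line):
    """Return (time, ip, mac) from one sniffer line, or None if it is malformed."""
    parts = line.split()
    if len(parts) != 4 or parts[2] != "is-at":
        return None
    return parts[0], parts[1], parts[3].lower()


def detect_arp_spoofing(log_text, gateway_ip=None):
    """Replay the log in order and return the alerts raised (an empty list means clean)."""
    ip_to_mac, mac_to_ips, alerts = {}, defaultdict(set), []
    for line in log_text.splitlines():
        parsed = parse_arp_line(line)
        if parsed is None:
            continue
        ts, ip, mac = parsed
        known = ip_to_mac.get(ip)
        if known is not None and known != mac:
            # A known IP now answers from a different MAC: the cache-poisoning signature.
            level = "CRITICAL" if ip == gateway_ip else "WARNING"
            alerts.append(f"{ts} {level}: {ip} moved from {known} to {mac}")
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:  # one MAC claiming several IPs
                alerts.append(f"{ts} WARNING: {mac} answers for {sorted(mac_to_ips[mac])}")
    return alerts
```

Dynamic ARP Inspection on the switch, discussed later on this page, stops the forged replies before they reach hosts; a passive detector like this one is the fallback where the switches cannot enforce it.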

Types of On-Path Attacks

SSL/TLS interception attacks attempt to compromise encrypted communications. In SSL stripping, the attacker downgrades a connection from HTTPS to HTTP, allowing them to read plaintext traffic. More sophisticated attacks use fraudulently obtained or compromised SSL certificates to establish separate encrypted sessions with each party, decrypting and re-encrypting traffic as it passes through the attacker's system.

Session hijacking involves stealing or forging session tokens after a user has authenticated, allowing the attacker to impersonate the authenticated user without knowing their credentials. Email hijacking targets business communications by intercepting and modifying email messages, often used in Business Email Compromise (BEC) attacks to redirect financial transactions. IP spoofing and BGP hijacking enable on-path attacks at the network routing level, potentially affecting traffic between entire organizations or networks.

Preventing On-Path Attacks

End-to-end encryption is the most effective defense against on-path attacks. HTTPS, enforced through HTTP Strict Transport Security (HSTS), ensures that web traffic is encrypted and cannot be downgraded to unencrypted HTTP. Certificate pinning allows applications to verify that the server's certificate matches an expected value, detecting fraudulent certificates used in HTTPS interception attacks.

Virtual Private Networks (VPNs) encrypt all traffic between a device and the VPN server, protecting against on-path attacks on untrusted networks such as public WiFi. On local networks, implementing Dynamic ARP Inspection (DAI) and DHCP snooping on network switches prevents ARP spoofing attacks. Network authentication protocols like 802.1X ensure that only authorized devices can connect to the network. Mutual TLS authentication, where both client and server verify each other's certificates, provides strong protection against on-path attacks in application-to-application communications.
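To make concrete how HSTS defeats SSL stripping, here is a simplified model of the browser-side logic, added as an example and not code from WPSentry: a policy is recorded only from HTTPS responses, and later http:// navigations are upgraded before any request is sent. It assumes a `clock()` callable supplying the current time in seconds, omits port handling, and also shows the window the page's advice leaves open before a host's first secure visit, which the HSTS preload list exists to close.

```python
"""Browser-side HSTS upgrade logic (added example, not WPSentry's code).
After an HTTPS response has carried a valid Strict-Transport-Security header,
later http:// navigations for that host are rewritten to https:// before any
packet leaves, so an SSL-stripping attacker never sees a plaintext request."""
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header):
    """Parse an STS header value into (max_age, include_subdomains); None if unusable."""
    max_age, include_subdomains = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.lower() == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None  # RFC 6797: an unparsable max-age voids the whole header
        elif name.lower() == "includesubdomains":
            include_subdomains = True
    return None if max_age is None else (max_age, include_subdomains)


class HstsCache:
    """Minimal Known-HSTS-Host store: hostname -> (expiry, include_subdomains)."""
    def __init__(self, clock):
        self.clock, self.hosts = clock, {}  # clock() returns the current time in seconds

    def learn(self, url, headers):
        """Record a policy from a response; only HTTPS responses may set one."""
        h = {k.lower(): v for k, v in headers.items()}
        parts = urlsplit(url)
        policy = parse_hsts(h.get("strict-transport-security", "")) if parts.scheme == "https" else None
        if policy is None:
            return False
        if policy[0] == 0:  # max-age=0 tells the browser to forget this host
            self.hosts.pop(parts.hostname, None)
        else:
            self.hosts[parts.hostname] = (self.clock() + policy[0], policy[1])
        return True

    def upgrade(self, url):
        """Return the URL the browser would actually fetch for a navigation."""
        parts = urlsplit(url)
        if parts.scheme != "http":
            return url
        labels = parts.hostname.split(".")
        for i in range(len(labels)):  # exact host first, then each parent domain
            entry = self.hosts.get(".".join(labels[i:]))
            if entry and entry[0] > self.clock() and (i == 0 or entry[1]):
                return urlunsplit(("https", parts.hostname, parts.path, parts.query, parts.fragment))
        return url
```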

Frequently Asked Questions

Yes, public WiFi networks are a common environment for on-path attacks because attackers can easily create rogue access points or perform ARP spoofing. Always use a VPN when connecting to public WiFi, ensure websites use HTTPS, and avoid accessing sensitive accounts on untrusted networks.

HTTPS provides strong protection by encrypting traffic and authenticating the server via certificates. However, attackers can attempt SSL stripping to downgrade connections to HTTP, or use fraudulent certificates. Enable HSTS, watch for browser certificate warnings, and use certificate pinning for additional protection.

Eavesdropping is passive interception where the attacker only reads traffic. An on-path attack goes further by actively positioning the attacker in the communication path, enabling both reading and modification of data. On-path attacks can alter, inject, or block messages in addition to monitoring them.