
Man-in-the-Middle Attacks: How They Work and How to Stop Them

Learn how MITM attacks work—ARP spoofing, SSL stripping, evil twin Wi-Fi, and DNS poisoning—plus practical defenses to protect your network traffic.


A man-in-the-middle (MITM) attack occurs when an attacker secretly intercepts and potentially modifies communications between two parties who believe they’re communicating directly. The attacker positions themselves in the communication path — receiving data from both sides, optionally modifying it, and forwarding it along — while remaining invisible to both victims. MITM attacks can intercept credentials, session tokens, financial transactions, and private communications.

How MITM Attacks Work

At a high level, a MITM attack requires two capabilities:

  1. Traffic interception — getting the victim’s network traffic to flow through the attacker
  2. Traffic decryption (if applicable) — reading HTTPS/TLS-protected content

Different techniques achieve these goals.

ARP Spoofing / ARP Poisoning

ARP (Address Resolution Protocol) maps IP addresses to MAC (hardware) addresses on local networks. It has no authentication — any device can claim to be any other device.

How it works: The attacker sends fake ARP reply packets to both the victim and the router, claiming the attacker’s MAC address corresponds to the other party’s IP:

Attacker sends to victim: "192.168.1.1 (router) is at AA:BB:CC:DD:EE:FF" (attacker's MAC)
Attacker sends to router: "192.168.1.50 (victim) is at AA:BB:CC:DD:EE:FF" (attacker's MAC)

Both victim and router update their ARP tables. Traffic meant for each destination now flows through the attacker.

Tools: Bettercap (arp.spoof on), Ettercap.

Limitations: Works only within a local network segment (LAN). It cannot reach a victim's internet traffic unless the attacker is on the same network as the victim.

Detection: ARP monitoring tools (ArpON, XArp) detect anomalous ARP replies. Static ARP entries for critical devices prevent spoofing.

SSL Stripping

After ARP spoofing succeeds, the attacker is in the traffic path — but HTTPS encrypts the content. SSL stripping downgrades HTTPS connections to HTTP:

  1. Victim requests https://bank.com
  2. Attacker intercepts the request
  3. Attacker connects to https://bank.com on behalf of the victim (encrypted connection to server)
  4. Attacker serves the victim http://bank.com (unencrypted)
  5. Victim sees the site normally but over HTTP — attacker sees everything in plaintext

SSL stripping was pioneered by Moxie Marlinspike and presented at Black Hat 2009. It’s largely mitigated by HSTS (HTTP Strict Transport Security).

HSTS mitigation: Sites that use HSTS tell the browser to always use HTTPS and never downgrade. The browser refuses HTTP connections to HSTS-enabled sites. Browsers also ship with an “HSTS preload list” of major sites that are treated as HTTPS-only from the very first visit, before any HSTS header has been seen, so they can never be stripped.

Modern status: Effective against sites that don’t implement HSTS. Major sites (banks, email providers, social media) have largely adopted HSTS preloading.
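The browser-side half of the HSTS mitigation is small enough to model directly. The following is an added example (not code from the original article): a minimal HSTS cache that records a Strict-Transport-Security policy only when it arrives over HTTPS, honours max-age and includeSubDomains, seeds itself from a stand-in preload set, and upgrades any later http:// navigation to a covered host, which is exactly the point at which a stripped link stops working. The host names and the tiny PRELOAD set are constructed placeholders, not the real browser preload list.

```python
"""Model of a browser HSTS cache (added example, not from the article)."""
import time
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for the browser's built-in preload list (assumption):
# host -> includeSubDomains
PRELOAD = {"bank.example": True}


def parse_hsts(header: str):
    """Parse a Strict-Transport-Security value (RFC 6797).

    Returns (max_age_seconds, include_subdomains), or None when the header
    has no usable max-age, in which case the browser ignores it.
    """
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


class HstsCache:
    def __init__(self, now=time.time):
        self._now = now
        # host -> (expiry timestamp, include_subdomains); preload never expires
        self._entries = {h: (float("inf"), sub) for h, sub in PRELOAD.items()}

    def observe(self, url: str, headers: dict):
        """Record a policy, but only from an HTTPS response (RFC 6797 section 8.1)."""
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            return                      # a header seen over plain HTTP is untrusted
        value = headers.get("Strict-Transport-Security")
        parsed = parse_hsts(value) if value is not None else None
        if parsed is None:
            return
        max_age, sub = parsed
        if max_age == 0:
            self._entries.pop(parts.hostname, None)   # max-age=0 clears the policy
        else:
            self._entries[parts.hostname] = (self._now() + max_age, sub)

    def is_known(self, host: str) -> bool:
        """True if host, or a parent with includeSubDomains, has a live policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, sub = entry
            if expiry >= self._now() and (i == 0 or sub):
                return True
        return False

    def rewrite(self, url: str) -> str:
        """Upgrade http:// to https:// for a known host; otherwise return url unchanged."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname or ""):
            netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url
```

Two details carry the security value: a policy arriving over plain HTTP is discarded (otherwise the attacker in the path could set or clear it), and the preload entries never expire, which is what protects a first visit that has not yet seen the header.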

Evil Twin Wi-Fi Attack

An evil twin is a rogue access point with the same SSID (network name) as a legitimate network:

  1. Attacker sets up a hotspot named “Starbucks Wi-Fi” (or matches your home network’s SSID)
  2. Attacker may send deauthentication frames to kick devices off the real network
  3. Victim’s device automatically connects to the attacker’s network (stronger signal)
  4. All victim traffic flows through the attacker’s internet connection
  5. Attacker can perform ARP spoofing and SSL stripping on this captured traffic

Tools: airbase-ng, hostapd-wpe (specialized for WPA2-Enterprise credential capture).

Defense:

  • Verify the exact BSSID (MAC address) of your known networks in Wi-Fi settings — an evil twin has a different BSSID
  • Use a VPN on untrusted networks — traffic is encrypted through the VPN tunnel before reaching the attacker
  • Look for certificate warnings — they’re a strong signal of MITM activity
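The first defence above, checking the BSSID rather than trusting the SSID, can be scripted against a Wi-Fi scan. The following is an added example, not code from the original article: it parses the terse output of `nmcli -t -f SSID,BSSID,SIGNAL,SECURITY dev wifi` (where nmcli escapes the colons inside a BSSID as `\:`), compares every access point against a baseline of BSSIDs you verified in person, and flags the two signs of an evil twin that the list above describes: an unknown BSSID carrying a trusted SSID, especially one that is open while the real network is protected, or that is stronger than the real access points. The KNOWN_NETWORKS baseline and the scan lines are constructed sample data.

```python
"""Evil-twin triage of a Wi-Fi scan (added example, not from the article)."""
import re

# Baseline of networks you trust: SSID -> BSSIDs verified in person.
# Constructed values; build yours from a scan taken when you trust the venue.
KNOWN_NETWORKS = {
    "Starbucks Wi-Fi": {"AA:BB:CC:DD:EE:01", "AA:BB:CC:DD:EE:02"},
    "HomeNet": {"11:22:33:44:55:66"},
}

# Constructed stand-in for `nmcli -t -f SSID,BSSID,SIGNAL,SECURITY dev wifi`.
# Terse mode escapes the colons inside the BSSID as '\:'; an empty SECURITY
# field means an open network.
SAMPLE_SCAN = r"""Starbucks Wi-Fi:AA\:BB\:CC\:DD\:EE\:01:72:WPA2
Starbucks Wi-Fi:AA\:BB\:CC\:DD\:EE\:02:81:WPA2
Starbucks Wi-Fi:DE\:AD\:BE\:EF\:00\:01:95:
HomeNet:11\:22\:33\:44\:55\:66:60:WPA2
Guest:66\:77\:88\:99\:AA\:BB:40:
"""


def split_terse(line: str):
    """Split an nmcli -t line on unescaped colons, then unescape the fields."""
    return [f.replace("\\:", ":") for f in re.split(r"(?<!\\):", line)]


def parse_scan(text: str):
    """Yield (ssid, bssid, signal, security) for each access point seen."""
    for line in text.splitlines():
        if line.strip():
            ssid, bssid, signal, security = split_terse(line)
            yield ssid, bssid.upper(), int(signal), security


def triage(scan_text: str, known=KNOWN_NETWORKS):
    """Return (bssid, reason) findings for APs that look like evil twins."""
    by_ssid = {}
    for ssid, bssid, signal, security in parse_scan(scan_text):
        by_ssid.setdefault(ssid, []).append((bssid, signal, security))
    findings = []
    for ssid, aps in by_ssid.items():
        if ssid not in known:
            continue                      # no baseline to compare against
        trusted = known[ssid]
        trusted_signals = [s for b, s, _ in aps if b in trusted]
        protected = any(sec for _, _, sec in aps)
        for bssid, signal, security in aps:
            if bssid in trusted:
                continue
            reason = f"BSSID not in baseline for {ssid!r}"
            if security == "" and protected:
                reason += "; open AP beside protected APs of the same SSID"
            if trusted_signals and signal > max(trusted_signals):
                reason += "; stronger signal than the trusted APs (clients will prefer it)"
            findings.append((bssid, reason))
    return findings


if __name__ == "__main__":
    for bssid, reason in triage(SAMPLE_SCAN):
        print(bssid, "-", reason)
```

A venue with several legitimate access points will show several BSSIDs for one SSID, so the baseline must hold all of them; the check is meaningful only for networks whose BSSIDs you recorded on a day you trusted the environment.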

DNS Poisoning / DNS Hijacking

DNS resolves domain names to IP addresses. If an attacker can control the DNS responses, they can redirect traffic:

Cache Poisoning: Injecting false DNS records into a resolver’s cache. Before DNSSEC, attackers could flood DNS resolvers with forged responses. The Kaminsky attack (2008) demonstrated mass exploitation of this.

DNS Hijacking: Compromising the DNS server itself (often consumer routers) to return attacker-controlled IPs. Many home routers run outdated DNS software with known vulnerabilities.

Defenses:

  • DNSSEC validation — DNS records are cryptographically signed by the zone owner, and a validating resolver verifies the signatures before trusting a response
  • DNS-over-HTTPS or DNS-over-TLS — encrypts DNS queries so ISP/attacker on path can’t see or modify them
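The two defences above meet in the client: it sends a DNS query with the DNSSEC "DO" bit set and then checks the "authenticated data" (AD) flag the validating resolver sets in its reply, while DoH carries exactly these wire-format bytes in an application/dns-message POST body. The following is an added example, not code from the original article, using only the standard library: it builds such a query, parses a reply (including name-compression pointers), and accepts A records only when the transaction ID matches, the response code is zero and AD is set. The sample reply and the address 192.0.2.10 (a TEST-NET value) are constructed.

```python
"""DNS wire format with the DO bit, and reading the AD flag (added example)."""
import struct

TYPE_A, TYPE_OPT = 1, 41
FLAG_RD, FLAG_AD = 0x0100, 0x0020


def encode_name(name: str) -> bytes:
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = TYPE_A, txid: int = 0x1234) -> bytes:
    """Standard query asking for recursion (RD), AD in the reply, and DNSSEC data (DO)."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD | FLAG_AD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)   # class IN
    # EDNS0 OPT pseudo-record: empty name, type 41, UDP size 4096, DO bit in the TTL field
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0x00008000, 0)
    return header + question + opt


def decode_name(data: bytes, offset: int):
    """Return (name, next_offset), following RFC 1035 compression pointers."""
    labels, jumped, next_off = [], False, None
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                       # 2-byte pointer
            if not jumped:
                next_off = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (next_off if jumped else offset)


def parse_response(data: bytes) -> dict:
    """Parse header, skip the question section and return the answer records."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):
        _, offset = decode_name(data, offset)
        offset += 4                                     # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, offset = decode_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == TYPE_A:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "rcode": flags & 0xF, "ad": bool(flags & FLAG_AD), "answers": answers}


# Constructed reply: flags QR|RD|RA|AD, one A answer whose name is a pointer to the question.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 0)
    + encode_name("bank.example") + struct.pack("!HH", TYPE_A, 1)
    + b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 10])
)


def trust_answer(query: bytes, response: bytes):
    """Return the A records only if the reply matches our ID, succeeded, and carries AD."""
    qid = struct.unpack("!H", query[:2])[0]
    r = parse_response(response)
    if r["id"] != qid or r["rcode"] != 0 or not r["ad"]:
        return None
    return [rd for _, t, _, rd in r["answers"] if t == TYPE_A]
```

The AD flag is only as trustworthy as the path to the resolver: over plain UDP an on-path attacker can forge a reply with AD set, so the check is meaningful when the query travels over DoT or DoH to a resolver you trust to validate, or when the client validates the signatures itself.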

BGP Hijacking

Border Gateway Protocol (BGP) routes internet traffic between autonomous systems (large networks). BGP has no built-in authentication, so operators can announce routes for IP ranges they don’t own.

In 2018, Russia’s Rostelecom hijacked BGP routes for Google, Amazon, Facebook, and Apple for 88 minutes — all their traffic briefly routed through Russia. BGP hijacking is typically used for traffic interception at internet scale, though attribution is difficult.

Defense: BGP route filtering and RPKI (Resource Public Key Infrastructure), cryptographic route origin validation that major internet operators are increasingly deploying.
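Route origin validation is the check a router (or a monitoring script fed from an RPKI cache) runs on every announcement. The following is an added example, not code from the original article: it implements the RFC 6811 decision, comparing the announced prefix and origin AS against the signed ROAs that cover it, and sorts a batch of announcements into accepted and rejected. The ROAs, prefixes and AS numbers are constructed documentation values, not real allocations; a real deployment loads ROAs from a validator such as rpki-client or Routinator rather than hard-coding them.

```python
"""RPKI route origin validation, RFC 6811 (added example, not from the article)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    prefix: str       # address block the holder authorized, e.g. "203.0.113.0/24"
    max_length: int   # longest more-specific prefix the holder permits
    origin_as: int    # AS allowed to originate it


# Constructed ROA set (documentation prefixes and private ASNs).
ROAS = [
    Roa("203.0.113.0/24", 24, 64496),
    Roa("198.51.100.0/22", 24, 64497),
]


def _covers(roa: Roa, net) -> bool:
    """True if the ROA prefix is the same as, or less specific than, net."""
    roa_net = ipaddress.ip_network(roa.prefix)
    return roa_net.version == net.version and net.subnet_of(roa_net)


def validate_origin(prefix: str, origin_as: int, roas=ROAS) -> str:
    """Return the ROV state: 'valid', 'invalid' or 'notfound'."""
    net = ipaddress.ip_network(prefix, strict=False)
    covering = [r for r in roas if _covers(r, net)]
    if not covering:
        return "notfound"          # no ROA covers this prefix; RPKI says nothing
    for r in covering:
        if r.origin_as == origin_as and net.prefixlen <= r.max_length:
            return "valid"
    return "invalid"               # covered, but wrong origin or too specific


def filter_announcements(announcements, roas=ROAS, drop_notfound=False):
    """Split (prefix, origin_as) pairs into (accepted, rejected), each tagged with its state.

    Operators that deploy ROV drop 'invalid' routes; 'notfound' is normally still
    accepted because a large share of the routing table has no ROA yet.
    """
    accepted, rejected = [], []
    for prefix, origin_as in announcements:
        state = validate_origin(prefix, origin_as, roas)
        reject = state == "invalid" or (drop_notfound and state == "notfound")
        (rejected if reject else accepted).append((prefix, origin_as, state))
    return accepted, rejected
```

ROV checks only the origin AS at the end of the path, so it stops a hijack that announces someone else's prefix from the wrong AS or as an unauthorized more-specific; it does not by itself stop a route that forges the correct origin AS behind a bogus path, which is what path validation efforts such as BGPsec and ASPA address.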

HTTPS Certificate Attacks

TLS/HTTPS uses certificates to authenticate the server’s identity. MITM on HTTPS requires the attacker to present a valid-appearing certificate for the target domain.

Techniques:

  • Self-signed certificate: The browser shows a warning — never click through on banking/email sites
  • Stolen or fraudulently issued certificate: In 2011, DigiNotar (Dutch CA) was compromised; attackers issued valid certificates for Google.com, used to intercept traffic for ~300,000 Iranian Gmail users
  • Installed root CA on corporate device: Enterprise network monitoring and corporate MDM solutions legitimately install custom root CAs to inspect TLS traffic — this is the same mechanism used by malicious actors

Certificate Transparency: Google’s Certificate Transparency project requires all CAs to log every issued certificate publicly. Anyone can check if unexpected certificates were issued for their domain.

Practical Defenses

VPN for public networks: A VPN encrypts all traffic before it leaves your device. An attacker on the same network sees only encrypted VPN tunnel traffic, not your actual requests.

HTTPS everywhere: Browser extensions or modern browser defaults force HTTPS whenever available. Combined with HSTS, this prevents SSL stripping on major sites.

Certificate pinning: Applications hardcode the expected certificate or public key for critical servers. A MITM certificate doesn’t match the pin, and the app refuses to connect.

Mutual TLS (mTLS): Both client and server present certificates, preventing impersonation of either party. Used in enterprise zero trust architectures.

Monitor for ARP anomalies: Run arp -a periodically. Two different IPs having the same MAC address is a strong ARP spoofing indicator. Tools like XArp monitor this automatically.
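The two checks described here and in the ARP spoofing section above (one MAC claimed by several IPs, and the gateway's MAC drifting away from what it used to be) are easy to automate. The following is an added example, not code from the original article: it parses `arp -a` output in both the Linux/macOS form (`host (ip) at mac ...`) and the Windows form (`ip  mac  dynamic`), skips incomplete entries, and reports findings with a severity that is raised when the gateway is involved. The sample table, the gateway address and the baseline MAC are constructed.

```python
"""ARP cache spoofing indicators from `arp -a` (added example, not from the article)."""
import re
import subprocess
from collections import defaultdict

# Matches "? (192.168.1.1) at aa:bb:cc:dd:ee:ff [ether] on wlan0" and
# "  192.168.1.1           aa-bb-cc-dd-ee-ff     dynamic"
ARP_LINE = re.compile(
    r"\(?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)?\s+(?:at\s+)?"
    r"(?P<mac>(?:[0-9a-fA-F]{2}[:-]){5}[0-9a-fA-F]{2})"
)

# Constructed sample: the gateway's MAC also appears on 192.168.1.77.
SAMPLE_ARP = """\
? (192.168.1.1) at aa:bb:cc:dd:ee:ff [ether] on wlan0
? (192.168.1.50) at 0c:9d:92:11:22:33 [ether] on wlan0
? (192.168.1.77) at aa:bb:cc:dd:ee:ff [ether] on wlan0
? (192.168.1.99) at <incomplete> on wlan0
"""


def parse_arp(output: str) -> dict:
    """Return {ip: mac} with MACs normalized to lower-case colon form; incomplete entries are skipped."""
    table = {}
    for line in output.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group("ip")] = m.group("mac").lower().replace("-", ":")
    return table


def find_indicators(table: dict, gateway_ip: str, gateway_mac_baseline: str) -> list:
    """Return human-readable findings; an empty list means nothing looked odd."""
    findings = []
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            severity = "HIGH" if gateway_ip in ips else "MEDIUM"
            findings.append(f"{severity}: MAC {mac} claimed by {len(ips)} IPs: {', '.join(sorted(ips))}")
    current = table.get(gateway_ip)
    baseline = gateway_mac_baseline.lower().replace("-", ":")
    if current and current != baseline:
        findings.append(f"HIGH: gateway {gateway_ip} now at {current}, baseline was {baseline}")
    return findings


def check_live(gateway_ip: str, gateway_mac_baseline: str) -> list:
    """Run arp -a on this machine and evaluate the result (needs the arp command installed)."""
    out = subprocess.run(["arp", "-a"], capture_output=True, text=True, check=True).stdout
    return find_indicators(parse_arp(out), gateway_ip, gateway_mac_baseline)


if __name__ == "__main__":
    for finding in find_indicators(parse_arp(SAMPLE_ARP), "192.168.1.1", "11:22:33:44:55:66"):
        print(finding)
```

Record the gateway's MAC once on a network you trust and pass it as the baseline; a single host legitimately holding several IPs (a router with multiple addresses, or virtual machines in bridged mode) also produces the duplicate-MAC finding, so the MEDIUM case needs a quick look rather than an automatic alarm, while a gateway that suddenly changes MAC deserves immediate attention.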

Avoid public Wi-Fi for sensitive tasks: If you must use public Wi-Fi, use a VPN, and treat all connections as potentially intercepted.

MITM attacks exploit the fundamental trust assumptions in network protocols designed decades ago. The primary defenses — HTTPS, HSTS, certificate transparency, and VPNs — have substantially reduced their effectiveness against careful users, but they remain dangerous wherever protocols are unencrypted or network habits are careless.
