On-Path Attack
A network attack where the attacker positions themselves between two communicating devices and intercepts β and optionally modifies β all traffic passing between them. Both victims believe they are communicating directly with each other and remain unaware of the attacker's presence. Formerly called a man-in-the-middle (MITM) attack. Enables credential theft, session hijacking, data modification, and traffic injection.
ARP (Address Resolution Protocol)
A Layer 2 protocol that maps IP addresses to MAC addresses within a local subnet. When a device knows another device's IP address but not its MAC address, it broadcasts an ARP request asking "who has IP X?" The device with that IP responds with its MAC. The requesting device stores the result in its ARP cache. ARP has no authentication β any device can respond to any ARP request, or send unsolicited ARP replies, with no verification.
MAC Address
A hardware identifier assigned to each network interface, used for communication within a local network segment. While IP addresses handle routing between networks, MAC addresses are what local network equipment (switches) uses to deliver frames between devices on the same subnet. MAC addresses are 48-bit values typically displayed in hexadecimal (e.g., AA:BB:CC:DD:EE:FF). ARP poisoning attacks exploit the fact that local networks rely on MAC addresses for delivery.
ARP Cache
A temporary table maintained by each networked device that stores IP address-to-MAC address mappings learned through ARP. When a device needs to communicate with an IP address on the same subnet, it checks its ARP cache first; if the entry exists, it uses the stored MAC address without broadcasting. ARP cache entries expire after a timeout period and are refreshed by new ARP activity. Because ARP caches accept unsolicited updates without authentication, they are the target of ARP poisoning attacks.
ARP Poisoning (ARP Spoofing)
An on-path attack technique that corrupts the ARP caches of targeted devices by sending forged, unsolicited ARP replies. The attacker claims to be a legitimate device (typically the default gateway/router) and overwrites the victim's cached MAC address with the attacker's own MAC. By poisoning both ends of a conversation, all traffic flows through the attacker. Operates only within a single subnet β ARP does not cross network layer boundaries. Mitigated by dynamic ARP inspection (DAI) on managed switches.
Gratuitous ARP
An unsolicited ARP reply that a device sends without having received an ARP request. Gratuitous ARPs are used legitimately (e.g., a device announcing its presence after an IP change or network reconnection), but attackers exploit the same mechanism to inject false IP-to-MAC mappings into other devices' ARP caches. Because ARP caches accept these unsolicited updates, repeated gratuitous ARPs are the primary technique used in ARP poisoning attacks.
On-Path Browser Attack
An on-path attack variant where malware installed on the victim's own device intercepts browser communications before encryption is applied and after decryption. Unlike network-layer on-path attacks, the browser attack operates locally β inside the victim's device β which means it bypasses HTTPS, TLS, and all network-layer security controls. The malware typically targets banking sessions, capturing credentials and silently initiating unauthorized transactions while the victim interacts normally with the banking website. Formerly called man-in-the-browser (MITB).
Dynamic ARP Inspection (DAI)
A switch-level security feature that validates ARP packets by comparing them against a trusted binding table (typically derived from DHCP snooping). Any ARP reply claiming an IP-to-MAC mapping that contradicts the binding table is dropped. DAI prevents ARP poisoning attacks by ensuring that only legitimate, validated ARP responses are accepted and cached by devices on the network. Available on enterprise-grade managed switches. Requires proper DHCP snooping configuration to build the binding table.
DHCP Snooping
A switch security feature that inspects DHCP traffic and builds a binding table recording the IP addresses legitimately assigned to each switch port (and the corresponding MAC address). This binding table serves as the trusted reference for Dynamic ARP Inspection β if an ARP reply claims an IP is at a MAC that doesn't match the DHCP snooping table, it's flagged as potentially malicious. DHCP snooping also prevents rogue DHCP servers from assigning addresses to clients.
Session Hijacking
An attack where the attacker captures a valid session token (a credential issued by a server after successful authentication) and uses it to impersonate the legitimate user without knowing their password. On-path attacks are one mechanism for session hijacking β by intercepting all traffic between a client and server, the attacker captures the session token and can replay it to the server from their own device. Mitigated by encrypting traffic (HTTPS), short session token lifetimes, and binding session tokens to client IP addresses.
SSL Stripping
An on-path attack technique where the attacker intercepts a client's initial HTTP request to a website and establishes an HTTPS connection to the server on the client's behalf β while serving the client an unencrypted HTTP version of the page. From the server's perspective, the connection is secure; from the client's perspective, the site appears to be in HTTP; only the attacker sees both sides. The client's data is transmitted in plaintext to the attacker. Mitigated by HTTP Strict Transport Security (HSTS) and HTTPS-only policies.
Network Segmentation
The practice of dividing a network into multiple isolated subnets or VLANs, with controlled access between segments. Directly limits ARP poisoning attacks β since ARP operates only within a single subnet, an attacker must be on the same subnet as both victims to execute an on-path attack. By separating workstations from servers, finance systems from general users, and guests from internal networks, segmentation ensures that even a compromised device can only reach β and potentially intercept β traffic on its own segment.