Cyber Threats #MITM#man in the middle#ARP spoofing

Real-World Man-in-the-Middle Attacks: Examples and Defense

Explore real-world MITM attack scenarios — ARP spoofing, SSL stripping, rogue WiFi, and BGP hijacking — with defenses for each.

7 min read

Man-in-the-middle (MITM) attacks position an attacker between two communicating parties, allowing them to intercept, read, or modify traffic. Unlike active exploits, MITM often starts passively — observing traffic before deciding whether to intercept or modify. Here’s how MITM works in practice across different scenarios.

ARP Spoofing (Local Network)

ARP (Address Resolution Protocol) maps IP addresses to MAC addresses on local networks. It’s stateless and unauthenticated — anyone can claim any IP.

How It Works

# On attacker machine (Kali Linux / Bettercap)
# Send gratuitous ARP replies claiming to be the gateway
bettercap -iface eth0 -eval "set arp.spoof.targets 192.168.1.105; arp.spoof on; net.probe on"
  1. Attacker sends ARP replies claiming their MAC address is the gateway’s IP (192.168.1.1)
  2. Victim’s ARP table is updated — victim now sends all traffic to attacker instead of gateway
  3. Attacker forwards traffic to the real gateway (transparent relay)
  4. All victim traffic passes through attacker’s machine

With ARP spoofing in place, the attacker can:

  • Capture credentials from unencrypted protocols (HTTP, FTP, SMTP without TLS)
  • SSL strip attacks (downgrade HTTPS to HTTP)
  • Inject content into HTTP responses
  • Capture cookies from unencrypted sessions

Defense:

  • Dynamic ARP Inspection (DAI): enterprise switches validate ARP packets against a DHCP snooping binding table
  • VPN: encrypt all traffic — ARP spoofing still intercepts packets but can’t decrypt them
  • HTTPS Everywhere + HSTS: HSTS prevents SSL stripping for known sites
  • Static ARP entries for gateway: arp -s 192.168.1.1 AA:BB:CC:DD:EE:FF

SSL Stripping

SSL stripping downgrades HTTPS connections to HTTP:

  1. Victim requests http://bank.com (initial HTTP request)
  2. Server redirects to https://bank.com
  3. MITM intercepts the redirect — fetches HTTPS from the server but serves HTTP to victim
  4. Victim sees the site over HTTP; attacker sees all traffic in plaintext
  5. The URL bar shows http://bank.com — users often don’t notice
# SSLStrip (classic tool)
sslstrip -l 10000
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000

Defense:

  • HSTS (HTTP Strict Transport Security): server tells browser to always use HTTPS
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  • HSTS Preloading: browser has a hardcoded list of HSTS domains — never uses HTTP regardless of what MITM serves
  • Visit only HTTPS URLs: type https:// explicitly; browser extensions force HTTPS

Rogue WiFi Access Points (Evil Twin)

A rogue access point mimics a legitimate network to intercept traffic.

Attack Setup

# Create a rogue AP with same SSID as target
# Using hostapd + bettercap or airbase-ng

# hostapd config
cat > /tmp/hostapd.conf << EOF
interface=wlan0mon
driver=nl80211
ssid=CoffeeShop_WiFi   # Same as legitimate AP
channel=6
hw_mode=g
EOF

hostapd /tmp/hostapd.conf

The rogue AP sends stronger signal than the legitimate one, causing devices to deauthenticate and connect to the attacker.

Real-world variant: captive portal evil twin — the rogue AP shows a fake “connect to WiFi” page that steals credentials or installs malware before granting internet access.

Defense:

  • VPN: all traffic encrypted regardless of which WiFi you’re on
  • Don’t trust WiFi networks without a VPN on untrusted networks
  • 802.1X authentication (WPA2/3-Enterprise): each user has unique credentials, rogue APs can’t easily replicate
  • Be suspicious of duplicate SSID networks — check signal source with WiFi Analyzer

BGP Hijacking (Internet-Scale)

Border Gateway Protocol (BGP) routes traffic between autonomous systems (ISPs, cloud providers). BGP trusts that networks only advertise their own IP ranges — there’s no cryptographic verification.

A BGP hijack occurs when a network (maliciously or misconfigured) announces another network’s IP prefix:

  1. Attacker’s AS announces 203.0.113.0/24 (a prefix they don’t own)
  2. Some routers accept the announcement (shortest path or misconfiguration)
  3. Traffic destined for 203.0.113.x routes to attacker’s network
  4. Attacker can read, modify, or drop the traffic before forwarding

Historical examples:

  • 2010: Pakistan Telecom’s misconfiguration hijacked YouTube’s traffic globally for 18 minutes
  • 2018: BGP hijack redirected Amazon Route 53 DNS traffic for 2 hours, used to steal $150,000 in cryptocurrency (MyEtherWallet users)
  • 2019: BGP route leak from small ISP rerouted Google’s traffic through China Telecom

Defense:

  • RPKI (Resource Public Key Infrastructure): cryptographically validates BGP announcements; operators with RPKI ROAs can reject invalid route announcements
  • BGP route filtering: ISPs filter routes from customers to only allow their legitimate prefixes
  • HTTPS + certificate pinning: even if BGP routes traffic to attacker, valid TLS certificate is required
  • Limited without ISP/carrier cooperation

DNS Hijacking

Modify DNS responses to redirect users to attacker-controlled servers:

Methods:

  • Compromise home router’s DNS settings (change to rogue DNS server)
  • On-path attack: intercept DNS queries and return forged responses
  • Compromise authoritative DNS server or registrar account
# Intercept and modify DNS with Scapy (conceptual)
from scapy.all import *

def dns_spoof(pkt):
    if pkt.haslayer(DNS) and pkt[DNS].qr == 0:  # DNS query
        if 'bank.com' in pkt[DNS].qd.qname.decode():
            # Send forged response
            spoofed = IP(dst=pkt[IP].src) / UDP(dport=pkt[UDP].sport) / \
                      DNS(id=pkt[DNS].id, qr=1, aa=1, 
                          an=DNSRR(rrname=pkt[DNS].qd.qname, rdata='attacker.ip'))
            send(spoofed)

sniff(filter="udp port 53", prn=dns_spoof)

Defense:

  • DNSSEC: cryptographically signs DNS records — forged responses fail signature verification
  • DNS over HTTPS (DoH) / DNS over TLS (DoT): encrypts DNS queries, prevents on-path interception
  • HTTPS + certificate transparency: even with DNS hijacked, the attacker can’t get a valid TLS certificate for the victim’s domain (without compromising a CA)
  • Lock down router DNS settings with a strong admin password; use DoH upstream resolvers

MITM attacks exploit trust assumptions built into network protocols designed in an era when the internet was a cooperative research network. Modern defenses layer cryptography (TLS, DNSSEC, RPKI) on top of those protocols to add the authentication that was originally missing.

#network security #ARP spoofing #man in the middle #MITM