How to Prevent Man In the Middle Attack? (original) (raw)

Last Updated : 6 Dec, 2025

A Man-in-the-Middle (MITM) attack occurs when an attacker secretly positions themselves between two communicating parties (e.g., your browser and a web server), so they can intercept, read, and often modify the messages passing between them all without either party knowing.

For example, suppose you are connected to a Wi-Fi network and doing a transaction with your bank. An attacker is also connected to the same Wi-Fi. The attacker does the following:

• The attacker sends the rogue ARP packets in the network that map the IP address of the access point to the MAC address of the attacker's device.
• Each device connected in the network caches the entry contained in the rogue packets.
• Your device uses ARP to send the packets destined for your bank's web server to the access point (which is the default gateway for the network).
• The packets get sent to the attacker's machine.
• Attackers can now read and modify the requests contained in the packets before forwarding them.

This way the attacker is suitably situated between you and your bank's server. Every bit of sensitive data that you send to your server including your login password, is visible to the attacker. **ARP cache poisoning is one of the ways to perform an MITM attack, other ways are:

• DNS spoofing.
• IP spoofing.
• Setting up a rogue Wi-Fi AP.
• SSL spoofing, etc.

SSL/TLS protects data by encrypting it so only the legitimate endpoints can read it — but only when it’s configured correctly. Even with encryption, an attacker who records (captures) a valid encrypted login request can replay that request later to impersonate the user unless the application prevents re-use.

**Replay protection (nonce)

A nonce is a one time, unique value the server gives the client before login. The client sends the nonce with the username/password and the server accepts it only once. Because the nonce is single-use, replaying a previously captured request fails so nonces stop replay attacks.

Types of Man-in-the-Middle Attacks

• **Rogue Access Point: Attackers set up a fake Wi-Fi hotspot with a strong signal. Devices auto-connect, sending all traffic through the attacker.
• **ARP Spoofing: Attackers trick devices by sending fake ARP responses, making traffic meant for the gateway go through their machine.
• **DNS Spoofing: Attackers corrupt DNS cache so domain names resolve to malicious IPs, redirecting users to fake sites.
• **Email Phishing: Fake emails (e.g., from a “bank” or “boss”) trick users into revealing login credentials or sensitive info.
• **Router Spoofing: Attackers create a fake Wi-Fi network that looks legitimate; once users connect, their data is intercepted.

Man-in-the-Middle Attack Techniques

• **Sniffing: Capturing network traffic to read or analyze data between devices.
• **Packet Injection: Inserting fake/malicious packets into normal data streams to manipulate communication.
• **SSL Stripping: Downgrading secure HTTPS connections to insecure HTTP, letting attackers see and change data.
• **Eavesdropping: Secretly listening to communication sessions to steal or alter information.

How to Detect a Man-in-the-Middle Attack?

• **Fake websites: Hackers use a man-in-the-middle attack to direct you to a web page or site that they control. Because they only have access to your internet connection and the traffic flowing from your device, not the contents of your computer.
• **Unusual Network Activity: A significant increase in network traffic may indicate a man-in-the-middle (MIT) attack. unusual connections or requests from unusual sources can indicate that an attacker is trying to steal data packets.
• **Suspicious certificates: If your browser displays a certificate warning, it indicates that you are going to visit a website that has been encrypted by a criminal as part of an MITM attack. You should not go to the website.
• **Unexpected Credential Requests: If a website or application requests credentials that the user is unfamiliar with, this may indicate a man-in-the-middle attack.
• **Unusual Login Errors: If a user encounters login errors after entering the correct credentials, it may indicate that an attacker is attempting to steal data packets.
• **Unexpected Pop-Ups: Unexpected pop-up windows or notifications could indicate a man-in-the-middle attack.

**How to prevent Man-in-the-Middle attacks?

• Always use trusted networks and devices to log in to sensitive websites.
• Avoid connecting to a Wi-Fi that is open(unencrypted).
• Keeping networks secure from unwanted external access.
• In case you have to use a public computer, check its browser for the presence of any rogue certificate and make sure that there aren’t any. Check the hosts’ file too.
• When connected to a public network or using a public computer, perform a traceroute to the website you want to access and see the route taken by the packets for anything suspicious. For example, packets going to an IP different from the IP whose last octet is 1 (the IP of your gateway).

**Case Study of Man In the Middle Attack

• **Case Study 1 (Equifax App): The app didn’t use HTTPS, so attackers intercepted and stole user data during logins.
• **Case Study 2 (Registrar Breach): Attackers stole valid certificates, created fake websites, and tricked users into sharing sensitive data.
• **Case Study 3 (Bank Phishing): Attackers sent fake login-alert emails with a malicious link. Victims entered details on a fake site, which gave attackers access to their bank accounts.

**Users should be aware of

• Public Wi-Fi Network.
• Don't access that Wi-Fi where the name of the Wi-Fi does not seem to be right.