In a man-in-the-middle attack, an attacker inserts themselves between the source and destination to eavesdrop on communications or to modify traffic before it reaches the destination.

ARP Spoofing

AKA ARP poisoning. This is also and example of a spoofing attack.

A host sends an ARP request asking for the MAC address of another device. Because ARP requests are broadcast every node in the collision domain will receive a copy, including an attacker. The attacker received the broadcast, then waits for the legitimate node to reply to the request, then sends its own fraudulent ARP reply. Since its reply will arrive last, it will overwrite the legitimate reply.

After this point any traffic the first host tries to send to the legitimate node will instead be forwarded to the attacker. The attacker can inspect or modify the messages before forwarding them. Conceivably, the attacker could forgo forwarding the traffic to the legitimate host, but that may reveal its presence to security/network engineers.

This attack compromises the confidentiality, and potentially the integrity, of the data in a network.

DHCP Poisoning

DHCP Poisoning

Similar to ARP Poisoning, this is a man-in-the-middle attack. A spurious (i.e. fake) DHCP server replies to clients’ DHCP discover messages and assigns them IP addresses, but makes the clients use the spurious server’s IP as their default gateway. The client(s) will then send traffic to the attacker rather than the legitimate default gateway, allowing the attacker to examine and modify the traffic before forwarding it to the legitimate default gateway.


In DHCP poisoning clients will receive offers from both the spurious and the legitimate DHCP servers. DHCP clients usually accept the first DHCP offer they receive. If the spurious server and legitimate server are both in the local network, it may not be clear which one’s offer a client will receive first, but if the spurious server is local and the legitimate server is remote (communicating through a DHCP Relay Agent) then it’s almost certain that the spurious server’s messages will arrive first.

Link to original