What indicator suggests that a workstation may have encountered an on-path attack?

The presence of an alternate address for the gateway in the ARP table is a strong indicator that a workstation may have encountered an on-path attack. An on-path attack, often referred to as a man-in-the-middle attack, occurs when an attacker intercepts or alters communications between two parties without their knowledge.

When a device sends data over a network, it uses the Address Resolution Protocol (ARP) to map IP addresses to MAC addresses. If an attacker compromises this process and alters the ARP table of a workstation, it may show an alternate MAC address for the default gateway. This could suggest that the workstation is being redirected to communicate with the attacker instead of the legitimate gateway, thereby enabling the attacker to intercept or manipulate the traffic.

In contrast, while frequent IP address changes, unusual outgoing traffic patterns, and unknown devices on the network can be signs of various security issues, they do not specifically indicate the presence of an on-path attack. Frequent IP changes could suggest a dynamic IP setup or network misconfiguration. Unusual outgoing traffic patterns might indicate other types of attacks, such as botnet activity or data exfiltration. Unknown devices could indicate unauthorized access or rogue devices but do not directly signal that data is being intercepted.