LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

How does an ARP spoofing/poisoning attack work, and why are hosts so vulnerable to it?

The attacker sends gratuitous ARP (Address Resolution Protocol) replies claiming their MAC (Media Access Control) address belongs to the default gateway's IP (Internet Protocol). All hosts update their ARP cache and start sending traffic to the attacker instead of the real gateway. Hosts are vulnerable because ARP has no authentication — any ARP reply is trusted.

Normal LAN routing contrasted with ARP cache poisoning, where the attacker's MAC is bound to the gateway IP for a man-in-the-middle.

* ARP poisoning redirects traffic through the attacker. — 0x55534C, CC BY-SA 3.0, via Wikimedia Commons. *

Why ARP is inherently vulnerable:

  • ARP has no authentication mechanism — there's no way to verify that an ARP reply is legitimate
  • Hosts accept unsolicited ARP replies (called "gratuitous ARPs") and update their cache
  • A "gratuitous ARP" is an ARP reply that nobody asked for — it's meant for legitimate cache updates, but attackers exploit it

The attack:

  1. Attacker sends a gratuitous ARP: "IP 10.0.0.1 (the gateway) is at MAC aa:bb:cc:dd:ee:ff (the attacker)"
  2. All hosts on the subnet update their ARP table: gateway IP → attacker's MAC
  3. All traffic intended for the gateway now goes to the attacker
  4. The attacker forwards it to the real gateway (maintaining connectivity) → man-in-the-middle

Tools that do this trivially: arpspoof, ettercap, Cain & Abel, BetterCAP

IPv6 equivalent: IPv6 doesn't use ARP — it uses ICMPv6 (Internet Control Message Protocol version 6) Neighbor Discovery. But IPv6 has similar vulnerabilities via Neighbor Advertisement spoofing. IPv6 includes strategies to mitigate this.

Mitigation: Dynamic ARP Inspection (DAI) — validates ARP packets on untrusted ports against the DHCP (Dynamic Host Configuration Protocol) snooping binding table. If the source IP/MAC in the ARP doesn't match the binding → the packet is dropped.

Go deeper:

  • doc ARP spoofing (Wikipedia) — how forged replies bind the attacker's MAC to the gateway IP for MITM (Man-in-the-Middle), and why stateless ARP caching makes hosts vulnerable.
  • doc RFC 826 — Address Resolution Protocol — the original spec showing ARP has no authentication of replies, the root cause of the vulnerability.

From Quiz: NETW2 / LAN Security Concepts | Updated: Jul 05, 2026