LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

What is ARP Request Poisoning, and why does it work as a MitM technique on a LAN?

The attacker sends forged ARP replies that map their MAC address to the IP of a legitimate device (typically the gateway). Victims update their ARP cache and unknowingly send traffic to the attacker.

Attacker (ip_forward on) tells victim it's the gateway and the gateway it's the victim; traffic flows through it.

* Two-way ARP poisoning places the attacker between victim and gateway. *

LAN routing under normal conditions versus under an ARP-spoofing attack.

* LAN traffic flow, normal versus ARP-spoofed. — 0x55534C, CC BY-SA 3.0, via Wikimedia Commons. *

The attack:

Normal:   Victim → Gateway (192.168.1.1, MAC 00:11:22:AA:BB:CC)
Attack:   Attacker says "Hey victim, 192.168.1.1 is at MY MAC: AA:BB:CC:DD:EE:FF"
After:    Victim → Attacker (thinking they reached the gateway)

The two-way poisoning:

To MitM both directions, attacker must poison both sides:

Tell victim:  "192.168.1.1 (gateway) is at MY MAC"
Tell gateway: "192.168.1.42 (victim) is at MY MAC"

Both sides now route through the attacker, who forwards traffic so the connection still works.

Why it works (the design flaw):

ARP has no authentication. Any device on the LAN can send "I am the device at IP X" and other devices believe it. ARP just trusts whatever response arrives.

Worse — gratuitous ARPs:

Most OSes accept unsolicited ARP replies ("here's a mapping you didn't ask for") and update their cache. So the attacker can poison without waiting for a request.

Why it must be repeated:

ARP cache entries expire (~60 seconds typical). If the attacker stops sending forged ARPs, the cache repopulates with the real gateway → MitM ends. Tools like arpspoof send forged ARPs continuously to keep the poisoning fresh.

The command:

sudo arpspoof -i eth0 -t [victim_ip] [gateway_ip]
sudo arpspoof -i eth0 -t [gateway_ip] [victim_ip]
# OR with -r flag (bidirectional):
sudo arpspoof -i eth0 -r -t [victim_ip] [gateway_ip]

Tip: ARP poisoning only works on the same LAN segment — it can't cross routers. So an attacker must already be on your network (compromised WiFi, evil colleague, malware-infected device).

Go deeper:

From Quiz: INTROL / Man in the Middle (MitM) | Updated: Jul 05, 2026