What is ARP Request Poisoning, and why does it work as a MitM technique on a LAN?
The attacker sends forged ARP replies that map their MAC address to the IP of a legitimate device (typically the gateway). Victims update their ARP cache and unknowingly send traffic to the attacker.
* Two-way ARP poisoning places the attacker between victim and gateway. *
* LAN traffic flow, normal versus ARP-spoofed. — 0x55534C, CC BY-SA 3.0, via Wikimedia Commons. *
The attack:
Normal: Victim → Gateway (192.168.1.1, MAC 00:11:22:AA:BB:CC)
Attack: Attacker says "Hey victim, 192.168.1.1 is at MY MAC: AA:BB:CC:DD:EE:FF"
After: Victim → Attacker (thinking they reached the gateway)
The two-way poisoning:
To MitM both directions, attacker must poison both sides:
Tell victim: "192.168.1.1 (gateway) is at MY MAC"
Tell gateway: "192.168.1.42 (victim) is at MY MAC"
Both sides now route through the attacker, who forwards traffic so the connection still works.
Why it works (the design flaw):
ARP has no authentication. Any device on the LAN can send "I am the device at IP X" and other devices believe it. ARP just trusts whatever response arrives.
Worse — gratuitous ARPs:
Most OSes accept unsolicited ARP replies ("here's a mapping you didn't ask for") and update their cache. So the attacker can poison without waiting for a request.
Why it must be repeated:
ARP cache entries expire (~60 seconds typical). If the attacker stops sending forged ARPs, the cache repopulates with the real gateway → MitM ends. Tools like arpspoof send forged ARPs continuously to keep the poisoning fresh.
The command:
sudo arpspoof -i eth0 -t [victim_ip] [gateway_ip]
sudo arpspoof -i eth0 -t [gateway_ip] [victim_ip]
# OR with -r flag (bidirectional):
sudo arpspoof -i eth0 -r -t [victim_ip] [gateway_ip]
Tip: ARP poisoning only works on the same LAN segment — it can't cross routers. So an attacker must already be on your network (compromised WiFi, evil colleague, malware-infected device).
Go deeper:
ARP spoofing (Wikipedia) — the protocol flaw (no authentication), attack anatomy, and the full defense/tool tables.