LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

What is ARP spoofing and how does an attacker perform it?

A threat actor sends forged ARP replies so its own MAC gets cached for another device's IP (often the gateway), redirecting the victim's traffic to the attacker for a man-in-the-middle attack.

ARP spoofing attack flow leading to man-in-the-middle

* The attacker injects a forged reply binding its MAC to the gateway IP; the victim caches it, so victim-to-gateway traffic flows through the attacker (MitM or DoS). *

ARP Spoofing (ARP Poisoning):

A threat actor sends fake ARP replies to associate their MAC address with another device's IP address (typically the default gateway).

Attack process:

  1. Victim (A) sends ARP request: "Who has 192.168.1.1 (gateway)?"
  2. Attacker (C) responds: "192.168.1.1 is at my MAC address"
  3. Victim caches attacker's MAC for the gateway IP
  4. All traffic from victim to gateway goes to attacker instead

Attack consequences:

  • Man-in-the-Middle (MitM) - Attacker intercepts all traffic
  • Session hijacking - Attacker can steal sessions
  • Data theft - Sensitive data captured
  • Denial of Service - Attacker drops traffic instead of forwarding

Protection:

  • Dynamic ARP Inspection (DAI) on enterprise switches
  • Static ARP entries for critical devices
  • Network segmentation with VLANs

Go deeper:

  • video ARP Poisoning | Man-in-the-Middle Attack — animated walkthrough of how forged ARP replies poison a victim's cache and enable MitM.

  • doc ARP spoofing — Wikipedia on the attack mechanics, impacts (interception, MitM, DoS), and defences like DAI and static entries.

From Quiz: NETW1 / Address Resolution | Updated: Jul 05, 2026