What is ARP spoofing and how does an attacker perform it?
A threat actor sends forged ARP replies so its own MAC gets cached for another device's IP (often the gateway), redirecting the victim's traffic to the attacker for a man-in-the-middle attack.
* The attacker injects a forged reply binding its MAC to the gateway IP; the victim caches it, so victim-to-gateway traffic flows through the attacker (MitM or DoS). *
ARP Spoofing (ARP Poisoning):
A threat actor sends fake ARP replies to associate their MAC address with another device's IP address (typically the default gateway).
Attack process:
- Victim (A) sends ARP request: "Who has 192.168.1.1 (gateway)?"
- Attacker (C) responds: "192.168.1.1 is at my MAC address"
- Victim caches attacker's MAC for the gateway IP
- All traffic from victim to gateway goes to attacker instead
Attack consequences:
- Man-in-the-Middle (MitM) - Attacker intercepts all traffic
- Session hijacking - Attacker can steal sessions
- Data theft - Sensitive data captured
- Denial of Service - Attacker drops traffic instead of forwarding
Protection:
- Dynamic ARP Inspection (DAI) on enterprise switches
- Static ARP entries for critical devices
- Network segmentation with VLANs
Go deeper:
-
ARP Poisoning | Man-in-the-Middle Attack — animated walkthrough of how forged ARP replies poison a victim's cache and enable MitM.
-
ARP spoofing — Wikipedia on the attack mechanics, impacts (interception, MitM, DoS), and defences like DAI and static entries.