LOGBOOK

HELP

Quiz Entry - updated: 2026.06.26

What is ARP spoofing and what does it let an attacker do?

The attacker forges ARP replies that map a victim's IP address to the attacker's MAC, so traffic on the local network gets delivered to the attacker instead.

ARP (Address Resolution Protocol) lives at the Link layer — it answers "who has IP 192.168.1.1?" with a MAC address. The protocol has no authentication: whoever shouts the loudest, latest answer wins.

Attack flow:

  1. Attacker sends gratuitous ARP replies to the victim claiming "192.168.1.1 (the router) is at MAC CC:CC:CC:CC:CC:CC" (the attacker's MAC).
  2. Attacker also tells the router that the victim's IP is at the same CC MAC.
  3. All traffic between victim and router now flows through the attacker — classic Man-in-the-Middle.

Consequences: sniffing plaintext credentials, downgrading TLS (sslstrip), injecting content into HTTP responses, blackholing traffic for DoS.

Mitigations: static ARP entries, Dynamic ARP Inspection on managed switches, 802.1X port authentication, or simply not trusting the local network (use TLS everywhere).

Tip: ARP spoofing only works on the same LAN segment — that's why hotel/airport Wi-Fi is dangerous and your work VPN over coffee shop Wi-Fi is sensible.

From Quiz: ISF / Web Application Security Basics | Updated: Jun 26, 2026