What is ARP spoofing and what does it let an attacker do?
The attacker forges ARP replies that map a victim's IP address to the attacker's MAC, so traffic on the local network gets delivered to the attacker instead.
ARP (Address Resolution Protocol) lives at the Link layer — it answers "who has IP 192.168.1.1?" with a MAC address. The protocol has no authentication: whoever shouts the loudest, latest answer wins.
Attack flow:
- Attacker sends gratuitous ARP replies to the victim claiming "192.168.1.1 (the router) is at MAC CC:CC:CC:CC:CC:CC" (the attacker's MAC).
- Attacker also tells the router that the victim's IP is at the same CC MAC.
- All traffic between victim and router now flows through the attacker — classic Man-in-the-Middle.
Consequences: sniffing plaintext credentials, downgrading TLS (sslstrip), injecting content into HTTP responses, blackholing traffic for DoS.
Mitigations: static ARP entries, Dynamic ARP Inspection on managed switches, 802.1X port authentication, or simply not trusting the local network (use TLS everywhere).
Tip: ARP spoofing only works on the same LAN segment — that's why hotel/airport Wi-Fi is dangerous and your work VPN over coffee shop Wi-Fi is sensible.