What OSI layer does ARP poisoning operate on, and why does this make it impossible to do over the internet?
ARP operates at Layer 2 (Data Link) — within a single broadcast domain. Layer 2 doesn't traverse routers, so ARP poisoning is strictly a LAN attack.
The boundary:
Routers separate Layer-2 domains. They don't forward:
- ARP requests/replies
- Ethernet broadcasts
- MAC-based traffic
So if you're on the internet trying to ARP-poison bank.com, the packets die at the first router. The attacker must be on the same LAN segment as the victim.
What this means in practice:
| Attacker location | ARP poisoning possible? |
|---|---|
| Same WiFi as victim (coffee shop) | YES |
| Same office network | YES |
| Compromised IoT device on victim's home network | YES |
| Across the internet | NO |
| Through a VPN tunnel | NO (VPN encapsulates traffic past the LAN) |
Why this is still a serious threat:
- Public WiFi is everywhere
- Coworkers / unhappy roommates / malware-infected neighbor devices
- Compromised IoT devices (cameras, printers) become MitM platforms
- Pentest scenarios require LAN access (often the first foothold after phishing)
The defense ladder:
| Defense | Effectiveness |
|---|---|
| Use VPN | Tunnels traffic past the LAN — ARP poisoning sees only encrypted packets |
| HTTPS + HSTS | Even if ARP-poisoned, app-layer crypto holds |
| Trusted networks only | Home + office, never public WiFi |
| Wired vs WiFi | Both vulnerable, but WiFi has WPA3 SAE which adds protection |
| DAI on switches | Catches the attack in the LAN itself |
Layer-2 attacks ≠ negligible:
Layer 2 is often the softest layer in enterprise networks — high-end firewalls protect L3+ but L2 is "trusted because it's inside." Many real breaches start with a malicious USB stick or rogue device on the LAN.
Tip: When traveling, always assume the network is hostile. VPN-on-connect (Auto-VPN) is one of the highest-value security configurations for laptops.
Go deeper:
Data link layer (Wikipedia) — OSI Layer 2 and why routers terminate the broadcast domain, confining ARP locally.
Address Resolution Protocol (Wikipedia) — ARP's placement and its broadcast-based, non-routable operation.