LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What OSI layer does ARP poisoning operate on, and why does this make it impossible to do over the internet?

ARP operates at Layer 2 (Data Link) — within a single broadcast domain. Layer 2 doesn't traverse routers, so ARP poisoning is strictly a LAN attack.

The boundary:

Routers separate Layer-2 domains. They don't forward:

  • ARP requests/replies
  • Ethernet broadcasts
  • MAC-based traffic

So if you're on the internet trying to ARP-poison bank.com, the packets die at the first router. The attacker must be on the same LAN segment as the victim.

What this means in practice:

Attacker location ARP poisoning possible?
Same WiFi as victim (coffee shop) YES
Same office network YES
Compromised IoT device on victim's home network YES
Across the internet NO
Through a VPN tunnel NO (VPN encapsulates traffic past the LAN)

Why this is still a serious threat:

  • Public WiFi is everywhere
  • Coworkers / unhappy roommates / malware-infected neighbor devices
  • Compromised IoT devices (cameras, printers) become MitM platforms
  • Pentest scenarios require LAN access (often the first foothold after phishing)

The defense ladder:

Defense Effectiveness
Use VPN Tunnels traffic past the LAN — ARP poisoning sees only encrypted packets
HTTPS + HSTS Even if ARP-poisoned, app-layer crypto holds
Trusted networks only Home + office, never public WiFi
Wired vs WiFi Both vulnerable, but WiFi has WPA3 SAE which adds protection
DAI on switches Catches the attack in the LAN itself

Layer-2 attacks ≠ negligible:

Layer 2 is often the softest layer in enterprise networks — high-end firewalls protect L3+ but L2 is "trusted because it's inside." Many real breaches start with a malicious USB stick or rogue device on the LAN.

Tip: When traveling, always assume the network is hostile. VPN-on-connect (Auto-VPN) is one of the highest-value security configurations for laptops.

Go deeper:

From Quiz: INTROL / Man in the Middle (MitM) | Updated: Jul 14, 2026