What's the difference between ARP poisoning at L2 and DNS spoofing at L7, and why are they often combined in an attack?
ARP poisoning gets you on the path (L2 redirect). DNS spoofing tells the victim where to go (L7 redirect). Combined, the attacker controls both routing and naming.
* The full attack chain from recon to credential capture. *
* ARP at L2 is the vehicle; DNS at L7 is the payload. *
The two-layer combo:
| Layer | Attack | What it does |
|---|---|---|
| L2 | ARP poisoning | Force traffic through attacker |
| L7 | DNS spoofing | Make bank.com resolve to attacker's IP |
Why both are needed for this scenario:
ARP alone (without DNS spoofing):
- Victim still resolves
mycampus.hslu.chto the real IP via legit DNS - Even though traffic flows through attacker, the attacker is just a passive sniffer
- HTTPS prevents reading the data
- Attacker sees encrypted traffic to the real server — useless
DNS alone (without ARP poisoning):
- Hard to do unless attacker controls a DNS server upstream
- A typical local network DNS isn't exposed for direct spoofing
- The classic Kaminsky attack targets recursive resolvers, not local LAN
The combo:
- ARP makes you in-path → can intercept DNS queries
- You forge DNS replies for specific domains → victim connects to YOUR server
- Your server hosts a fake page → captures plaintext credentials
The full attack chain:
1. Nmap → identify victim & gateway
2. Enable IP forwarding → become a transparent router
3. arpspoof → poison both directions
4. Wireshark → confirm traffic is flowing through
5. ettercap with dns_spoof → forge DNS replies for mycampus.hslu.ch
6. httrack → clone the real login page
7. Apache → host the fake page on the attacker's box
8. Modify form action → credentials POST to attacker
9. Victim browses to mycampus.hslu.ch → DNS lies → connects to fake site
10. Victim logs in → attacker captures credentials
The key insight:
This is defense in depth in reverse — the attacker layers attacks across OSI layers because defenders layer protections across them. To bypass HTTPS at L7, you sometimes need to manipulate DNS at L7 (instead). Each defense raises the bar; this attack works because the target uses HTTP (for clarity), no DAI, no DNSSEC, no MFA.
Why MFA breaks the chain:
Even with all of the above succeeding, MFA at the real server keeps the attacker out — they have the password but not the second factor. This is exactly why HSLU added MFA recently.
Tip: When evaluating defenses, walk through every layer: physical, link, network, transport, application. Each layer's mitigation only protects that layer's threats. Defense in depth = mitigations at every layer.
Go deeper:
DNS spoofing (Wikipedia) — the L7 redirect half: forging name resolution, and the DNSSEC/HTTPS defenses.