
ARP Poisoning

ARP Poisoning (also called ARP spoofing) is a network attack in which an adversary sends falsified ARP (Address Resolution Protocol) messages to associate their MAC address with the IP address of another host, allowing them to intercept, modify, or block traffic.

What is ARP poisoning?

ARP poisoning exploits weaknesses in the Address Resolution Protocol, which maps IP addresses to MAC addresses in local networks. By injecting forged ARP replies, an attacker can trick devices into sending traffic through their system, enabling man-in-the-middle (MITM) attacks, denial of service, or data theft.

How it typically works


  1. Forging ARP replies: the attacker sends falsified ARP messages associating their MAC address with a target IP (such as the default gateway).
  2. Traffic redirection: devices update their ARP cache and unknowingly send packets to the attacker.
  3. Interception or manipulation: the attacker inspects, modifies, or blocks the traffic.

Common techniques & variants


  • Gratuitous ARP spoofing: the attacker repeatedly sends fake ARP replies to maintain control of the ARP cache.
  • Gateway impersonation: the attacker poisons ARP tables to impersonate the network gateway.
  • Combined attacks: ARP poisoning is used with DNS spoofing or MITM attacks for deeper compromise.
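
From the defender's side, the forged replies described above show up as an IP address (typically the gateway's) suddenly being claimed by a different MAC. The following is an added example, not part of the original page: a small monitor that parses raw ARP frames and reports binding changes. The names `ArpMonitor`, `parse_arp` and `sample_reply`, and all addresses, are assumptions made up for illustration; the frames are constructed test data.

```python
import struct

ETHERTYPE_ARP = 0x0806

def fmt_mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_arp(frame):
    """Parse an Ethernet II frame carrying IPv4 ARP; return a dict or None."""
    if len(frame) < 42:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if ethertype != ETHERTYPE_ARP or (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,  # 1 = request, 2 = reply
        "eth_src": fmt_mac(frame[6:12]),
        "sender_mac": fmt_mac(frame[22:28]),
        "sender_ip": ".".join(str(x) for x in frame[28:32]),
    }

class ArpMonitor:
    """Tracks IP-to-MAC bindings and reports changes (hypothetical helper)."""
    def __init__(self, pinned=None):
        self.pinned = dict(pinned or {})  # known-good bindings, never overwritten
        self.learned = {}                 # bindings learned from observed traffic

    def observe(self, frame):
        arp = parse_arp(frame)
        if arp is None:
            return []
        alerts = []
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        if arp["eth_src"] != mac:  # ARP payload disagrees with the Ethernet header
            alerts.append(("sender-mismatch", ip, arp["eth_src"], mac))
        known = self.pinned.get(ip, self.learned.get(ip))
        if known is not None and known != mac:  # IP now claimed by another MAC
            alerts.append(("binding-change", ip, known, mac))
        if ip not in self.pinned:
            self.learned[ip] = mac
        return alerts

def sample_reply(sender_mac_hex, sender_ip_hex):
    """Constructed ARP reply addressed to host 192.168.1.10 (test data only)."""
    host_mac, host_ip = "02000000000a", "c0a8010a"
    return bytes.fromhex(host_mac + sender_mac_hex + "0806" + "0001080006040002"
                         + sender_mac_hex + sender_ip_hex + host_mac + host_ip)
```

Pinning the gateway's binding means every repeated forged reply raises an alert, whereas a purely learned table alerts once and then again when the legitimate owner answers.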

Impact


ARP poisoning can lead to credential theft, session hijacking, denial of service, or malware injection. Because ARP lacks authentication, local networks are inherently vulnerable if no protections are in place.
