ARP spoofing exploits a fundamental assumption in network design: that everyone on your local network can be trusted.
The Address Resolution Protocol was built for efficiency, not security. It has no concept of lying. When your computer needs to find another device on the network, it broadcasts a question and believes whoever answers. ARP spoofing is simply answering that question dishonestly.
How ARP Works
Every device on an IP network has two addresses. The IP address (like 192.168.1.100) is the logical address that applications use. The MAC address (like 00:1A:2B:3C:4D:5E) is the link-layer address of the network interface; the manufacturer assigns it, but any operating system can override it in software, which is exactly what spoofing tools rely on. To send a frame on the local network, your computer needs the MAC address of the next hop, but it usually starts out knowing only the IP address.
ARP bridges this gap. When your computer wants to reach 192.168.1.100, it broadcasts an ARP request to every device on the network: "Who has 192.168.1.100? Tell me your MAC address."
The device with that IP address responds: "That's me. My MAC address is 00:1A:2B:3C:4D:5E."
Your computer stores this mapping in its ARP cache and uses it for all future communication with that IP address.
Here's the problem: ARP has no authentication. Your computer doesn't verify that the responder actually owns that IP address. It can't. The protocol simply wasn't designed with verification in mind. ARP was designed for a world where everyone on the network could be trusted. That world never existed.
The Attack
ARP spoofing sends forged ARP replies that nobody asked for. The attacker tells each victim: "The gateway's IP address? That's me. Send your Internet traffic to my MAC address."
The victims believe this because ARP gives them no reason not to. They update their ARP caches with the attacker's MAC address mapped to the gateway's IP address. Now when they try to reach the Internet, their frames go to the attacker instead. To capture the return direction as well, the attacker sends the gateway the mirror-image lie: the victim's IP address now maps to the attacker's MAC.
The attacker receives this traffic, inspects or modifies it, then forwards it to the real gateway (the attacker's machine must have IP forwarding enabled for this; without it the victim simply loses connectivity). From the victim's perspective, everything works normally. Pages load. Emails send. But every packet passes through the attacker's machine first.
This is a man-in-the-middle position. The attacker sits between victims and their gateway, unnoticed unless someone is watching ARP, and sees everything that isn't encrypted.
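The exchange described in "How ARP Works" and the forged replies described above, as an added example that is not part of the original article: it encodes and decodes the 28-byte ARP payload exactly as RFC 826 lays it out, builds the honest request/reply pair, then builds the two unsolicited replies a full man-in-the-middle needs and shows a host's cache accepting them. All addresses are constructed for the example; nothing is sent on the wire (there is no socket code here), and real operating systems differ in when they accept an unsolicited reply, so `learn` models the page's description rather than any particular stack.

```python
import struct
from typing import NamedTuple

# ARP for IPv4 over Ethernet, as laid out in RFC 826
HTYPE_ETHERNET, PTYPE_IPV4, ETHERTYPE_ARP = 1, 0x0800, 0x0806
OP_REQUEST, OP_REPLY = 1, 2
BROADCAST_MAC, ZERO_MAC = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"


class Arp(NamedTuple):
    op: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def _mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def _ip(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))


def _mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(p: Arp) -> bytes:
    """The whole 28-byte ARP payload: an opcode and four addresses.
    There is no field that could carry a signature or any proof of ownership."""
    return (struct.pack("!HHBBH", HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, p.op)
            + _mac(p.sender_mac) + _ip(p.sender_ip)
            + _mac(p.target_mac) + _ip(p.target_ip))


def parse_arp(payload: bytes) -> Arp:
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("not an IPv4-over-Ethernet ARP packet")
    return Arp(op, _mac_str(payload[8:14]), _ip_str(payload[14:18]),
               _mac_str(payload[18:24]), _ip_str(payload[24:28]))


def ethernet_frame(dst_mac: str, src_mac: str, payload: bytes) -> bytes:
    """14-byte Ethernet header (dst, src, EtherType 0x0806) in front of the ARP payload."""
    return _mac(dst_mac) + _mac(src_mac) + struct.pack("!H", ETHERTYPE_ARP) + payload


def who_has(asker_mac: str, asker_ip: str, wanted_ip: str) -> Arp:
    """The broadcast question: 'Who has wanted_ip? Tell asker_ip.'"""
    return Arp(OP_REQUEST, asker_mac, asker_ip, ZERO_MAC, wanted_ip)


def honest_reply(request: Arp, my_mac: str) -> Arp:
    """What the real owner of request.target_ip sends back to the asker."""
    return Arp(OP_REPLY, my_mac, request.target_ip, request.sender_mac, request.sender_ip)


def forged_replies(attacker_mac, victim_mac, victim_ip, gateway_mac, gateway_ip):
    """The two unsolicited replies a full man-in-the-middle needs: the victim is
    told the gateway lives at the attacker's MAC, and the gateway is told the
    same about the victim, so both directions of traffic pass the attacker."""
    to_victim = Arp(OP_REPLY, attacker_mac, gateway_ip, victim_mac, victim_ip)
    to_gateway = Arp(OP_REPLY, attacker_mac, victim_ip, gateway_mac, gateway_ip)
    return to_victim, to_gateway


def learn(cache: dict, reply: Arp) -> dict:
    """A host's cache update as the article describes it: any reply is believed,
    whether or not a request preceded it, because there is nothing to verify."""
    if reply.op == OP_REPLY:
        cache[reply.sender_ip] = reply.sender_mac
    return cache
```

Run `who_has`, `honest_reply` and `learn` in sequence to watch the cache fill with the right answer, then feed the first element of `forged_replies` into the same `learn` call: the gateway entry silently flips to the attacker's MAC, which is the entire attack.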
What Attackers Can Do
Intercept unencrypted traffic. Anything sent without encryption—HTTP websites, unencrypted email, FTP transfers—becomes readable. Passwords, session cookies, personal data: all visible.
See metadata even for encrypted traffic. HTTPS protects content but not destinations. The attacker still sees the server's IP address, usually the hostname in the TLS handshake (the SNI extension is sent in the clear unless Encrypted Client Hello is in use), and the timing and volume of each transfer.
Hijack sessions. Intercepted authentication cookies let attackers impersonate victims on websites that accepted those cookies.
Cause denial of service. Instead of forwarding traffic, the attacker drops it. Victims think they're connected but nothing works.
Enable DNS spoofing. With the victim's traffic already flowing through the attacker, answering the victim's plaintext DNS queries with false records is straightforward, sending them to attacker-controlled sites. Encrypted DNS to a resolver the client authenticates (DNS over TLS or DNS over HTTPS) takes this option away.
Strip encryption. Combined with SSL stripping, the attacker rewrites the HTTPS links and redirects in pages the victim fetches over plain HTTP so that the browser never upgrades to TLS, leaving the session readable. This fails for sites the browser already knows must use HTTPS, which is what HSTS and the HSTS preload list are for.
Detecting ARP Spoofing
The attack leaves traces if you know where to look.
Multiple IPs mapping to one MAC. If your ARP cache shows several IP addresses all pointing to the same MAC address, someone may be claiming to be multiple devices. Check before raising an alarm: a router or a host running virtual machines can legitimately answer for several addresses.
Gateway MAC address changes. Your gateway's MAC address should be stable. If it suddenly changes, either the hardware was replaced or someone is spoofing it.
Excessive ARP traffic. Normal networks have occasional ARP requests and replies. Constant ARP activity, especially unsolicited replies, suggests an attack.
ARP replies nobody asked for. Forged replies are unsolicited by nature, so a reply with no matching request shortly before it is suspicious. Don't confuse this with gratuitous ARP, in which a device announces its own address (sender and target IP are the same); that is normally legitimate, for example after booting, though spoofing tools can use it too.
Network monitoring tools like Wireshark can capture ARP traffic for analysis. Specialized tools like arpwatch maintain databases of normal IP-to-MAC mappings and alert on changes. On a single host, arp -a (Windows, macOS) or ip neigh (Linux) prints the current cache, which is enough to spot a gateway entry that no longer shows the gateway's known MAC address.
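The four detection signals above, implemented as an added example that is not part of the original article and not arpwatch's code: a small stateful monitor in the spirit of arpwatch that consumes already-decoded ARP packets and reports unsolicited replies, a gateway MAC change, one MAC claiming more addresses than a threshold, and a reply flood, while reporting gratuitous ARP separately so that a booting host is not flagged as an attack. The capture, addresses and thresholds are constructed for the example; tune the thresholds to your own network's baseline.

```python
from collections import defaultdict, deque
from typing import NamedTuple


class ArpEvent(NamedTuple):
    """One ARP packet as decoded from a capture (constructed for this example)."""
    ts: float        # capture time in seconds
    op: int          # 1 = request, 2 = reply
    sender_mac: str
    sender_ip: str
    target_ip: str


class ArpMonitor:
    """Stateful checks over an ARP stream. Alerts are (ts, tag, detail) tuples."""

    def __init__(self, gateway_ip, request_window=2.0,
                 rate_window=10.0, max_replies=20, max_ips_per_mac=2):
        self.gateway_ip = gateway_ip
        self.request_window = request_window   # a reply should follow a request this fast
        self.rate_window = rate_window
        self.max_replies = max_replies
        self.max_ips_per_mac = max_ips_per_mac
        self.cache = {}                        # ip -> mac, as a host on this segment would learn it
        self.pending = {}                      # ip asked about -> ts of the request
        self.ips_by_mac = defaultdict(set)
        self.reply_times = deque()

    def observe(self, ev: ArpEvent):
        alerts = []
        if ev.op == 1:
            self.pending[ev.target_ip] = ev.ts
            return alerts

        # 1. Was anyone asking? Gratuitous ARP (sender == target) is a
        #    self-announcement and is reported on its own, not as an attack.
        asked = self.pending.pop(ev.sender_ip, None)
        if ev.sender_ip == ev.target_ip:
            alerts.append((ev.ts, "GRATUITOUS", f"{ev.sender_mac} announces {ev.sender_ip}"))
        elif asked is None or ev.ts - asked > self.request_window:
            alerts.append((ev.ts, "UNSOLICITED-REPLY", f"{ev.sender_mac} claims {ev.sender_ip}"))

        # 2. The gateway's MAC should never change in normal operation
        prev = self.cache.get(ev.sender_ip)
        if ev.sender_ip == self.gateway_ip and prev and prev != ev.sender_mac:
            alerts.append((ev.ts, "GATEWAY-CHANGE", f"{prev} -> {ev.sender_mac}"))
        self.cache[ev.sender_ip] = ev.sender_mac

        # 3. One MAC claiming many IPs (alert once per new IP beyond the threshold)
        ips = self.ips_by_mac[ev.sender_mac]
        if ev.sender_ip not in ips:
            ips.add(ev.sender_ip)
            if len(ips) > self.max_ips_per_mac:
                alerts.append((ev.ts, "MANY-IPS-ONE-MAC", f"{ev.sender_mac} claims {sorted(ips)}"))

        # 4. Reply rate over a sliding window
        self.reply_times.append(ev.ts)
        while self.reply_times[0] < ev.ts - self.rate_window:
            self.reply_times.popleft()
        if len(self.reply_times) > self.max_replies:
            alerts.append((ev.ts, "ARP-FLOOD", f"{len(self.reply_times)} replies in {self.rate_window}s"))
        return alerts


GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:1a:2b:3c:4d:5e"
VICTIM_IP, VICTIM_MAC = "192.168.1.10", "aa:bb:cc:dd:ee:ff"
ATTACKER_MAC = "de:ad:be:ef:00:01"


def sample_capture():
    """Constructed capture: a normal lookup, one legitimate gratuitous ARP from a
    booting host, then an attacker spraying forged replies every 0.5 s."""
    events = [
        ArpEvent(0.00, 1, VICTIM_MAC, VICTIM_IP, GATEWAY_IP),                      # who has the gateway?
        ArpEvent(0.01, 2, GATEWAY_MAC, GATEWAY_IP, VICTIM_IP),                     # honest answer
        ArpEvent(2.00, 2, "11:22:33:44:55:66", "192.168.1.20", "192.168.1.20"),    # new host announces itself
    ]
    claimed = [GATEWAY_IP, VICTIM_IP, "192.168.1.11"]
    for i in range(30):
        events.append(ArpEvent(5.0 + 0.5 * i, 2, ATTACKER_MAC, claimed[i % 3], VICTIM_IP))
    return events


def analyse(events, gateway_ip=GATEWAY_IP):
    mon = ArpMonitor(gateway_ip)
    alerts = []
    for ev in events:
        alerts.extend(mon.observe(ev))
    return alerts
```

On the sample capture the honest request/reply pair produces nothing, the booting host produces a single GRATUITOUS entry, and the attacker's very first forged reply fires both UNSOLICITED-REPLY and GATEWAY-CHANGE; MANY-IPS-ONE-MAC follows once the attacker claims a third address, and ARP-FLOOD once more than 20 replies fall inside the 10-second window.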
Defending Against ARP Spoofing
Dynamic ARP Inspection (DAI) is the most effective defense on a managed switch. The switch validates every ARP packet arriving on an untrusted port against a database of IP-to-MAC bindings built by DHCP snooping (plus static bindings for hosts with fixed addresses) and drops packets that don't match, so spoofed replies never reach the victims. Ports facing the gateway and other switches are marked trusted and are not inspected, so trust only the uplinks.
Static ARP entries manually configure correct mappings for critical devices like gateways (for example, ip neigh replace 192.168.1.1 lladdr 00:1a:2b:3c:4d:5e dev eth0 nud permanent on Linux, or netsh interface ipv4 add neighbors "Ethernet" 192.168.1.1 00-1a-2b-3c-4d-5e on Windows). A permanent entry is not overwritten by incoming replies, which prevents cache poisoning for that specific address. The entry must be set on every host you want to protect and updated whenever the gateway hardware changes, so this is practical for small networks or critical infrastructure, impractical at scale.
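The DAI decision logic, as an added example that is not part of the original article and not any switch vendor's code: packets from trusted ports pass, everything else must carry a sender IP-to-MAC pair that matches a binding learned from DHCP snooping or configured statically, and an optional consistency check (Cisco calls it "validate src-mac") requires the frame's Ethernet source to equal the sender hardware address inside the ARP payload. The topology, port names and bindings are constructed for the example; the sample scenarios are the honest exchange beside the two forged replies of a man-in-the-middle.

```python
from typing import NamedTuple


class ArpPacket(NamedTuple):
    """An ARP packet as the switch sees it on ingress (constructed for this example)."""
    port: str         # ingress switch port
    eth_src: str      # Ethernet source MAC of the frame
    op: int           # 1 = request, 2 = reply
    sender_mac: str   # sender hardware address inside the ARP payload
    sender_ip: str
    target_ip: str


class DynamicArpInspection:
    """Binding-table check in the style of DAI: packets from trusted ports pass,
    everything else must match a known IP-to-MAC binding or it is dropped."""

    def __init__(self, trusted_ports, dhcp_bindings, static_bindings=()):
        self.trusted = set(trusted_ports)
        # ip -> mac; DHCP snooping fills this, static entries cover fixed hosts
        self.bindings = dict(dhcp_bindings)
        self.bindings.update(static_bindings)

    def inspect(self, pkt: ArpPacket):
        """Return (forward, reason) for one ARP packet."""
        if pkt.port in self.trusted:
            return True, "trusted port"
        # Consistency check: the frame's source MAC must match the ARP sender MAC
        if pkt.eth_src != pkt.sender_mac:
            return False, f"frame from {pkt.eth_src} carries sender MAC {pkt.sender_mac}"
        bound_mac = self.bindings.get(pkt.sender_ip)
        if bound_mac is None:
            return False, f"no binding for {pkt.sender_ip}"
        if bound_mac != pkt.sender_mac:
            return False, f"{pkt.sender_ip} is bound to {bound_mac}, not {pkt.sender_mac}"
        return True, "matches binding"


# Constructed topology: gateway behind the uplink, two hosts with DHCP leases
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:1a:2b:3c:4d:5e"
VICTIM_IP, VICTIM_MAC = "192.168.1.10", "aa:bb:cc:dd:ee:ff"
ATTACKER_IP, ATTACKER_MAC = "192.168.1.30", "de:ad:be:ef:00:01"

dai = DynamicArpInspection(
    trusted_ports={"Gi1/0/1"},                                   # uplink to the gateway
    dhcp_bindings={VICTIM_IP: VICTIM_MAC, ATTACKER_IP: ATTACKER_MAC},
    static_bindings={GATEWAY_IP: GATEWAY_MAC},                   # gateway has no DHCP lease
)


def run_scenarios():
    """Honest traffic beside the two forged replies of a man-in-the-middle."""
    victim_port, attacker_port, uplink = "Gi1/0/5", "Gi1/0/7", "Gi1/0/1"
    cases = {
        "victim asks for gateway": ArpPacket(victim_port, VICTIM_MAC, 1, VICTIM_MAC, VICTIM_IP, GATEWAY_IP),
        "gateway answers on uplink": ArpPacket(uplink, GATEWAY_MAC, 2, GATEWAY_MAC, GATEWAY_IP, VICTIM_IP),
        "attacker's own request": ArpPacket(attacker_port, ATTACKER_MAC, 1, ATTACKER_MAC, ATTACKER_IP, GATEWAY_IP),
        "forged: gateway is at attacker": ArpPacket(attacker_port, ATTACKER_MAC, 2, ATTACKER_MAC, GATEWAY_IP, VICTIM_IP),
        "forged: victim is at attacker": ArpPacket(attacker_port, ATTACKER_MAC, 2, ATTACKER_MAC, VICTIM_IP, GATEWAY_IP),
        "forged with spoofed frame source": ArpPacket(attacker_port, GATEWAY_MAC, 2, ATTACKER_MAC, GATEWAY_IP, VICTIM_IP),
    }
    return {name: dai.inspect(pkt) for name, pkt in cases.items()}
```

The point the scenarios make is that the attacker's legitimate traffic is untouched, while both halves of the poisoning (the lie to the victim and the lie to the gateway) are dropped at the access port before any cache sees them. The gateway only passes because its uplink is trusted; if you forget the static binding and the gateway sits on an untrusted port, DAI drops its replies and the network breaks, which is the usual first symptom of a misconfigured rollout.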
Network segmentation limits blast radius. ARP only works within a broadcast domain. Smaller VLANs mean fewer potential victims from any single attack position.
Port security restricts which MAC addresses may send frames through each switch port, which keeps unauthorized devices off the network and blocks MAC flooding. It does not inspect ARP contents, so an attacker already on an allowed port can still send forged replies from their own MAC address; pair it with DAI.
Encryption doesn't prevent ARP spoofing but neutralizes much of its value. HTTPS protects content, and an attacker who tries to terminate TLS themselves triggers certificate warnings unless the victim trusts the attacker's CA. A VPN encrypts everything between the host and the VPN endpoint, so the local attacker sees only an encrypted tunnel. Attackers can still see metadata and perform denial of service, but can't read the actual data.
The Limitation That Matters
ARP spoofing requires local network access. The attacker must be on the same broadcast domain as the victims—physically connected to the network, on the same WiFi, or having compromised a machine that is.
This isn't a remote attack. It's an insider threat, or it requires first gaining local access through other means. This limits its use but doesn't eliminate the danger. Public WiFi, compromised IoT devices, malicious insiders: all provide the local access ARP spoofing requires.
Gratuitous ARP Isn't Always Malicious
Not every unsolicited ARP reply is an attack. Legitimate gratuitous ARP occurs when a device boots and announces its presence, when hardware is replaced and the MAC address changes, and when high-availability systems fail over and the backup announces it's now handling traffic for a shared IP.
Defenses must distinguish legitimate announcements from attacks—typically by maintaining trusted device databases or detecting attack patterns rather than blocking all gratuitous ARP.