ARP Spoofing
Table of Contents
Quick Answer
ARP spoofing, also called ARP poisoning, manipulates local IP-to-MAC address mapping so traffic may be redirected through an unintended device. Defenders reduce risk with network segmentation, switch protections, ARP monitoring, and encrypted protocols.
What is ARP Spoofing?
Address Resolution Protocol helps devices on a local network map IP addresses to MAC addresses. ARP was not designed with strong authentication, so forged or unexpected ARP messages can mislead devices about where to send local traffic.
Why ARP Matters on Local Networks
Local networks depend on accurate address mapping. If a gateway or critical host is mapped incorrectly, traffic can be redirected, interrupted, or inspected by a system that should not be in the communication path.
How ARP Spoofing Works Conceptually
Conceptually, an ARP spoofing event involves incorrect address-mapping information entering a device cache. The device then forwards traffic based on that incorrect mapping. Defensive monitoring looks for unexpected mapping changes, duplicate answers, and gateway identity changes.
ARP Spoofing and Man-in-the-Middle Risk
ARP spoofing is commonly associated with man-in-the-middle risk because it can redirect local traffic through another device. Encryption, certificate validation, network controls, and monitoring all reduce the practical impact.
Common Signs
- Multiple IP addresses mapping to one unexpected MAC address.
- Frequent gateway MAC address changes.
- Users reporting certificate warnings or connection instability.
- IDS alerts for suspicious ARP replies.
- Unusual local traffic passing through a workstation.
Detection Ideas
Use managed switch logs, ARP monitoring tools, IDS alerts, endpoint observations, and gateway MAC validation. Detection is strongest when a known-good network baseline exists.
ARP Spoofing Defensive Checklist
- Enable DHCP snooping and dynamic ARP inspection where supported.
- Segment untrusted devices from sensitive systems.
- Monitor ARP table changes on critical hosts.
- Use encrypted protocols and avoid ignoring certificate warnings.
- Protect wireless networks and do not trust public LANs.
- Investigate unexpected gateway or DNS behavior quickly.
Safe Lab Boundaries
Only study ARP behavior in a lab network you own or have permission to assess. Do not attempt traffic redirection on public, workplace, or third-party networks.
FAQs
Sources and further reading
- CISA - Securing End-to-End Communications — MITM and ARP spoofing communication-redirection context
- MITRE ATT&CK - Adversary-in-the-Middle — Defensive context for traffic interception behavior
- NIST SP 800-94 - IDS and IPS Guide — Monitoring and alerting context