ARP Poisoning: Network Manipulation

Howard Poston
Dec 15, 2023
A computer has a few different addresses associated with it. A computer will have IP addresses associated with the network(s) that it is connected to. It also has a hardware or MAC address assigned to each of its network interface cards (NICs). IP addresses are used to get traffic to the right subnet, and then a switch might use a MAC address to send the data to the correct port and the computer attached to it.

The Address Resolution Protocol (ARP) is used to map IP addresses to MAC addresses, but it is vulnerable to attack. ARP implicitly trusts declarations that a particular IP address is connected to a certain MAC address.

In an ARP spoofing or ARP poisoning attack, an attacker uses fake ARP declarations to intercept traffic intended for someone else. This article explores the ARP poisoning threat, including how it works, some of the potential repercussions, and best practices for managing the threat of these attacks.

What is ARP Poisoning?

ARP poisoning attacks involve the manipulation of ARP tables to reroute network traffic. To understand how these attacks work, it’s helpful to understand ARP in general.

IP addresses are used to route traffic across networks. However, once traffic reaches the right subnet, routing moves from layer 3 (IP addresses) to layer 2 (MAC addresses). ARP is used to make this transition.

A switch or similar device will have multiple ports that computers can be connected to. The goal of ARP is to determine which of these ports should be used to send traffic to a particular IP address. Some key steps in this process include:

  1. The switch will check to see if it has an existing ARP entry for the IP address. If so, it will use the MAC address indicated by this entry.
  2. If no entry exists, the switch will send out an ARP request asking which computer owns the IP address. This request is broadcast to all of the computers connected to the switch.
  3. The owner of the IP address will respond to this request, providing their MAC address.
  4. The switch will send out the traffic on the indicated port and store the IP/MAC address mapping for future use.

Switches assume that only the computer that owns an IP address will respond to ARP queries about it or provide unsolicited updates to the ARP table. This creates an opportunity for attackers to poison the ARP table by sending fake replies to ARP requests or providing unsolicited updates mapping the target’s IP address to their own MAC address.

ARP spoofing is commonly used as part of a man-in-the-middle (MitM) or on-path attack. By spoofing ARP entries and redirecting the target’s traffic to their own computer, the attacker can intercept and eavesdrop on or modify the traffic en route to its intended destination.

ARP Poisoning Attack Scenarios

ARP poisoning is one method of performing a man-in-the-middle (MitM) attack. By redirecting traffic to their computer, the attacker can steal sensitive information or cause disruption.

One example of a significant ARP poisoning attack occurred against the Metasploit website in 2008. By performing ARP poisoning against the site’s router, the attacker was able to redirect the site’s visitors to a page showing a message from the hacker.

However, in most cases, ARP poisoning is performed to target systems on a local network. In one application, an attacker may take advantage of the use of unencrypted or insecure network protocols. If these protocols transmit passwords or other sensitive data in an unencrypted form, the attacker can intercept these passwords and use them to gain access to the user’s account.

ARP poisoning can also be used solely to cause disruption on a network. By poisoning the ARP table, the attacker can confuse other systems regarding the location of a computer or the router. If this occurs, traffic to these systems is sent to the attacker’s computer, which can then forward it after a delay or drop it entirely.

What Is the Result of an ARP Poisoning Attack?

ARP poisoning attacks enable an attacker to redirect network traffic intended for a particular computer to their own system. This can have numerous potential impacts, including:

  • Intercepted Data: If the target’s communications are not encrypted, the attacker can read the traffic. This may allow the attacker to steal sensitive data such as login credentials, payment card details, personally identifiable information (PII), or intellectual property.
  • Data Manipulation: Unencrypted network traffic may also lack integrity and authenticity protections. This could permit the attacker to modify the traffic en route to its destination, manipulating the communication between the two parties.
  • Denial of Service (DoS) Attacks: ARP poisoning attacks redirect traffic from a target system to the attacker’s computer. Even if the attacker can’t read the traffic — because it’s encrypted — they can refuse to forward the traffic to its intended destination, performing a DoS attack against the victim.
  • Unauthorized Access: ARP spoofing attacks may allow an attacker to sniff login credentials from users’ traffic. With these credentials, the attacker can gain unauthorized access to corporate systems and applications.
  • Network Disruption: As part of an ARP spoofing attack, the attacker populates the switch’s ARP table with fake entries. In addition to redirecting traffic, this can disrupt network performance as traffic is inappropriately routed to the attacker’s computer.

ARP poisoning attacks are typically a threat to data confidentiality and user privacy as an attacker intercepts and eavesdrops on network communications. However, they can also threaten data integrity or availability if the attacker elects to modify the traffic en route or fails to forward it to the intended recipient.

ARP Poisoning vs. DNS Poisoning

ARP and the Domain Name System (DNS) are both protocols used to perform translations between IP addresses and other identifiers. DNS translates domain names to IP addresses, while ARP translates IP addresses to MAC addresses.

Both of these protocols are vulnerable to poisoning attacks in which the records used to perform the translation can be modified to include false data. A DNS poisoning attack might redirect someone attempting to visit a particular domain (such as kzero.com) to an attacker-controlled IP address. ARP poisoning redirects traffic intended for a particular recipient to someone else connected to the same subnet.

DNS and ARP poisoning can redirect a user’s traffic, but they’re used in different contexts. ARP poisoning requires the attacker to have access to another system on the same subnet as the target and enables the attacker to view and control all of the victim’s network traffic. In contrast, DNS poisoning attacks can target anyone who visits a webpage with a modified DNS entry, allowing the attacker to serve phishing content, malware, or malicious ads.

ARP Poisoning Detection, Prevention, and Mitigation

ARP poisoning attacks can have dramatic impacts on an organization, its employees, and its customers. Implementing certain cybersecurity best practices can help companies detect, prevent, or mitigate ARP spoofing attacks.

Detection Strategies

ARP poisoning attacks abuse ARP to redirect the victim’s traffic to an attacker’s computer. Some methods of detecting these attacks include:

  • ARP Traffic Monitoring: ARP spoofing attacks can be detected by monitoring ARP traffic. For example, if ARP traffic contains multiple replies to a request — one from the legitimate computer and one from the attacker — or unsolicited ARP announcements, these might be signs of an ARP spoofing attack.
  • Traffic Monitoring: More generally, monitoring network traffic can help to detect ARP poisoning attacks. For example, an attacker may redirect traffic to themselves and then forward it to the intended recipient, an abnormal pattern that can be identified via traffic analysis.
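As an illustration of the ARP traffic monitoring described above, the following added example (not code from the original article) parses raw ARP payloads and flags the two signals named in the list: a reply that answers no outstanding request, and an IP address that is suddenly claimed by a different MAC. The names `parse_arp`, `ArpMonitor`, `build_arp` and `run_sample` are hypothetical, the addresses are constructed sample values, and the code assumes the 28-byte ARP payload has already been extracted from each captured Ethernet frame.

```python
import struct
ARP_REQUEST, ARP_REPLY = 1, 2

def parse_arp(payload):
    """Parse a 28-byte Ethernet/IPv4 ARP payload into printable fields."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    sha, spa, _tha, tpa = struct.unpack("!6s4s6s4s", payload[8:28])
    mac = ":".join(f"{x:02x}" for x in sha)
    dotted = lambda b: ".".join(str(x) for x in b)
    return {"op": op, "sha": mac, "spa": dotted(spa), "tpa": dotted(tpa)}

class ArpMonitor:
    def __init__(self):
        self.bindings = {}    # sender IP -> MAC that last claimed it
        self.pending = set()  # (requester IP, requested IP) awaiting a reply

    def observe(self, payload):
        """Return alerts for one payload: unsolicited reply, binding change."""
        p, alerts = parse_arp(payload), []
        if p["op"] == ARP_REQUEST:
            self.pending.add((p["spa"], p["tpa"]))
        elif p["op"] == ARP_REPLY:
            asked = (p["tpa"], p["spa"])
            if asked not in self.pending:
                alerts.append(f"unsolicited reply: {p['spa']} is-at {p['sha']}")
            self.pending.discard(asked)  # the first answer consumes the request
        if p["spa"] != "0.0.0.0":        # ARP probes carry no sender IP
            old = self.bindings.get(p["spa"])
            if old and old != p["sha"]:
                alerts.append(f"binding change: {p['spa']} {old} -> {p['sha']}")
            self.bindings[p["spa"]] = p["sha"]
        return alerts

def build_arp(op, sha, spa, tha, tpa):  # builds payloads for the constructed sample
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    i = lambda s: bytes(int(o) for o in s.split("."))
    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + m(sha) + i(spa) + m(tha) + i(tpa)

def run_sample():
    # Constructed capture: a request, its reply, then a second reply from another MAC.
    rows = [(ARP_REQUEST, "02:00:00:00:00:10", "192.0.2.10", "00:00:00:00:00:00", "192.0.2.1"),
            (ARP_REPLY, "02:00:00:00:00:01", "192.0.2.1", "02:00:00:00:00:10", "192.0.2.10"),
            (ARP_REPLY, "02:00:00:00:00:66", "192.0.2.1", "02:00:00:00:00:10", "192.0.2.10")]
    monitor = ArpMonitor()
    return [monitor.observe(build_arp(*row)) for row in rows]
```

A binding change can also be legitimate, for example after a DHCP lease moves to a new device or a NIC is replaced, so alerts like these are a prompt for investigation rather than proof of an attack.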

Prevention Strategies

Companies can also take steps to prevent ARP spoofing attacks from occurring. Some security best practices that minimize the threat of ARP spoofing to an organization include the following:

  • Static ARP: ARP is only used to generate mappings of IP to MAC addresses if none are available. Static ARP creates permanent mappings for certain IP addresses, preventing an attacker from redirecting traffic to these IP addresses.
  • Packet Filtering: ARP traffic should only be used within a particular subnet. Blocking all ARP messages at the subnet boundary makes it more difficult for an outside attacker to perform an ARP poisoning attack.
  • Physical Security: Generally, ARP poisoning requires physically connecting an attacker’s machine to a target switch or gaining access to an existing one. Physically securing these switches and computers makes it more difficult for an attacker to gain the necessary access.
  • Port Security: Port security limits the MAC addresses that can be used on a particular switch port. This can prevent an attacker from connecting their device to the switch and performing an ARP spoofing attack.

Mitigation Strategies

In addition to detecting and preventing attacks, companies can work to mitigate these attacks if they occur. Some means of managing the impacts of a successful ARP poisoning attack include the following:

  • Traffic Encryption: Using encrypted protocols — such as HTTPS — or a virtual private network (VPN) can mitigate the effects of ARP poisoning attacks. Even if the attacker can redirect a user’s traffic, they can’t read the contents because it is encrypted.
  • Network Segmentation: Network segmentation breaks a network into multiple isolated segments. This limits the potential impacts of an ARP poisoning attack because it reduces what an attacker can access with a compromised computer or account.
  • Patch Management: ARP spoofing attacks may allow an attacker to exploit vulnerabilities in a target system. Performing regular updates and patching helps to prevent these types of attacks.
  • Multi-Factor Authentication (MFA): ARP spoofing attacks may be used to sniff login credentials from unencrypted traffic and use these to access employee accounts. MFA makes these attacks more difficult to perform by requiring the attacker to steal or intercept multiple different types of authentication factors to gain access to a user’s account.

Legal and Ethical Implications

ARP poisoning is a type of cyberattack that primarily targets data confidentiality. The attacker manipulates and abuses the ARP protocol to redirect network traffic to their own computer, enabling them to impact data confidentiality, integrity, and availability.

Legally and ethically, ARP poisoning is a cyberattack and a misuse of computer systems. As a result, someone performing this attack may face legal action under applicable cybersecurity and data privacy regulations such as the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA). Due to the nature of the attack, they may also face legal risk due to trespassing.

Many cyberattacks have relatively low enforcement and conviction rates due to the difficulty of detecting, attributing, and prosecuting cybercrime. However, ARP poisoning attacks commonly involve exploiting physical access to a switch or similar networking device. As a result, an organization has a higher probability of detecting, apprehending, and pressing charges against someone performing ARP poisoning attacks than they would with other cyberattacks, which commonly are performed from far away using the Internet.


ARP poisoning attacks are a type of cyberattack that abuses the ARP protocol to send a user’s network traffic to an attacker by tricking a switch or similar device into thinking that the attacker is the intended recipient of the traffic. These attacks can have numerous potential impacts, including breaches of sensitive data, modification of the network traffic en route, or DoS attacks against the victim of the attack.

Organizations can take various steps to protect themselves against ARP spoofing attacks. For example, static ARP entries make it infeasible for an attacker to abuse ARP to redirect traffic. Alternatively, the use of encrypted protocols or VPNs prevents an attacker from eavesdropping on traffic or modifying it without detection.

Often, ARP poisoning attacks are geared toward stealing login credentials that are transmitted unencrypted by insecure network protocols. If breached, these credentials provide the attacker with access to corporate accounts and systems. Multi-factor authentication (MFA) helps mitigate the effects of these attacks by making it more difficult for an attacker to use a breached password to access a user’s account.

Kelvin Zero’s Multi-Pass eliminates the threat that ARP spoofing poses to an organization’s credentials. Its MFA uses factors that are immune to interception attacks and provide strong authentication of an organization’s employees or customers. Learn more about enhancing your organization’s account security with Multi-Pass today.

Howard Poston

Howard Poston is a copywriter, author, and course developer with experience in cybersecurity and blockchain security, cryptography, and malware analysis. He has an MS in Cyber Operations, a decade of experience in cybersecurity, and over five years of experience as a freelance consultant.