Operations and securityIntermediate32 min read

What Is ARP poisoning? Security Definition

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security

This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.

On This Page

Quick Definition

ARP poisoning is a cyberattack that tricks devices on a network into sending data to the wrong place. The attacker sends false messages that link their device’s physical address to a trusted IP address. This lets them secretly see or steal information meant for someone else. It is a common problem on local networks like Wi-Fi and Ethernet.

Common Commands & Configuration

arpspoof -i eth0 -t 192.168.1.10 192.168.1.1

Sends forged ARP replies to target 192.168.1.10, telling it that the attacker's MAC is the gateway (192.168.1.1). Used for on-path attacks on a local Ethernet segment.

Tests understanding of the attack syntax and MAC spoofing. Exam questions often ask which tool is used for ARP spoofing (arpspoof from dsniff suite).

echo 1 > /proc/sys/net/ipv4/ip_forward

Enables IP forwarding on the attacker machine so intercepted traffic is forwarded to the real gateway, preventing a denial-of-service condition during the attack.

Exams test that disabling this causes a denial-of-service. The command itself is a classic step in ARP poisoning setup.

arp -a

Displays the current ARP cache on Windows/Linux. Admin can spot inconsistencies, like duplicate IP entries with different MAC addresses.

Frequently used in exam scenarios to detect ARP poisoning anomalies. Questions ask what command shows ARP table entries.

ip neigh

Linux equivalent of 'arp -a'. Shows neighbor table with IP-MAC mappings. Useful for verifying ARP entries after clearing or during troubleshooting.

Cisco/CompTIA exams emphasize this for network+ and linux-based tools. Questions compare 'ip neigh' vs 'arp -a'.

arp -d 192.168.1.1

Deletes a single ARP cache entry for 192.168.1.1. Used to force a fresh ARP resolution after a poisoning attack has been stopped.

Exams test that clearing the ARP cache restores communication. Often appears in remediation steps.

sudo arp -s 192.168.1.1 00:11:22:33:44:55

Manually adds a static ARP entry for the gateway. Prevents the entry from being overwritten by spoofed ARP replies.

Security+ and CCNA ask about static ARP as a mitigation. The command specifically uses the -s flag on Linux.

ettercap -T -M arp /192.168.1.1// /192.168.1.10//

Performs ARP poisoning with Ettercap in text mode between the gateway and a target. Intercepts traffic for MITM.

Ettercap is a common exam tool. The -M arp flag is specifically for MITM ARP poisoning.

ARP poisoning appears directly in 8exam-style practice questions in Courseiva's question bank — one of the most-tested concepts on CompTIA Security+. Practise them →

Must Know for Exams

ARP poisoning is a recurring topic across multiple IT certification exams because it represents a fundamental network security threat that bridges Layer 2 and Layer 3 concepts. The depth of coverage varies by exam, but the core mechanisms, attack vectors, and defenses are essential knowledge.

On the CompTIA Network+ (N10-008/009), ARP poisoning appears under the domain of Network Security. Candidates must understand the concepts of man-in-the-middle attacks, ARP spoofing, and the importance of switch security features like port security and DHCP snooping. Exam questions may ask you to identify the type of attack based on a scenario, or to select the best mitigation technique. You might see a question like, “A user reports that they cannot access the internet, but other users on the same switch can. A network administrator notices that the switch’s MAC address table shows multiple MAC addresses on a single port. What is the most likely cause?” The answer could involve ARP poisoning or MAC flooding.

On the CompTIA Security+ (SY0-701), ARP poisoning is covered under attacks and vulnerabilities, specifically within the category of network-based attacks. It is often grouped with on-path attacks (formerly MITM), DNS poisoning, and DHCP spoofing. You need to know not only what the attack does, but also how to prevent it using encryption, secure protocols (like IPsec), and network segmentation. Questions may present a scenario where a user on a public Wi-Fi network has their session hijacked, and you must identify that ARP poisoning was the enabling technique.

On the Cisco CCNA (200-301), ARP poisoning is discussed in the context of switch security and mitigation techniques. The CCNA expects you to know how to configure Dynamic ARP Inspection (DAI) and DHCP snooping on Cisco switches. You may be asked to interpret show commands that reveal suspicious ARP entries or to configure a switch to drop invalid ARP packets. A typical question might be, “An administrator wants to prevent ARP spoofing attacks on a VLAN. Which two features should be implemented?” The answer is DHCP snooping and dynamic ARP inspection.

On the AWS Solutions Architect (SAA-C03), ARP poisoning is not explicitly listed as an objective, but the underlying principle is relevant when designing secure VPCs. Since AWS manages the underlying network infrastructure, ARP attacks are not possible within an AWS VPC. However, the concept helps you understand why you should not assume that on-premises LAN security is the same as cloud security. Questions might test your understanding of security groups, network ACLs, and the shared responsibility model, but ARP poisoning itself is unlikely to appear directly.

On the Azure AZ-104, ARP poisoning is similarly not a direct objective, but understanding how virtual networks are isolated can help you answer questions about Azure networking security. The exam may ask about Azure Firewall, Network Security Groups, and the importance of using encrypted protocols.

On the Google ACE (Cloud Engineer), the focus is on cloud networking and VPC design. Again, ARP poisoning is not a direct exam topic, but the broader concept of network segmentation and encryption is relevant.

In all these exams, the key is to know that ARP poisoning is a Layer 2 attack limited to a single broadcast domain. Defenses include static ARP entries, DAI, DHCP snooping, switch port security, and encryption. You should also be able to recognize scenarios: multiple devices on the same subnet, a user reports intermittent connectivity, a packet capture shows unexpected ARP replies, or a security audit reveals a successful MITM on the LAN. Expect multiple-choice questions, drag-and-drop , and scenario-based items that test your ability to both identify and mitigate ARP poisoning.

Simple Meaning

Imagine you live in a neighborhood where every house has a street address (like an IP address) and a family name (like a MAC address). Normally, when the mail carrier delivers a package, they check a list that tells them which family lives at which address. That list is updated whenever someone new moves in.

Now, imagine a dishonest neighbor sneaks in at night and changes the list. They erase your family name from your address and write their own name instead. From that point on, all your packages, letters, bills, birthday gifts, get delivered to their house. They open your mail, read your letters, and maybe even change the contents before sending them on their way to you (if they send them at all). That is exactly what ARP poisoning does, but on a computer network instead of a street.

ARP, which stands for Address Resolution Protocol, is the system that maps IP addresses (like street addresses) to MAC addresses (like family names). Every device on a local network uses ARP to ask, “Who has this IP address?” The device with that IP responds with its MAC address. This exchange is stored in a small table called the ARP cache so the device remembers where to send data next time.

During an ARP poisoning attack, a bad actor sends fake ARP replies to the devices on the network. The attacker claims that a certain IP address, for example, the IP of the network router or a server, belongs to the attacker’s own MAC address. The victim devices believe these false messages and update their ARP cache with the wrong information. Now, when the victims try to send data to the router or server, the data actually goes to the attacker’s computer first.

Once the data reaches the attacker, they can do several things. They can quietly read the data and forward it to the real destination, a technique called sniffing. They can change the data before sending it on, which is called a man-in-the-middle attack. Or they can simply not forward the data at all, causing the network connection to break, which is a denial-of-service attack.

ARP poisoning is dangerous because ARP itself was designed for trust. There is no built-in security to check whether an ARP reply is genuine. Any device on the same local network can make false claims about IP-to-MAC mappings. This is why securing local networks is so important, especially in places like coffee shops, offices, or school networks where many different people connect to the same Wi-Fi.

You may have heard of attacks where someone steals passwords on public Wi-Fi. ARP poisoning is often the first step in such attacks. The attacker first poisons the ARP cache of the victim and the router, placing themselves in the middle of the communication. Once they are in the middle, they can capture login credentials, session tokens, or any unencrypted information. This is why using encrypted connections like HTTPS or a VPN is critical on any network you do not fully control.

In short, ARP poisoning is a trick that exploits the trusting nature of a basic network protocol. It allows an attacker on the same local network to redirect data meant for someone else. Understanding this concept helps you grasp why network segmentation, encryption, and security tools like dynamic ARP inspection are necessary in both home and business networks.

Full Technical Definition

ARP poisoning, also known as ARP spoofing, is a network attack in which an attacker sends falsified Address Resolution Protocol (ARP) messages onto a Local Area Network (LAN). The goal is to associate the attacker’s MAC address with the IP address of a legitimate network device, such as the default gateway or a server. This causes traffic intended for that legitimate device to be redirected to the attacker, enabling interception, modification, or disruption of network communications.

The Address Resolution Protocol is defined in RFC 826. It operates at the link layer (Layer 2) of the OSI model and is used to map a network-layer address (IPv4 address) to a physical hardware address (MAC address). When a device needs to communicate with another device on the same LAN, it first checks its ARP cache, a table stored in memory that contains recent IP-to-MAC mappings. If no entry exists, the device broadcasts an ARP request packet to the entire network, asking, “Who has IP address X?” The device that owns that IP responds with an ARP reply containing its MAC address. The requesting device then stores this mapping in its ARP cache for future use.

The fundamental vulnerability exploited in ARP poisoning is that ARP is stateless and does not authenticate the validity of ARP replies. A device will accept an ARP reply even if it never sent a corresponding request. This allows an attacker to send unsolicited ARP replies, often called gratuitous ARP, to inject false entries into the ARP caches of other devices on the same broadcast domain.

A typical ARP poisoning attack follows these steps. First, the attacker identifies the IP addresses of the target victim and the default gateway on the local network. Using a tool such as Ettercap, Bettercap, Arpspoof (from the dsniff suite), or Cain & Abel, the attacker begins sending falsified ARP replies. To the victim, the attacker sends an ARP reply that maps the gateway’s IP address to the attacker’s MAC address. To the gateway, the attacker sends an ARP reply that maps the victim’s IP address to the attacker’s MAC address. Both the victim and the gateway update their ARP caches with the false mappings. As a result, the victim sends outgoing traffic to the attacker, thinking it is the gateway, and the gateway sends incoming traffic for the victim to the attacker. The attacker then forwards packets between the two parties, acting as a man-in-the-middle (MITM). This is often called a “two-way” or “bidirectional” ARP poisoning.

Once the attacker is in the middle, they can perform several malicious actions. Packet sniffing allows them to capture and analyze all unencrypted traffic, including usernames, passwords, emails, and HTTP session cookies. Session hijacking is possible if the attacker steals a session token and impersonates the victim. Data modification occurs when the attacker intercepts traffic, alters the payload, and forwards it to the recipient, for example, changing the destination account number in a financial transaction. Denial of service (DoS) can be achieved by simply not forwarding the traffic after poisoning, effectively cutting the victim off from the network.

ARP poisoning is typically limited to a single broadcast domain (a VLAN or a subnet). Attacks cannot cross routers since routers do not forward ARP broadcasts. However, within a VLAN, every device is vulnerable. Network switches do not inherently prevent ARP poisoning; even managed switches forward ARP broadcasts to all ports within a VLAN unless port security or dynamic ARP inspection (DAI) is configured.

Defenses against ARP poisoning include several techniques. Static ARP entries manually hardcode IP-to-MAC mappings in critical devices, but this is not scalable. Dynamic ARP Inspection (DAI) on managed switches examines ARP packets and validates them against a trusted DHCP snooping binding table, dropping invalid ARP replies. DAI is a feature commonly found in Cisco switches and is recommended as a best practice for enterprise networks. Port security can limit the number of MAC addresses allowed on a switch port, making it harder for an attacker to use multiple MACs. Network segmentation using VLANs and separate subnets reduces the attack surface by limiting the number of devices in a broadcast domain. Encryption at higher layers, such as HTTPS, TLS, and SSH, prevents attackers from reading captured data even if ARP poisoning occurs. VPNs also provide a secure tunnel, but they do not prevent the attack on the local network.

In real IT implementations, ARP poisoning is a common first step in penetration testing and red team exercises. It is used to demonstrate the need for network security controls. Professionals are expected to both understand how to execute the attack for testing and how to configure defenses. On exam objectives, ARP poisoning appears in the context of network security threats, MITM attacks, and switch security features. It is especially relevant to the CompTIA Network+ and Security+, Cisco CCNA, AWS Solutions Architect (if discussing VPC design and security groups), and Azure AZ-104 (when covering virtual network security).

The attack is also related to other threats such as DNS spoofing, where false DNS responses are injected, and DHCP spoofing, where a rogue DHCP server assigns attacker-controlled IP configurations. ARP poisoning can be used to facilitate these other attacks by placing the attacker in the path of the victim’s traffic.

Overall, ARP poisoning remains a significant threat on legacy and unsecured networks. Modern operating systems implement some protections, such as ignoring unsolicited ARP replies in certain configurations, but these are not foolproof. Understanding the mechanism, the tools, and the mitigations is essential for any IT professional responsible for network security.

Real-Life Example

Think of a busy post office in a large apartment building. Each apartment has a room number (like an IP address) and a mailbox with a key (like a MAC address). The post office keeps a big directory that lists which mailbox key belongs to which room number. Every day, mail is sorted according to this directory.

Now, imagine someone in the building wants to steal your mail. They sneak into the post office overnight and change the directory. They erase the note that says “Room 101’s mail goes to mailbox 7” and write “Room 101’s mail goes to mailbox 12”, which is their own mailbox. They do the same for Room 102, making incoming mail for that room also go to their mailbox. Now, all your letters, packages, and bills get delivered to the thief’s mailbox instead of yours.

Every morning, the thief opens the mailbox, reads your letters, and decides what to do. They might copy your bank statement and put it back in your mailbox. They might take a check and change the amount. Or they might just throw everything away, and you never receive any mail. The post office never checks whether the directory is correct, because they trust that nobody would tamper with it.

This is exactly how ARP poisoning works on a computer network. The “post office” is the ARP cache in each device on the network. The “directory” is the list of IP addresses matched to MAC addresses. The “mail” is the data packets traveling across the network. The thief is an attacker who sends fake ARP messages to update the directory on your computer and on the router. Once the directory is poisoned, all your network traffic, your emails, web browsing, file transfers, gets sent to the attacker first.

The attacker can then inspect everything. If you are logging into your bank website without HTTPS, they can see your username and password. If you are downloading a document, they can intercept it and modify it. Because the network protocol itself does not verify that the change is allowed, the attack can continue until someone notices something wrong, such as slow internet or connection failures.

This analogy highlights why ARP poisoning is so dangerous on public Wi-Fi networks. At a coffee shop, anyone can connect to the same local network and run a simple tool to start poisoning the ARP cache of every other user. Without encryption or network security, all that mail is essentially delivered to the wrong mailbox.

Why This Term Matters

ARP poisoning matters because it is one of the most common and dangerous attacks that can happen on a local network, and it often serves as the stepping stone for more severe exploits. For IT professionals, understanding ARP poisoning is essential for defending networks, especially in environments where multiple users share the same broadcast domain, such as office LANs, school labs, public Wi-Fi hotspots, and conference venues.

From a practical standpoint, ARP poisoning undermines the basic trust model of the Address Resolution Protocol. Since ARP has no built-in authentication, any device on the same network can claim any IP address. This makes it straightforward for attackers to position themselves between two communicating devices. Once in the middle, they can capture sensitive data like login credentials, financial information, or proprietary business files. In a corporate environment, this could lead to data breaches, regulatory fines, and loss of customer trust.

For network administrators, ARP poisoning forces the implementation of additional security measures. Features like Dynamic ARP Inspection (DAI), DHCP snooping, port security, and VLAN segmentation are not optional bells and whistles; they are necessary controls to prevent a simple attack from compromising the entire network. A single unsecured switch port could allow an attacker to launch ARP poisoning and intercept traffic across the VLAN. This is why industry standards and exam objectives emphasize these defensive technologies.

ARP poisoning highlights the importance of defense in depth. Even if an attacker successfully poisons the ARP cache, encryption at higher layers (such as HTTPS, SSH, or a VPN) can render the captured data unreadable. This means that network security is not just about preventing attacks, but also about mitigating the damage if an attack occurs. IT professionals must advocate for and enforce encryption policies, even on internal networks.

Finally, ARP poisoning remains relevant because it is easy to execute. Free and open-source tools are widely available, and many tutorials exist online. This means that even low-skilled attackers can launch ARP poisoning attacks, making it a common threat. For anyone preparing for IT certification exams like the CompTIA Network+, Security+, or CCNA, knowing how ARP poisoning works and how to stop it is a core competency. It is not a theoretical concept; it is a real-world vulnerability that demands real-world solutions.

How It Appears in Exam Questions

ARP poisoning appears in certification exam questions primarily in three patterns: scenario-based identification, mitigation selection, and configuration/troubleshooting. Understanding these patterns will help you quickly recognize the correct answer.

Scenario-based identification questions present a situation and ask you to identify the attack type. For example, “A security analyst notices that a user’s computer is sending traffic to the attacker’s MAC address instead of the default gateway. All devices are on the same VLAN. Which type of attack is occurring?” The correct answer is ARP poisoning or ARP spoofing. Key clues in the scenario include: devices on the same local network, traffic being redirected, MAC address table inconsistencies, and the attacker being able to capture unencrypted data. Sometimes the question will describe the result, such as “Users report that they can see each other’s network traffic” or “An attacker is able to intercept and modify data between the client and server.”

Another common question pattern is mitigation selection. For instance, “Which of the following would best prevent ARP spoofing attacks on a switched network?” The options might include enabling STP, implementing dynamic ARP inspection, disabling DTP, or using VTP. The correct answer is dynamic ARP inspection (DAI), often in conjunction with DHCP snooping. Some exams may also consider using static ARP entries for critical devices, but DAI is the more scalable enterprise solution. You may also see “Enable port security” as a distractor, but port security alone does not prevent ARP poisoning; it only limits the number of MAC addresses per port.

Configuration and troubleshooting questions are common in the CCNA. You might be shown output from a show ip arp or show mac address-table command. For example, “The output shows that the MAC address 00:11:22:33:44:55 is associated with two different IP addresses on the same switch port. What is the most likely cause?” The answer could be ARP poisoning if the ARP cache has been corrupted. Alternatively, you could be asked to configure a switch to drop ARP packets that do not match a DHCP snooping binding. You would need to know that the commands are ip dhcp snooping and ip arp inspection vlan [vlan-id] on Cisco switches.

Some questions combine multiple concepts. For example, “An attacker uses ARP spoofing to intercept traffic between a client and a server. The attacker then modifies the data before forwarding it. Which two additional attacks does this enable?” The answers could be session hijacking and data tampering. The question is testing whether you understand the consequences beyond the initial poisoning.

In Security+, you may see a question like, “A company’s security policy requires that all network traffic between endpoints be encrypted even though the network is segmented. An attacker is able to perform an ARP spoofing attack on the network. Which security principle does encryption address?” The answer is defense in depth, or more specifically, mitigating the impact of an attack even if the perimeter is breached.

Finally, some questions ask about the scope of the attack. “An ARP poisoning attack occurs on a network with multiple VLANs. Which of the following is true?” The correct answer is that the attack is limited to a single broadcast domain (the VLAN where the attacker resides). The attacker cannot poison ARP caches across VLANs unless there is a router or a switch configured with inter-VLAN routing that also trusts the attacker’s ARP replies.

To succeed with these questions, focus on the key characteristics: it is LAN-based, it exploits the lack of ARP authentication, it requires the attacker to be on the same subnet, and it can be mitigated by DAI, DHCP snooping, port security, or encryption. Memorize the tools used for ARP poisoning (like arpspoof, Ettercap) and the defensive features (DAI, DHCP snooping). With this knowledge, you will navigate exam questions confidently.

Practise ARP poisoning Questions

Test your understanding with exam-style practice questions.

Practise

Example Scenario

You are a junior network administrator at a small company called GreenLeaf Industries. The company has 50 employees working in one office. All computers connect to a single switch, which connects to the internet through a router (the default gateway). The router’s IP address is 192.168.1.1. One morning, employees start complaining that the internet is very slow, and some websites fail to load. A few users report seeing strange pop-ups asking for their email passwords.

You decide to investigate. You log in to a workstation and open the command prompt. You type “arp -a” to view the ARP cache. You notice something unusual: the gateway IP address 192.168.1.1 is mapped to a MAC address that does not match the router’s actual MAC address (which you have on record as AB:CD:EF:12:34:56). Instead, the ARP cache shows the gateway IP mapped to MAC address 00:1A:2B:3C:4D:5E. This is a clear sign that ARP poisoning is happening on the network.

You then check the switch’s MAC address table using a management tool. You see that the MAC address 00:1A:2B:3C:4D:5E appears on port 8, which is connected to a conference room where a guest speaker was using a laptop yesterday. The guest is no longer there, but the port is still active. You unplug the cable from port 8, and immediately employees report that the internet is working normally again.

You later inspect the conference room and find a small device plugged into the network port, a Raspberry Pi running a script to perform ARP poisoning. This device was sending fake ARP replies to every computer on the network, claiming that its MAC address was the gateway. All traffic intended for the internet was first sent to the Raspberry Pi, which then forwarded it to the real router after recording sensitive information like login credentials from unencrypted websites.

This scenario demonstrates how ARP poisoning is executed and detected. The key clue was the mismatch between the router’s MAC address and the ARP cache entry. The attack was possible because the guest port was not configured with port security or dynamic ARP inspection. As a network administrator, your response should include implementing DAI, enabling DHCP snooping, and securing unused switch ports to prevent future attacks.

Common Mistakes

Thinking ARP poisoning can be prevented by simply using a firewall on each computer.

ARP poisoning operates at Layer 2, below the IP filtering capabilities of most host-based firewalls. A firewall does not check ARP cache integrity or the validity of ARP replies.

Use switch-level defenses like Dynamic ARP Inspection (DAI) and DHCP snooping, and always encrypt traffic with HTTPS, SSH, or a VPN.

Believing that ARP poisoning only works on wired networks, not Wi-Fi.

ARP poisoning works on any network that uses ARP, including Wi-Fi networks. Wireless access points forward ARP broadcasts within the same SSID, making wireless clients just as vulnerable.

Treat all local networks, wired and wireless, as untrusted. Use encryption and network segmentation regardless of the physical medium.

Assuming that a switch automatically stops ARP poisoning because it is smarter than a hub.

A switch forwards ARP broadcasts to all ports in a VLAN, just like a hub. An attacker can still send a unicast ARP reply directly to a victim, and the switch will forward it. The switch alone does not validate ARP messages.

Configure Dynamic ARP Inspection on managed switches to intercept and validate ARP packets.

Thinking that ARP poisoning only affects the victim, not the attacker’s own device.

In a typical two-way poisoning, the attacker also poisons their own ARP cache to ensure proper forwarding. The attacker’s network performance may degrade, but they are not immune. Tools manage this automatically.

Do not assume the attacker’s device is safe. The focus should be on preventing the attack at the switch level.

Confusing ARP poisoning with MAC flooding or MAC spoofing.

MAC flooding overwhelms a switch’s MAC address table, turning it into a hub. MAC spoofing is changing one’s own MAC address. ARP poisoning specifically targets the ARP cache with falsified IP-to-MAC mappings.

Remember: ARP poisoning = fake ARP replies. MAC flooding = filling the switch table. MAC spoofing = impersonating a MAC address.

Believing that using a VPN makes you immune to ARP poisoning.

A VPN encrypts traffic between your device and the VPN server, which prevents the attacker from reading your data. However, the ARP poisoning itself still happens; the attacker can still intercept your traffic, but they cannot decrypt it. They could also drop the traffic, causing denial of service.

Use VPNs for encryption, but also implement DAI and port security to stop the attack at the network layer.

Thinking ARP poisoning is only possible with special tools or advanced knowledge.

Simple tools like arpspoof, Cain & Abel, and Ettercap have graphical interfaces and one-click operations. Even beginners can launch an ARP poisoning attack with minimal setup.

Do not underestimate this threat. Implement proper network security controls even if you think no one on your network has technical skills.

Exam Trap — Don't Get Fooled

{"trap":"An exam question describes a scenario where an attacker uses ARP poisoning to intercept traffic, and asks for the best mitigation. The options include: A) Enable STP, B) Disable CDP, C) Implement dynamic ARP inspection, D) Use a VPN. The trap is that many learners will choose D (Use a VPN) because they know VPNs encrypt traffic, but the question asks for the best mitigation to prevent the attack itself."

,"why_learners_choose_it":"Learners often think about data protection and immediately pick VPN because it is a common security tool. They do not carefully read that the question asks for mitigation of the attack, not the impact.","how_to_avoid_it":"Read the question closely.

If it asks for preventing ARP poisoning, the answer is a Layer 2 control like Dynamic ARP Inspection. If it asks for protecting the data if an attack occurs, then a VPN is appropriate. Always identify what the question is asking: prevent the attack or minimize the damage."

Commonly Confused With

ARP poisoningvsDNS poisoning

DNS poisoning (or DNS spoofing) involves corrupting the DNS resolver cache with false IP address mappings for domain names. It affects name resolution across the internet. ARP poisoning affects MAC address mappings on a local network. Both are man-in-the-middle techniques, but they operate at different layers (Application vs Link).

DNS poisoning makes you go to a fake banking website when you type the bank’s real URL. ARP poisoning makes your computer send traffic to a fake router on the same Wi-Fi network.

ARP poisoningvsMAC flooding

MAC flooding is an attack where an attacker sends many frames with different MAC addresses to overflow a switch’s MAC address table, causing it to act like a hub and broadcast traffic to all ports. ARP poising targets the ARP cache of devices, not the switch table, and uses fake ARP replies rather than flooding.

MAC flooding is like throwing so many letters at the post office that they give up and start showing everyone all the mail. ARP poisoning is like changing a single address label on a specific envelope.

ARP poisoningvsMAC spoofing

MAC spoofing is when a device manually changes its own MAC address to impersonate another device. ARP poisoning does not require changing the attacker’s MAC address; instead, the attacker sends false ARP mappings that link their existing MAC to a different IP address.

MAC spoofing is like putting on a fake name badge to look like someone else. ARP poisoning is like telling everyone that your office number is the CEO’s office number, while you still wear your real badge.

ARP poisoningvsDHCP spoofing

DHCP spoofing involves a rogue DHCP server replying to clients with false IP configuration (like a fake gateway). ARP poising occurs after IP addresses have been assigned and targets the ARP cache. DHCP spoofing can lead to ARP poisoning if the fake gateway IP is used.

DHCP spoofing is like a fake help desk that gives you the wrong office number when you ask for directions. ARP poisoning is like changing the office directory after everyone has already gotten their office number.

ARP poisoningvsIP spoofing

IP spoofing is when an attacker sends packets with a forged source IP address to hide their identity or impersonate a trusted host. This works across networks. ARP poisoning is local and manipulates MAC mappings to intercept traffic, not necessarily to hide the source IP.

IP spoofing is like sending a letter with a fake return address so the reply goes to the wrong person. ARP poisoning is like bribing the mail carrier to hand over all letters for a certain address to you instead.

Step-by-Step Breakdown

1

The attacker connects to the local network

The attacker must be on the same broadcast domain (same VLAN or same unsegmented network) as the victim. This could be via wired Ethernet, Wi-Fi, or even a compromised device on the network. The attacker obtains an IP address, typically via DHCP, and identifies the network's structure.

2

The attacker identifies the victim and gateway IP addresses

Using scanning tools like Nmap or netstat, the attacker discovers active IP addresses on the network. The primary targets are the victim’s IP address and the default gateway’s IP address. The goal is to intercept traffic between these two endpoints.

3

The attacker sends a falsified ARP reply to the victim

The attacker crafts a spoofed ARP reply packet. In this packet, the sender IP is set to the gateway’s IP address, but the sender MAC is the attacker’s own MAC address. The victim receives this unsolicited reply and updates its ARP cache accordingly, now thinking the gateway is at the attacker’s MAC.

4

The attacker sends a falsified ARP reply to the gateway

Similarly, the attacker sends a spoofed ARP reply to the gateway, claiming that the victim’s IP address is now associated with the attacker’s MAC address. The gateway updates its ARP cache, believing that the victim is at the attacker’s MAC.

5

The victim and gateway redirect their traffic to the attacker

Now, when the victim tries to send data to the gateway (e.g., an internet request), the data is encapsulated in an Ethernet frame destined for the attacker’s MAC. Likewise, traffic from the gateway heading to the victim is also sent to the attacker. The attacker has inserted themselves into the communication flow.

6

The attacker can now intercept, inspect, or modify the traffic

The attacker uses packet capture tools (like Wireshark or tcpdump) to read the unencrypted payload. If the traffic is not encrypted, the attacker can extract credentials, session cookies, or other sensitive data. The attacker may also alter packets before forwarding them, performing a man-in-the-middle attack.

7

The attacker enables IP forwarding to maintain connectivity

To avoid detection, the attacker enables IP forwarding on their system (e.g., using sysctl net.ipv4.ip_forward=1 on Linux). This ensures that packets received for the victim or gateway are forwarded to the correct destination. Without forwarding, the attack would cause a denial of service, which might be more easily noticed.

8

The attack persists until the ARP caches are cleared or the attacker stops

ARP cache entries are dynamic and usually time out after a few minutes. However, the attacker can continue sending periodic spoofed ARP replies to keep the cache poisoned. The attack will only stop when the victim or gateway clears the ARP cache (e.g., by rebooting), or when the attacker disconnects or is blocked by a security mechanism.

Troubleshooting Clues

Duplicate IP address warning

Symptom: Windows popup or syslog entry stating 'Another device has used your IP address' for multiple hosts.

Attacker sends forged ARP replies mapping the same IP (e.g., gateway) to multiple MAC addresses, causing the OS to detect a conflict.

Exam clue: Exams present this as an indicator of ARP poisoning. Questions ask: 'What does a duplicate IP warning on multiple hosts suggest?'

Intermittent connectivity loss

Symptom: Users on the same switch lose connectivity to the internet or internal servers, but ping to gateway works sporadically.

ARP cache entries are being rapidly overwritten by attacker's replies, causing packets to be misdirected when the cache changes mid-session.

Exam clue: Network+ questions tie intermittent connectivity to ARP cache instability, often with a scenario involving a new 'network appliance'.

Unexpected MAC in ARP table

Symptom: Running 'arp -a' shows gateway IP mapped to a MAC address that is not the real gateway's manufacturer (OUI lookup fails).

Attacker's NIC has a different OUI. The ARP table reveals the poisoning because the MAC address doesn't match the expected hardware vendor.

Exam clue: Security+ exam uses OUI lookup questions to identify rogue devices. This is a direct clue for ARP poisoning.

Traffic not reaching external hosts

Symptom: After a poisoning attack, internal hosts can ping each other but cannot reach any external IPs even though gateway is reachable.

IP forwarding was not enabled on the attacker machine, so intercepted packets destined for external networks are dropped.

Exam clue: Exams test that missing ip_forward causes traffic disruption. Questions ask: 'Why does ARP poisoning cause a denial of service?'

High ARP traffic on local segment

Symptom: Wireshark shows thousands of unsolicited ARP replies per second from a single MAC address.

Attacker is flooding the network with fake ARP replies to ensure their MAC stays in victim caches even with default cache timeout.

Exam clue: CCNA and Net+ ask about abnormal ARP broadcast rates as a symptom. The exam scenario often describes 'ARP broadcast storm from one MAC'.

Failed SSL/TLS connections after MITM

Symptom: Users see certificate warnings or 'SSL_ERROR_BAD_CERT_DOMAIN' even on legitimate HTTPS sites.

Attacker is attempting SSL stripping or using a forged certificate, causing the browser to detect the mismatch between the real server certificate and the one presented by the attacker.

Exam clue: Security+ exams link ARP poisoning to SSL stripping. Look for questions about MITM and certificate warnings.

Switch port security violation logs

Symptom: Switch logs 'mac-address-table move' or 'port security violation' showing the same MAC moving rapidly between ports.

Attacker's MAC appears in multiple switch ports due to spoofed frames, triggering port security if configured to limit MACs per port.

Exam clue: CCNA and Network+ test that port security can detect ARP poisoning. Questions ask about 'MAC flooding' vs 'ARP spoofing' detection.

ARP cache entries not aging out

Symptom: Static ARP entries or entries that stay indefinitely without timeout, even after network changes.

Administrator manually added static entries (via 'arp -s') to prevent poisoning, but these entries do not refresh if the real gateway changes MAC.

Exam clue: CompTIA exams ask about the trade-off: static ARP prevents poisoning but causes connectivity issues if hardware changes.

Learn This Topic Fully

This glossary page explains what ARP poisoning means. For a complete lesson with labs and practice, see the topic guide.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Legacy Exam Context

Older materials may mention these exam versions, but learners should use the current objectives for their target exam.

N10-008N10-009(current version)

Related Glossary Terms

Quick Knowledge Check

1.An engineer notices that a Windows workstation on the same VLAN is getting 'IP address conflict' popups. The workstation can access internal servers but not the internet. Which attack is most likely occurring?

2.After detecting ARP poisoning on a segment, a technician runs the command 'arp -d 10.0.0.1' on the affected host. What is the immediate effect?

3.Which of the following is the BEST mitigation against ARP poisoning on a switched network?

4.An attacker performing ARP poisoning fails to forward intercepted traffic to the real gateway. What is the most likely result?

5.A security analyst runs 'arp -a' and sees the gateway IP (192.168.1.1) mapped to MAC address 00:1A:2B:3C:4D:5E. The known gateway MAC is 00:50:56:AA:BB:CC. What should the analyst suspect?