This chapter covers ARP spoofing and poisoning, a fundamental network attack that exploits the Address Resolution Protocol to intercept, modify, or disrupt traffic on a local network segment. For the N10-009 exam, this topic falls under Objective 4.1 (Given a scenario, apply common security concepts to network operations) and appears in approximately 5-8% of questions. Understanding the mechanism, detection, and mitigation of ARP spoofing is critical for network security, as it underpins more complex attacks like man-in-the-middle and session hijacking.
Imagine a large office building where mail is delivered based on room numbers. Each room has a designated mailbox (MAC address) and the building directory (ARP table) maps room numbers (IP addresses) to mailbox numbers. Now suppose a malicious employee, Eve, wants to intercept mail intended for the CEO in Room 101. Eve secretly changes the directory entry for Room 101 to point to her own mailbox, Room 202. When new mail arrives, the mailroom clerk sees the entry and delivers the CEO's mail to Eve. Eve reads the mail, may alter it, then forwards it to the CEO's actual mailbox to avoid detection. This is ARP spoofing: Eve poisons the ARP cache (directory) so that the switch (mailroom clerk) sends frames to the wrong MAC address. The clerk is oblivious because he only checks the directory, not the actual identity of the recipient. To scale, Eve can poison multiple entries, redirecting all traffic in the building. Defenses include static directory entries (static ARP) and verifying the directory against a trusted master list (DAI).
What is ARP and Why Does Spoofing Exist?
ARP (Address Resolution Protocol, RFC 826) is a layer 2/3 protocol used to map an IPv4 address to a MAC address on a local network segment. When a device wants to send a frame to another device on the same LAN, it needs the destination MAC address. It broadcasts an ARP request: "Who has IP 192.168.1.1? Tell 192.168.1.2." The target device responds with its MAC address. The requesting device caches this mapping in its ARP table for future use, typically for 60-300 seconds (default varies by OS: Windows 120s, Linux 60s).
ARP spoofing (also called ARP poisoning) is an attack where a malicious device sends forged ARP messages over a local network. The attacker sends fake ARP replies (or gratuitous ARPs) to associate their MAC address with the IP address of a legitimate device, such as the default gateway. Once the victim's ARP cache is poisoned, all traffic destined for that IP goes to the attacker instead. The attacker can then sniff, modify, or drop packets before forwarding them to the real destination (man-in-the-middle).
How ARP Spoofing Works: Step-by-Step Mechanism
1. Attacker gains access to the local network (e.g., via a compromised device or rogue access point).
2. Attacker sends forged ARP packets to the victim and/or the gateway. The attacker sends an unsolicited ARP reply claiming that the gateway's IP maps to the attacker's MAC address. The victim updates its ARP cache accordingly.
3. Victim sends traffic intended for the gateway to the attacker's MAC address.
4. Attacker receives the traffic, may log or modify it, then forwards it to the real gateway (often after sending another ARP spoof to the gateway to ensure return traffic also goes through the attacker).
5. Bidirectional poisoning (full MITM): The attacker also poisons the gateway's ARP cache to map the victim's IP to the attacker's MAC, so return traffic flows through the attacker.
Key Components and Defaults
ARP Cache Timeout: Default values vary by OS. Windows: 120 seconds (2 minutes) for a dynamic entry. Linux: 60 seconds (default), configurable via /proc/sys/net/ipv4/neigh/default/gc_stale_time. Cisco IOS: 60-120 seconds (default 60 for dynamic entries).
Gratuitous ARP (GARP): An ARP reply sent without a corresponding request, typically used to update other hosts' ARP caches when a device's MAC changes. Attackers exploit GARP to inject false entries.
ARP Probe: Used by devices to check for IP conflicts before using an address (RFC 5227). Not directly used in typical spoofing but can detect conflicts.
Static ARP Entries: Manually configured IP-to-MAC mappings that never expire. Often used for critical devices (gateways, servers) as a mitigation against spoofing.
Configuration and Verification Commands
Linux:
- View ARP table: arp -n or ip neigh show
- Add static entry: arp -s 192.168.1.1 00:11:22:33:44:55
- Delete entry: arp -d 192.168.1.1
Windows:
- View ARP table: arp -a
- Add static entry: arp -s 192.168.1.1 00-11-22-33-44-55
- Delete entry: arp -d 192.168.1.1
Cisco IOS:
- View ARP table: show ip arp
- Add static entry: arp 192.168.1.1 0011.2233.4455 ARPA
- Clear dynamic entries: clear arp-cache
Cisco Switch (DAI configuration):
- Enable DHCP snooping (required for DAI):
ip dhcp snooping
ip dhcp snooping vlan 10
interface GigabitEthernet0/1
ip dhcp snooping trust
- Enable DAI:
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
Interaction with Related Technologies
DHCP Snooping: Often used alongside DAI. DHCP snooping builds a trusted binding database (IP, MAC, VLAN, port) by monitoring DHCP messages. DAI uses this database to validate ARP packets.
Dynamic ARP Inspection (DAI): A Cisco switch feature that intercepts ARP packets and verifies that they have valid IP-to-MAC bindings from the DHCP snooping database. Invalid ARP packets are dropped.
Port Security: Can limit the number of MAC addresses allowed on a switch port, but does not prevent ARP spoofing if the attacker uses a valid MAC.
802.1X: Provides port-based authentication, preventing unauthorized devices from connecting, but does not protect against an already authenticated device launching an ARP attack.
VLAN Segmentation: ARP spoofing is limited to the same VLAN. Segmenting networks with VLANs reduces the attack surface.
Detection of ARP Spoofing
ARP cache inspection: Look for duplicate IP entries with different MACs, or MAC addresses that don't match the expected vendor OUI.
Network monitoring tools: Wireshark can detect ARP storms or unsolicited ARP replies. Filters like arp.duplicate-address-detected or arp.opcode == 2 (reply) can help.
IDPS: Intrusion detection/prevention systems can flag abnormal ARP traffic.
Tools: arpwatch (Linux) monitors ARP table changes and alerts on anomalies. XArp (Windows) provides similar functionality.
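The following is an added example, not code from the original chapter or from any of the tools it names. It decodes raw Ethernet/ARP frames in the RFC 826 layout described earlier and then applies the three checks this section describes: a reply nobody asked for (unsolicited/gratuitous ARP), an IP whose MAC binding changes (what arpwatch reports), and a mismatch between the Ethernet source and the ARP sender MAC (the check DAI's `validate src-mac` performs). All frames, IPs and MACs are constructed in the `demo()` function and never leave the process.

```python
import struct
from collections import defaultdict
ETH = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")  # RFC 826 ARP body, IPv4 over Ethernet
ARP_ETHERTYPE, REQUEST, REPLY = 0x0806, 1, 2

def mac_bytes(s): return bytes(int(x, 16) for x in s.split(":"))
def ip_bytes(s): return bytes(int(x) for x in s.split("."))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)

def build_arp(op, sha, spa, tha, tpa, eth_src=None):
    """Constructed Ethernet+ARP frame used only as test input; nothing is sent."""
    eth_dst = "ff:ff:ff:ff:ff:ff" if op == REQUEST else tha
    eth = ETH.pack(mac_bytes(eth_dst), mac_bytes(eth_src or sha), ARP_ETHERTYPE)
    body = ARP.pack(1, 0x0800, 6, 4, op, mac_bytes(sha), ip_bytes(spa),
                    mac_bytes(tha), ip_bytes(tpa))
    return eth + body

def parse_arp(frame):
    """Decode a frame; return ARP fields, or None if it is not IPv4 ARP."""
    if len(frame) < ETH.size + ARP.size:
        return None
    _, eth_src, etype = ETH.unpack_from(frame)
    fields = ARP.unpack_from(frame, ETH.size)
    if etype != ARP_ETHERTYPE or fields[:4] != (1, 0x0800, 6, 4):
        return None
    op, sha, spa, tha, tpa = fields[4:]
    return {"op": op, "sha": mac_str(sha), "spa": ip_str(spa), "tha": mac_str(tha),
            "tpa": ip_str(tpa), "eth_src": mac_str(eth_src)}

class ArpMonitor:
    """Tracks IP->MAC bindings the way arpwatch does and flags poisoning symptoms."""
    def __init__(self):
        # bindings: ip -> MAC seen in replies; asked: ip -> hosts awaiting a reply
        self.bindings, self.asked, self.alerts = {}, defaultdict(set), []

    def observe(self, frame):
        arp = parse_arp(frame)
        if arp is None or arp["op"] not in (REQUEST, REPLY):
            return
        if arp["op"] == REQUEST:
            self.asked[arp["tpa"]].add(arp["spa"])
            return
        ip, mac = arp["spa"], arp["sha"]
        # DAI's src-mac validation: Ethernet source must equal the ARP sender MAC
        if arp["eth_src"] != mac:
            self.alerts.append(("src-mac-mismatch", ip, arp["eth_src"], mac))
        if arp["tpa"] not in self.asked[ip]:   # nobody asked: unsolicited/gratuitous
            self.alerts.append(("unsolicited-reply", ip, mac))
        self.asked[ip].discard(arp["tpa"])
        # Same IP now answered by a different MAC: the classic poisoning signature
        old = self.bindings.get(ip)
        if old is not None and old != mac:
            self.alerts.append(("changed-binding", ip, old, mac))
        self.bindings[ip] = mac

def demo():
    gw, victim = "192.168.1.1", "192.168.1.100"
    gw_mac, v_mac, a_mac = "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:64", "cc:cc:cc:00:00:c8"
    mon = ArpMonitor()   # constructed traffic: a normal exchange, then a forged reply
    mon.observe(build_arp(REQUEST, v_mac, victim, "00:00:00:00:00:00", gw))
    mon.observe(build_arp(REPLY, gw_mac, gw, v_mac, victim))   # legitimate answer
    mon.observe(build_arp(REPLY, a_mac, gw, v_mac, victim))    # gateway IP -> other MAC
    return mon
```

On a real host the same `observe()` loop would be fed frames from a raw socket or a pcap file; a legitimate MAC change (hardware replacement, VRRP failover) also produces a `changed-binding` alert, which is why arpwatch-style tools report rather than block.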
Attacker Gains Local Access
The attacker must be connected to the same broadcast domain as the victim. This could be via a compromised workstation, a rogue access point, or a malicious insider. The attacker typically uses a tool like Ettercap, Cain & Abel, or arpspoof (part of dsniff suite). At this stage, the attacker identifies the target's IP (e.g., 192.168.1.100) and the gateway's IP (192.168.1.1) using passive sniffing or network scanning.
Send Forged ARP Reply to Victim
The attacker sends an unsolicited ARP reply (opcode 2) to the victim, mapping the gateway's IP to the attacker's MAC address. The victim's OS will update its ARP cache with this entry, overwriting any previous mapping. The victim now believes that to reach the gateway, it should send frames to the attacker's MAC. The attacker may also send gratuitous ARP packets to ensure rapid poisoning.
Send Forged ARP Reply to Gateway
For bidirectional interception, the attacker also sends an ARP reply to the gateway, mapping the victim's IP to the attacker's MAC. Now the gateway's ARP cache is poisoned as well. Any traffic from the gateway destined for the victim will be sent to the attacker. This completes the man-in-the-middle setup.
Attacker Intercepts and Forwards Traffic
The attacker receives all frames intended for the gateway from the victim and vice versa. The attacker's OS must be configured to forward IP packets (IP forwarding enabled) so that traffic is not dropped. On Linux, this is done with `sysctl net.ipv4.ip_forward=1`. The attacker can now sniff, log, modify, or drop packets. Common tools for packet manipulation include ettercap, bettercap, and mitmproxy.
Maintain Poisoning and Evade Detection
ARP cache entries are temporary. The attacker must continuously send forged ARP replies to keep the poisoned entries fresh. If the attacker stops, the victim's ARP cache will time out and re-ARP for the gateway, learning the correct MAC. To evade detection, the attacker may send replies at intervals shorter than the cache timeout (e.g., every 30 seconds on a Linux victim with 60-second timeout). Advanced attackers may also spoof the source MAC to match the legitimate gateway to avoid raising suspicion.
Enterprise Scenario 1: Insider Threat in a Corporate LAN
A large enterprise with 5,000 employees uses a flat VLAN for its internal network (VLAN 100). An employee in the finance department connects a personal laptop to the network and runs ARP spoofing tools. The goal is to intercept traffic to the company's ERP server (IP 10.10.10.50) and steal login credentials. The attacker poisons the ARP cache of the ERP server and the default gateway (10.10.10.1). Within minutes, all traffic to and from the ERP server passes through the attacker's laptop. The attacker captures plaintext credentials and sensitive financial data. The attack goes undetected for weeks because no monitoring is in place. Mitigation: Deploy Dynamic ARP Inspection (DAI) on access switches. DAI validates ARP packets against a DHCP snooping database, dropping invalid packets. Additionally, segment the network into multiple VLANs (e.g., finance, HR, IT) to limit the broadcast domain. Configure port security to limit MAC addresses per port and use 802.1X for device authentication.
Enterprise Scenario 2: Rogue DHCP Server and ARP Spoofing Combined
In a university dormitory, a student sets up a rogue DHCP server that assigns itself as the default gateway. The rogue DHCP server also performs ARP spoofing to ensure traffic flows through it. The attacker can then inject malicious content into web pages (e.g., cryptocurrency miners) or steal login credentials for online services. The campus network uses a mix of wired and wireless access. The rogue device is connected to a dormitory switch port. Because the network lacks DHCP snooping, the rogue DHCP server successfully assigns IP addresses to dozens of students. ARP spoofing reinforces the attack. Mitigation: Enable DHCP snooping on all switches to filter untrusted DHCP servers. Configure trusted ports (uplinks to legitimate DHCP servers) and untrusted ports (access ports). Also enable DAI to prevent ARP spoofing. Use network access control (NAC) to scan devices for compliance before granting access.
Scenario 3: Public Wi-Fi Hotspot Attack
A coffee shop offers free Wi-Fi using a single access point and no client isolation. An attacker sits in the shop and uses ARP spoofing to intercept traffic of other patrons. The attacker targets the default gateway (the router's IP) and poisons all clients' ARP caches. The attacker then captures unencrypted HTTP traffic, including login credentials for social media and email. The attacker can also perform SSL stripping if the victim's browser uses HTTPS. Performance consideration: The attacker's device must handle all traffic for multiple victims, which can cause latency or dropped packets if the attacker's hardware is underpowered. Mitigation: Enable client isolation (AP isolation) on the Wi-Fi access point, which prevents direct communication between wireless clients. Use HTTPS everywhere and VPNs for sensitive traffic. Network administrators should also implement DAI if the network uses managed switches.
N10-009 Exam Focus on ARP Spoofing and Poisoning
This topic is tested under Objective 4.1: "Given a scenario, apply common security concepts to network operations." Specific sub-objectives include:
- 4.1.1: Implement network segmentation and isolation (VLANs, subnetting) to limit ARP spoofing scope.
- 4.1.2: Apply security features such as Dynamic ARP Inspection (DAI), DHCP snooping, and port security.
- 4.1.3: Recognize common attacks including ARP poisoning, man-in-the-middle, and session hijacking.
Common Wrong Answers and Why Candidates Choose Them
1. Wrong answer: "ARP spoofing can be prevented by using a firewall." Why chosen: Firewalls block IP traffic, but ARP operates at layer 2, below the firewall's scope. Firewalls typically don't inspect ARP frames. The correct mitigation is DAI or static ARP entries.
2. Wrong answer: "ARP spoofing is mitigated by using encryption like TLS." Why chosen: Encryption protects data content, but ARP spoofing still allows an attacker to intercept and drop packets, causing a denial of service. Also, the attacker can perform SSL stripping. Encryption is not a direct defense against ARP spoofing; it protects data only if the attacker cannot bypass it.
3. Wrong answer: "The attacker must be on the same IP subnet." Why chosen: This statement is actually correct, but some candidates reject it because they think ARP works across routers. ARP is a broadcast protocol limited to the local network segment, so the attacker must be in the same broadcast domain (VLAN/subnet). The exam tests this fact.
4. Wrong answer: "Static ARP entries are not effective because they expire." Why chosen: Static entries do NOT expire; they remain until manually removed. Dynamic entries expire. Candidates confuse the two. Static ARP is a valid mitigation for critical devices.
Specific Numbers, Values, and Terms on the Exam
Default ARP cache timeout: Windows 120 seconds, Linux 60 seconds, Cisco 60 seconds (dynamic).
DAI uses DHCP snooping database; DHCP snooping trust states: trusted (uplink) vs. untrusted (access).
DAI validates: source MAC, destination MAC, IP addresses.
Gratuitous ARP (GARP): used in spoofing; also used in failover clustering and VRRP.
Tools: arpspoof, Ettercap, Cain & Abel (legacy).
Edge Cases and Exceptions
ARP spoofing on wireless networks: Even with client isolation, ARP spoofing can still occur if the attacker uses a wired connection or if isolation is not properly configured.
IPv6: ARP is replaced by Neighbor Discovery Protocol (NDP). NDP spoofing is analogous but uses ICMPv6 messages (Neighbor Solicitation/Advertisement). The exam may ask about NDP spoofing as a variant.
Proxy ARP: A router responds to ARP requests on behalf of another device. This can be exploited if the router is compromised.
ARP spoofing across VLANs: Not possible directly because ARP broadcasts don't cross VLANs. However, an attacker on a trunk port could potentially poison multiple VLANs if not properly secured.
How to Eliminate Wrong Answers
If the question asks for a layer 2 attack, eliminate options that refer to layer 3 or above (e.g., DNS poisoning, IP spoofing).
If the question asks for a mitigation, look for terms like "Dynamic ARP Inspection," "DHCP snooping," or "static ARP." Avoid generic answers like "firewall" or "antivirus."
Remember that ARP spoofing requires the attacker to be on the same network segment; answers suggesting remote exploitation are incorrect.
For detection, look for tools that monitor ARP tables (arpwatch) or analyze ARP traffic (Wireshark).
ARP spoofing is a layer 2 attack that exploits the lack of authentication in ARP to associate an IP address with a different MAC address.
The attacker must be on the same broadcast domain (VLAN/subnet) as the victim.
Default ARP cache timeout: Windows 120 seconds, Linux 60 seconds, Cisco 60 seconds.
Dynamic ARP Inspection (DAI) is the primary mitigation; it validates ARP packets using a DHCP snooping binding database.
Static ARP entries provide a simple but nonscalable defense for critical devices.
Gratuitous ARP (unsolicited ARP replies) is commonly used in spoofing attacks.
IPv6 uses NDP, which is vulnerable to similar spoofing attacks (Neighbor Advertisement spoofing).
Tools like arpspoof, Ettercap, and Cain & Abel are used to perform ARP spoofing.
Detection can be done with arpwatch, Wireshark, or IDPS that monitors ARP traffic.
Segmenting networks with VLANs reduces the impact scope of ARP spoofing.
Static ARP entries and Dynamic ARP Inspection come up on the exam all the time. Here's how to tell them apart.
Static ARP Entries
Manual configuration on each device; not scalable for large networks.
Entries never expire; immune to ARP spoofing for the configured IPs.
Requires administrative effort to update when hardware changes.
Only protects the device where configured; does not protect other hosts.
Commonly used for critical devices like routers and servers.
Dynamic ARP Inspection (DAI)
Automated validation using DHCP snooping database; scales well.
Drops invalid ARP packets; prevents spoofing on the entire VLAN.
Requires DHCP snooping to be enabled and configured properly.
Operates on the switch; protects all hosts in the VLAN.
Standard feature on Cisco switches; also available on some other vendors.
Mistake
ARP spoofing only works on unswitched networks (hubs).
Correct
ARP spoofing works on switched networks as well. Switches forward frames based on MAC addresses, but they do not validate ARP messages. An attacker can send forged ARP replies to poison the victim's cache, and the switch will happily deliver frames to the attacker's MAC address.
Mistake
Dynamic ARP Inspection (DAI) requires no other features to function.
Correct
DAI relies on a binding database built by DHCP snooping. Without DHCP snooping enabled, DAI cannot validate ARP packets and will not work effectively. Some implementations allow static bindings, but DHCP snooping is the standard prerequisite.
Mistake
Static ARP entries are a complete defense against ARP spoofing.
Correct
Static ARP entries on the victim prevent the victim from accepting forged ARP replies for that specific IP. However, if the attacker poisons the gateway's ARP cache, the gateway will still send return traffic to the attacker. Static ARP must be configured on both ends for full protection.
Mistake
ARP spoofing is only a concern for IPv4 networks.
Correct
IPv6 uses Neighbor Discovery Protocol (NDP) which is vulnerable to similar spoofing attacks (e.g., Neighbor Advertisement spoofing). NDP also has Secure Neighbor Discovery (SEND) as a mitigation, but it is not widely deployed.
Mistake
Enabling port security on a switch port prevents ARP spoofing.
Correct
Port security limits the number of MAC addresses allowed on a port and can restrict specific MACs, but it does not inspect ARP messages. An attacker can use the allowed MAC address (e.g., their own) and still perform ARP spoofing by sending forged ARP replies with that MAC.
The terms are often used interchangeably, but technically ARP spoofing refers to the act of sending forged ARP messages, while ARP poisoning refers to the state of having a corrupted ARP cache. In practice, both terms describe the same attack. The exam may use either, so understand the concept.
No. ARP is a local network protocol and does not cross routers. ARP spoofing requires the attacker to be on the same broadcast domain (same VLAN or subnet) as the victim. However, if an attacker compromises a device on the same network, they can launch the attack from there.
DAI is a Cisco switch feature that intercepts ARP packets on untrusted ports. It checks the source MAC, destination MAC, and IP addresses against a trusted binding database built by DHCP snooping. If the packet does not match a valid binding, it is dropped. DAI also rate-limits ARP packets to prevent ARP storms.
A gratuitous ARP is an ARP reply sent without a corresponding request. It is used to update other hosts' ARP caches when a device's MAC address changes. In spoofing, the attacker sends a gratuitous ARP claiming that the gateway's IP maps to the attacker's MAC, causing victims to update their caches.
Look for duplicate IP addresses with different MACs in the ARP cache. Use tools like arpwatch (Linux) that monitor ARP table changes and send alerts. Wireshark can capture ARP traffic; look for a high rate of unsolicited ARP replies or multiple replies for the same IP from different MACs. IDPS can also flag anomalies.
HTTPS encrypts the data content, but the attacker can still intercept and drop packets (denial of service) or perform SSL stripping if the victim's browser is not careful. The attacker can also capture the encrypted traffic and attempt to decrypt it later. HTTPS is not a direct defense against ARP spoofing; you need DAI or static ARP.
DHCP snooping builds a database of legitimate IP-to-MAC bindings by monitoring DHCP messages. DAI uses this database to validate ARP packets. Without DHCP snooping, DAI cannot verify the authenticity of ARP messages. DHCP snooping also prevents rogue DHCP servers from assigning false gateway addresses.