This lesson explains ARP poisoning: how the Address Resolution Protocol's lack of authentication enables local man-in-the-middle attacks, step-by-step attack flow, common tools and commands, detection and mitigation strategies, and legal/ethical considerations. It covers practical commands, defensive controls (DAI, DHCP snooping, 802.1X), detection signals, and why encryption helps but isn't always sufficient.
ARP Poisoning Concepts — The Chaotic MITM That Makes Switches Cry "If IP is the address on the mailbox, ARP is the neighbor who tells you which house the mailbox actually belongs to — and ARP poisoning is bribing the neighbor with espresso to lie." You're already comfortable with N...
Quick refresher: where ARP fits in the stack ARP (Address Resolution Protocol) resolves IPv4 addresses to MAC addresses on a local broadcast domain. It's a stateless, unauthenticated protocol: friendly and gullible by design. Devices cache ARP replies in an ARP table until entries expire. ...
How ARP poisoning actually works (step-by-step) Attacker and victim are on the same L2 network (same VLAN/LAN). Switch or hub — attacker needs L2 reachability. Attacker enables IP forwarding on their machine so intercepted packets are forwarded to the real gateway. Attacker sends forged ARP re...
Attack flow cheatsheet (commands & fundamentals) Enable IP forwarding (Linux): # immediate sudo sysctl -w net.ipv4.ip_forward=1 # persistent in /etc/sysctl.conf: net.ipv4.ip_forward = 1 Common tools and quick commands: # arpspoof (dsniff suite) arpspoof -i eth0 -t 192.168.1.10 192.168.1...
Encrypted traffic? Not a problem — sometimes Even if traffic is encrypted, ARP poisoning can still be valuable. It enables SSL/TLS interception if the attacker can present a trusted certificate or the client ignores warnings (or certificate pinning is absent). It enables TLS downgrade/SSL str...
Detection — how defenders catch ARP poisoning Watch for duplicate IPs / changing MACs : arpwatch, ArpON, and IDS signatures can flag suspicious ARP activity. Monitor ARP traffic : an unusual rate of gratuitous ARP replies is a red flag. Check ARP tables : arp -a or ip neigh show — sudden chang...
Mitigation & hardening (what actually works) Defensive Measure How it helps Notes Dynamic ARP Inspection (DAI) on switches Drops ARP replies that don't match DHCP snooping bindings Best in managed switch environments Static ARP entries on critical hosts Prevents ARP updates...