What is ARP Spoofing?
Learn what ARP spoofing is, how forged ARP replies hijack local traffic, and defenses like dynamic ARP inspection.
Expected Interview Answer
ARP spoofing (also called ARP poisoning) is an attack where a malicious device sends forged ARP replies onto a local network, falsely associating its own MAC address with another host’s IP address, so victim devices send traffic meant for that IP to the attacker instead.
ARP has no built-in authentication: any device on a broadcast domain can send an ARP reply, and receiving hosts simply trust and cache whatever mapping arrives, even without a matching request. An attacker exploits this by broadcasting forged ARP replies claiming to own, for example, the default gateway’s IP address; nearby hosts update their ARP cache to point that gateway IP at the attacker’s MAC address. From then on, victim traffic destined for the real gateway is instead sent to the attacker, who can silently forward it on (a man-in-the-middle position), drop it (denial of service), or modify it in transit. Because the attack only works within a single Layer 2 broadcast domain, it requires the attacker to already be on the same local network or VLAN as the victim. Defenses include dynamic ARP inspection on switches, static ARP entries for critical hosts, port security, and encryption (TLS) so intercepted traffic remains unreadable even if rerouted.
- Exploits ARP's lack of authentication for man-in-the-middle positioning
- Redirects traffic silently by poisoning the victim's ARP cache
- Confined to a single local broadcast domain, limiting attack scope
- Mitigated by dynamic ARP inspection, static entries, and encryption
AI Mentor Explanation
ARP spoofing is like an impostor shouting across the ground, unprompted, 'I am fielding at position 4 now,' and everyone simply updates their mental map to send throws to the impostor instead of the real fielder. Because there is no check on who is allowed to make that claim, the whole team starts misdirecting the ball based on a lie. This is exactly how a forged ARP reply hijacks traffic meant for someone else’s address without any verification.
Step-by-Step Explanation
Step 1
Send forged replies
The attacker broadcasts unsolicited ARP replies claiming to own a target IP (e.g., the gateway).
Step 2
Victims update cache
Nearby hosts trust the reply without verification and update their ARP cache to point that IP at the attacker's MAC.
Step 3
Traffic redirection
Victim traffic meant for the real IP is now sent to the attacker's machine on the local segment.
Step 4
Intercept or disrupt
The attacker relays traffic (man-in-the-middle), drops it (DoS), or modifies it before forwarding.
What Interviewer Expects
- Explains ARP's lack of authentication as the root cause
- Describes the forged-reply and cache-poisoning mechanism
- Knows the attack is confined to one local broadcast domain
- Names defenses: dynamic ARP inspection, static ARP, encryption
Common Mistakes
- Confusing ARP spoofing with DNS spoofing
- Thinking the attack can be performed from a remote, off-subnet network
- Forgetting that encryption (TLS) doesn't stop the redirect, only limits what the attacker can read
- Not naming any concrete mitigation like dynamic ARP inspection
Best Answer (HR Friendly)
“ARP spoofing is when an attacker on your local network lies about which device owns a particular IP address, tricking nearby computers into sending their traffic to the attacker instead of the real destination, like the router. It works because the ARP protocol trusts replies without checking them, and it lets the attacker snoop on or tamper with traffic — network switches and encryption are the main defenses.”
Code Example
# Watch for duplicate/conflicting MAC addresses claiming the same IP
sudo arpwatch -i eth0
# Manually inspect the ARP cache for suspicious duplicate entries
arp -a
# Pin a critical host’s IP-to-MAC mapping to prevent poisoning
sudo arp -s 192.168.1.1 00:11:22:33:44:55Follow-up Questions
- How does dynamic ARP inspection (DAI) prevent ARP spoofing?
- Why does encryption not fully protect against an ARP spoofing attack?
- What is the difference between ARP spoofing and IP spoofing?
- How can a static ARP entry help protect a critical host?
MCQ Practice
1. What makes ARP spoofing possible?
ARP has no built-in authentication, so any forged reply is accepted and cached by receiving hosts.
2. What is the scope of a typical ARP spoofing attack?
ARP spoofing only works within the same local Layer 2 broadcast domain as the victim.
3. Which switch feature helps mitigate ARP spoofing?
Dynamic ARP Inspection validates ARP packets against trusted bindings to block forged replies.
Flash Cards
What is ARP spoofing? — Sending forged ARP replies to associate an attacker's MAC with a victim IP, redirecting traffic.
Why does ARP spoofing work? — ARP replies are trusted and cached without any authentication.
Scope of ARP spoofing? — Limited to a single local broadcast domain (subnet/VLAN).
Main defenses? — Dynamic ARP inspection, static ARP entries, port security, and encryption.