Address Resolution Protocol Poisoning

Definition of Address Resolution Protocol Poisoning

Address Resolution Protocol (ARP) Poisoning, also known as ARP spoofing, is a cyber attack technique where an attacker sends falsified ARP messages to manipulate the IP-to-MAC address mapping within a network. This enables the attacker to intercept or alter network traffic, or even launch denial-of-service attacks. In doing so, the attacker gains unauthorized access to the victim’s data and disrupts their normal communication processes.


Here’s the phonetic transcription of ‘Address Resolution Protocol Poisoning’:/əˈdrɛs ˌrɛzəˈluʃən ˈprəʊtəkəl ˈpɔɪzənɪŋ/

Key Takeaways

  1. Address Resolution Protocol (ARP) Poisoning, also known as ARP Spoofing, is a cyber attack that targets local area networks (LANs) by exploiting the ARP protocol to intercept and modify data packets exchanged between devices.
  2. This type of attack allows hackers to access sensitive information, intercept network traffic, launch denial of service (DoS) attacks, or conduct man-in-the-middle (MITM) attacks by impersonating legitimate devices on the network.
  3. Preventing ARP Poisoning involves implementing security measures such as using static ARP entries, network segmentation, a secure Dynamic Host Configuration Protocol (DHCP) configuration, and utilizing intrusion detection and prevention systems (IDS/IPS) to identify and block suspicious activities.

Importance of Address Resolution Protocol Poisoning

Address Resolution Protocol (ARP) poisoning is an essential term in technology as it represents a significant security concern within computer networks.

It refers to a malicious technique in which attackers exploit the communication process between network devices to intercept and manipulate data transmissions by sending out falsified ARP messages.

By associating their own MAC address with the IP address of another device, such as a default gateway or server, the attacker can effectively redirect traffic intended for the victim to their own device, ultimately putting sensitive information at risk.

ARP poisoning is crucial to understand as it highlights the need for network administrators to actively secure systems against such cyber threats while also emphasizing the importance of implementing robust intrusion detection and prevention measures.


Address Resolution Protocol (ARP) poisoning, also known as ARP spoofing or ARP cache poisoning, is a prominent cybersecurity attack technique that cybercriminals use to intercept and manipulate network traffic. The primary purpose of ARP poisoning is to deceive computer systems and devices within a local area network, by sending falsified ARP messages which associate the attacker’s MAC address to the IP address of a legitimate network entity.

This deceitful association allows the attacker to effectively intercept, modify, or block data packets that were originally intended for the legitimate user within the network, facilitating various malicious actions such as eavesdropping, man-in-the-middle attacks, denial of service, or data theft. The effectiveness of ARP poisoning stems from the inherent trust-based nature of the ARP protocol itself, which lacks security measures to verify the authenticity of ARP messages.

When a device in a network intends to communicate with another device, it relies on the information stored by the ARP cache, which maps IP addresses to corresponding MAC addresses. However, without proper security measures, the ARP cache can be easily manipulated by attackers with malicious ARP messages, leading to erroneous data routing and unauthorized access to sensitive information.

To mitigate and prevent ARP poisoning attacks, network administrators employ various countermeasures, such as the implementation of robust intrusion detection systems, static ARP tables, or employing secure communication protocols like IPSec.

Examples of Address Resolution Protocol Poisoning

Address Resolution Protocol (ARP) Poisoning, also known as ARP Spoofing, is a cyber attack technique that involves sending fake ARP messages to a target system or networks, with the intention of associating the attacker’s MAC address with the IP address of another device, such as the default gateway or a specific target. This can lead to various nefarious activities, including data interception, denial of service, or man-in-the-middle (MITM) attacks. Here are three real-world examples of ARP Poisoning:

Turla APT Group:In 2014, the Turla Advanced Persistent Threat (APT) group, a cyber-espionage group with suspected ties to the Russian government, used ARP poisoning to compromise diplomatic institutions and government organizations across the globe. They began by infecting specific targets with malware that enabled the attackers to perform ARP poisoning on the local network. This allowed them to intercept network traffic, gain unauthorized access to sensitive information, and compromise other systems within that network.

Ettercap:Ettercap is an open-source network security tool used for man-in-the-middle attacks on LAN. One of its prominent features is the capability to perform ARP poisoning. While Ettercap itself is not malicious and serves as a tool for network security professionals, it can be exploited by attackers with malicious intentions. Some attackers use Ettercap to perform ARP poisoning, allowing them to intercept traffic between two devices and steal sensitive information, such as login credentials or financial data.

The ‘KRACK’ Attack:In 2017, researchers discovered a vulnerability in the WPA2 security protocol, which is widely used to secure Wi-Fi connections. The Key Reinstallation Attack (KRACK) leveraged the ARP poisoning technique to exploit this weakness. By sending fake ARP packets, attackers could trick devices into reinstalling an encryption key that was already in use, making it possible to decrypt the network traffic between the targeted device and the wireless access point. This could lead to eavesdropping on personal information, stealing login credentials, or manipulating data being transmitted over the network.

FAQ – Address Resolution Protocol Poisoning

1. What is Address Resolution Protocol (ARP) Poisoning?

Address Resolution Protocol (ARP) Poisoning, also known as ARP Spoofing, is a cyber attack technique that exploits the ARP protocol. It allows an attacker to send fake ARP messages to the local network, which leads to the linking of the attacker’s MAC address with another device’s IP address. As a result, data intended for the original device is rerouted to the attacker’s device, leading to potential data theft, network traffic interception, or other malicious activities.

2. How does ARP Poisoning work?

ARP Poisoning works by sending fake ARP requests or responses to a local network. The attacker forges a request claiming to be from a different device, such as a router, causing other devices on the network to update their ARP cache with the attacker’s MAC address. When the devices try to communicate with the target IP, they mistakenly send data to the attacker’s device instead, effectively hijacking the connection.

3. What are some symptoms of ARP Poisoning?

Some common symptoms of ARP Poisoning include increased network latency, unexplained data loss, IP address conflicts, and unusual ARP traffic. These symptoms may indicate that a device on the network is processing or intercepting traffic intended for another device.

4. What can you do to prevent ARP Poisoning?

Some measures you can take to prevent ARP Poisoning include implementing static ARP entries, deploying a network security solution such as aIDS/IPS, implementing dynamic ARP inspection (DAI) on switches, using private VLANs, using cryptographic methods like IPsec or SSH to encrypt sensitive network communication, and regularly monitoring network traffic for unusual or suspect activity.

5. How can you detect and mitigate ARP Poisoning attacks?

Detection of ARP Poisoning can be achieved using network monitoring tools that analyze ARP traffic for inconsistencies or suspicious patterns. Additionally, IDS/IPS systems can provide alerts when an ARP Poisoning attack is detected. To mitigate an ongoing attack, you can remove the attacker’s MAC address from the affected devices’ ARP caches, implement security measures mentioned previously, and isolate the compromised device from the network until the issue is resolved.

Related Technology Terms


  • ARP Cache Poisoning
  • MITM (Man-in-the-middle) attack
  • MAC Address Spoofing
  • ARP Table
  • Network Security


Sources for More Information

  • Techopedia –
  • GeeksforGeeks –
  • Wikipedia –
  • Imperva –

Table of Contents