What is Address Resolution Protocol (ARP) poisoning?

Cybersecurity Professional Set Rules for Key Creation

ARP is a protocol that is used to resolve IP addresses to MAC addresses (globally unique numbers). ARP poisoning also known as ARP spoofing is an attack you can use to insert a communication across the network. This allows you to sniff any traffic going between the targets on the internet. If sensitive information, such as credit card details and passwords are sent unencrypted, then the targets can have a very bad day.

How does ARP Poisoning Work

Every computer connects to the network using an ARP table. This table contains IP addresses and their corresponding MAC addresses. Hence when you want to communicate with a certain IP address, your system refers to the respective MAC address. You can check your ARP table in Linux using the command “ARP”, while in windows, it is “ARP –a”.

This table shows up all the devices with whom you have communicated with on Network. Hence the system stores the IP address and respective MAC address of all the connected IP in this table and can refer to them time and again.

If you want to check the status of another system, using the ping command, the system sends a broadcast command on the network. Once the system gets the MAC address, it sends the ping and it saves it for future reference in the ARP table.

If this is attacked, the communication being sent to the real router is redirected to the attacker. This can allow attackers to modify the MAC and send it to the network. When any other system requests for the MAC of the system a different MAC (incorrect MAC) is floated in the network.

How to protect from ARP attack

With increasing attacks on organizations, it is necessary to ensure certain features which can protect the systems from ARP Attacks.

  • Packet filtering: Packet filters inspect packets as they are transmitted across a network. Packet filters are useful in ARP spoofing prevention because they are capable of filtering out and blocking packets with conflicting source address information (packets from outside the network that show source addresses from inside the network and vice-versa).
  • Avoid trust relationships: Organizations should develop protocols that rely on trust relationships as little as possible. Trust relationships rely only on IP addresses for authentication, making it significantly easier for attackers to run ARP spoofing attacks when they are in place.
  • Use ARP spoofing detection software: There are many programs available that help organizations detect ARP spoofing attacks. These programs work by inspecting and certifying data before it is transmitted and blocking data that appears to be spoofed.
  • Using VPN: A VPN can be a reasonable defense for individuals, but they are generally not suitable for larger organizations. If it is just a single person making a potentially dangerous connection, such as using public wifi at an airport, then a VPN will encrypt all of the data that travels between the client and the exit server. This helps to keep them safe because an attacker will only be able to see the ciphertext.
  • Use cryptographic network protocols: Transport Layer Security (TLS), Secure Shell (SSH), HTTP Secure (HTTPS) and other secure communications protocols bolster ARP spoofing attack prevention by encrypting data prior to transmission and authentication data when it is received.


ARP has always been and is still very much prone to ARP Poisoning attacks. As the address resolution mechanism is an unavoidable network necessity, defense mechanisms need essentially to be implemented for utmost protection.

A high percentage of methods have been implemented to salvage against the spoofing attacks, yet a few soft spots need to be addressed. On the whole, it would be prudent to conclude the fact that almost all the mitigation software available presently is confined to work with specific kernels and some require relentless traffic filtering.