What is ARP Protocol, ARP Poisoning or ARP Spoofing and how it works?

ARP Protocol, ARP Poisoning or ARP Spoofing

As always, most of the people don’t have any background knowledge about hacking or particular type of topic we are discussing here today. So before moving ahead to ARP Protocol, ARP Poisoning or ARP Spoofing we should first learn what is ARP or ARP Protocol.

What is ARP Protocol?

Address Resolution Protocol (ARP) is a low-level network protocol for translating network layer addresses into link layer addresses (OSI Model layer). ARP was not included in the OSI framework and allows computers to introduce each other across a network prior to communication.

Because protocols are basic network communication units, address resolution is dependent on protocols such as ARP, which is the only reliable method of handling required tasks.

ARP resolves IP address.


In the above scenario, we will try to understand what ARP has role in communication and learn some concepts.

Here we have PC A and PC B, both computers are connected with the help of Ethernet. While Ethernet works on Data Link Layer (OSI Model).

When configuring a new network computer, each system is assigned an Internet Protocol (IP) address for primary identification and communication.

Both the computers are connected to local area network that means both should have separate IP address (Internet Protocol) and MAC address (A media access control of a computer is a unique identifier assigned to network interfaces for communications at the data link layer of a network segment).

Here we know that router or any internet gateway has ARP table (A table, usually called the ARP cache, is used to maintain a correlation between each MAC address and its corresponding IP address).

Here PC A sends an IP packet to a particular PC. It should be kept in mind that on data link layer IP packets are enclosed in a frame that is sent to destination computer. Along with IP packets, source and destination of computers are also available within the frame to reach on right destination.

Till here you must be aware of what the actual scenario is happening.

Here we go, PC A sends a frame (IP packet) to PC B in a network but doesn’t know the MAC address of PC B. This time PC A will broadcast (send request in a network) an ARP request in a network. The broadcast is received to every computer or system in a network. Though the broadcast request contains the IP address of source and destination. The computer system which matches the destination IP address will send back ARP reply to PC A. The ARP reply contains the IP address and MAC address of PC B. Following this the router will update the ARP table with IP and MAC addresses in a network.This simple address translation and exchange process is the primary role of ARP.

ARP tables can be stored to increase transmission rates by keeping track of addresses known to the network and transmitting any MAC or IP address changes via ARP.

ARP Poisoning/Spoofing

ARP poisoning or ARP spoofing is a malicious attack where attacker sends a falsified ARP to target over a local area network. This results in the linking of attacker’s MAC address with the IP address of legitimate victim. The changes are all done in the ARP cache of victim’s computer. Once the MAC address of attacker is connected to the IP address of victim all the traffic that was intended to victim will be entertained by attacker. This time attacker is able to read, modify and transfer any kind of data to any particular IP with back link as of victim. ARP poisoning or spoofing attacks can only occur on local area networks that utilize the Address Resolution Protocol.

As a result, both the user’s data and privacy are compromised. An effective ARP poisoning attempt is undetectable to the user. ARP poisoning is also known as ARP cache poisoning or ARP poison routing (APR).



ARP is a stateless protocol. Network hosts will automatically cache any ARP replies they receive, regardless of whether network hosts requested them. Even ARP entries which have not yet expired will be overwritten when a new ARP reply packet is received.

ARP Poisoning/Spoofing Attacks

ARP spoofing attarcks have very serious effects on various business enterprises. ARP poisoning is very effective against both wireless and wired local networks. By triggering an ARP poisoning attack, hackers can steal sensitive data from the targeted computers. Since the general goal of the attack is to associate the attacker’s host MAC address with the IP address of a target host, so that any traffic meant for the target host will be sent to the attacker’s host.

The attacker may choose to inspect the packets (spying), while forwarding the traffic to the actual default gateway to avoid discovery, modify the data before forwarding it (man-in-the-middle attack), or launch a denial-of-service attack by causing some or all of the packets on the network to be dropped and other cause is Session hijacking which allows an attacker to steal session ID’s, granting attackers access to private systems and data.

ARP Poisoing/Spoofing Technique

ARP poisoning or spoofing attacks typically follow a bunch of similar steps. These steps usually include:

  • The attacker opens an ARP spoofing tool and sets the tool’s IP address to match the target’s IP subnet. Some popular ARP spoofing software includes Arpoison, Arpspoof, Cain & Abel and Ettercap.
  • The attacker then uses the ARP spoofing tool to scan for the IP and MAC addresses of hosts/target in the target’s subnet.
  • The attacker chooses its target and begins sending ARP packets across the LAN that contain the attacker’s MAC address and the target’s IP address.
  • Due to spoofed ARP cache, when hosts send packets to victim will go straight to the attacker instead. From here, the attacker can steal data or launch a more sophisticated follow-up attack.

ARP Poisoning/Spoofing Detection, Prevention and Protection

The following methods are the recommended measures for detecting, preventing and protecting against ARP poisoning/spoofing attacks:

  • Packet filtering: Packet filters inspect packets as they are transmitted across a network. Packet filters are useful in ARP spoofing prevention because they are capable of filtering out and blocking packets with conflicting source address information (packets from outside the network that show source addresses from inside the network and vice-versa).
  • Avoid trust relationships: Organizations should develop protocols that rely on trust relationships as little as possible. Trust relationships rely only on IP addresses for authentication, making it significantly easier for attackers to run ARP spoofing attacks when they are in place.
  • Use ARP spoofing detection software: There are many programs available that help organizations detect ARP spoofing attacks. These programs work by inspecting and certifying data before it is transmitted and blocking data that appears to be spoofed.
  • Use cryptographic network protocols: Transport Layer Security (TLS), Secure Shell (SSH), HTTP Secure (HTTPS) and other secure communications protocols bolster ARP spoofing attack prevention by encrypting data prior to transmission and authenticating data when it is received.

Software that detects ARP spoofing generally relies on some form of certification or cross-checking of ARP responses. Uncertified ARP responses are then blocked. These techniques may be integrated with the DHCP server so that both dynamic and static IP addresses are certified. This capability may be implemented in individual hosts or may be integrated into Ethernet switches or other network equipment.

Cause of ARP Poisoning/Spoofing

There is no method in the ARP protocol by which a host can authenticate the peer from which the packet originated. This behavior is the vulnerability which allows ARP spoofing to occur.

Please read more about hacking techniques.

Do share your experience in comments.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.