What Is ARP Poisoning?

ARP (Address Resolution Protocol) poisoning, also called ARP spoofing, is a type of attack on local networks. The attacker sends forged ARP replies to associate their device's MAC address with the IP address of a legitimate device (such as the default gateway), causing traffic destined for that IP to be sent to the attacker instead.

How ARP Works (and How It Is Exploited)

ARP maps IP addresses to MAC addresses on a local network. When device A wants to send data to 192.168.1.1 (the router), it broadcasts "Who has 192.168.1.1?" The router replies with its MAC address, and device A caches this mapping.

ARP has no authentication. An attacker can send unsolicited ARP replies saying "192.168.1.1 is at MY MAC address." Devices accept this and update their cache — now traffic intended for the router goes to the attacker instead.

What Attackers Can Do With ARP Poisoning

Man-in-the-middle attack — Intercept and read all traffic between victim and router
Credential theft — Capture usernames and passwords sent over HTTP
Session hijacking — Steal session cookies to impersonate logged-in users
Denial of service — Drop traffic entirely, disconnecting the victim

Who Is at Risk

ARP poisoning only works on the same local network segment. You are most at risk on:

public Wi-Fi networks (cafes, airports, hotels)
Corporate networks if an internal device is compromised
Home networks if a device is infected with malware

Defences Against ARP Poisoning

Use HTTPS — even if traffic is intercepted, it is encrypted and unreadable
Use a VPN — encrypts all traffic so interception yields nothing useful
Enable Dynamic ARP Inspection (DAI) on managed network switches
Use static ARP entries for critical devices (impractical at scale)

How ARP Works (and How It Is Exploited)

What Attackers Can Do With ARP Poisoning

Who Is at Risk

Defences Against ARP Poisoning

People Also Ask

Related Questions

What Is a Man-in-the-Middle Attack?

What Is Packet Sniffing?

Public Wi-Fi Security Risks