Sunday, June 2, 2013

ARP Poisoning - A Theoretical Approach

ARP Poisoning is an attack that can be carried out in a LAN that relies on Address Resolution Protocol for its internal routing. ARP Poisoning can then be further extended in different forms of attack like Man-in-the-middle-attack, Packet sniffing, Denial of Service etc. In this attack the attacker spoofs the ARP cache of the target machine.

We will consider one simple scenario out of many possible. The attacker uses ARP Poisoning in order to sniff all packets of a Victim. The attacker and the victim are both in the same LAN using Ethernet and the LAN is connected to the Internet via a gateway device.


Address Resolution Protocol is used to find out MAC address of another device in the LAN in order to communicate with that device.  It sends a broadcast of an ARP request packet. All other devices other than the target device will ignore the packet (or may save the MAC address of the device generating the ARP request in its ARP cache). The target computer will identify that the request is for itself based on the IP address and then it will generate an ARP reply packet that has its MAC address and send that packet to the device generating the ARP request. In this process both the devices will add each other’s MAC address in their respective ARP cache for further communication. Also devices periodically may broadcast a Gratuitous ARP request/reply packet which has their IP address and MAC address in order to let other devices update their ARP cache.


Carrying out an attack is simple. Now the attacker will create a spoofed gratuitous ARP packet with the IP address of the gateway and MAC address of its own destined to the victim computer. The Victim computer, thinking it came from the gateway device, will update its own ARP cache with this false information. Now all the traffic that the victim sends to the internet will be sent via the attacker’s machine. The attacker can now perform the same procedure in order to replace the MAC address of victim computer with its own MAC address in the gateway’s ARP cache. This way the attacker is now able to successfully hijack the complete session of the attacker’s computer.


  • One can use static ARP entries in every computer for a network, for all other devices on the network. Obviously that would be very time consuming but it guarantees complete security against ARP spoofing.
  • One can even use software in one’s network that keeps a track of the MAC address of computers and checks it periodically.
  • Manually checking the traffic on the network and taking care of any such suspicious activity also helps a lot.
  • Generate Self Signed Digital Certificate with encryption algorithm using RSA or MD5 DES.

    1.   Anon (2008). Ettercap  Mitm attacks. Available at: (Accessed on: 21st April 2013).
     2.   Petersen, R. (2010). Fedora 14 Networking and Servers. Edition. Surfing turtle press.
    3.   ArpSpoof2005/03/14, . Available at:
    4.   RALPHANGENENDT, 2010 10 10, 2010-last update, HowTos/Https - CentOS Wiki. Available:
    5.   Main_the_Middle.JPEG. (n.d.). Retrieved from OWASP:

    Author : Mufaddal Makati
    Contact :

    No comments: