What is ARP Cache Poisoning?

ARP cache poisoning is one of the easiest and most effective methods for carrying out man-in-the-middle attacks. ARP works at layer two, the data link layer, and resolves IP addresses to the MAC (hardware) addresses of the communicating systems. Because of this, ARP cache poisoning can only be carried out between systems in the same network segment.

ARP cache poisoning succeeds because ARP has no authentication. Anyone can send an unsolicited ARP reply (a gratuitous ARP) without a preceding ARP request and make other systems believe that a particular IP address now maps to a different MAC address.

This updates the ARP cache on the victim’s system. The victim systems will then send their traffic through the attacker’s system instead of talking directly to each other.
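As an added example (not code from the original article), a small Python detector that mirrors what a victim's ARP cache would learn from a packet sequence and flags the two symptoms just described: a reply that nobody requested, and an IP address whose MAC changes. The `ArpPacket` structure and the sample addresses are assumptions constructed for the example.

```python
"""Flag ARP cache poisoning indicators in a sequence of ARP packets."""
from collections import namedtuple

# op: 1 = request, 2 = reply (opcode values from RFC 826)
ArpPacket = namedtuple("ArpPacket", "op sender_ip sender_mac target_ip")


def detect_arp_poisoning(packets):
    """Return a list of alert strings found in the packet sequence.

    Two indicators are checked:
      * a reply for an IP that no host asked about (unsolicited or
        gratuitous reply), which ARP accepts because it has no authentication;
      * an IP whose sender MAC differs from the one first learned, the
        classic symptom of a poisoned cache.
    """
    learned = {}      # ip -> first MAC seen; what a victim's cache would hold
    pending = set()   # IPs currently being resolved by an outstanding request
    alerts = []
    for pkt in packets:
        if pkt.op == 1:
            pending.add(pkt.target_ip)
            continue
        if pkt.op != 2:
            continue
        if pkt.sender_ip in pending:
            pending.discard(pkt.sender_ip)
        else:
            alerts.append(
                f"unsolicited reply: {pkt.sender_ip} is-at {pkt.sender_mac}")
        # Keep the first MAC learned so every conflicting reply is reported.
        known = learned.setdefault(pkt.sender_ip, pkt.sender_mac)
        if known != pkt.sender_mac:
            alerts.append(
                f"mac change: {pkt.sender_ip} {known} -> {pkt.sender_mac}")
    return alerts


# Constructed sample traffic (not a real capture): a host resolves the
# gateway, the gateway answers, then an unsolicited reply claims the
# gateway's IP with a different MAC.
SAMPLE_TRAFFIC = [
    ArpPacket(1, "10.0.0.5", "aa:aa:aa:aa:aa:05", "10.0.0.1"),
    ArpPacket(2, "10.0.0.1", "aa:aa:aa:aa:aa:01", "10.0.0.5"),
    ArpPacket(2, "10.0.0.1", "cc:cc:cc:cc:cc:99", "10.0.0.5"),
]

if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_TRAFFIC):
        print(alert)
```

Tools such as arpwatch apply the same idea to live traffic; this version only shows the logic on the constructed sample.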

Preventing ARP cache poisoning is not easy because the ARP protocol itself is not secure by default. One workaround is to hard-code the ARP cache with static entries, but this defeats the dynamic nature of IP address allocation.

If the ARP cache is hard-coded, the IP address of each LAN system must be static; otherwise static ARP entries will not be of much use. Other security devices may also help prevent ARP cache poisoning, including internal firewall devices and UTM systems.