ARP cache poisoning is one of the easiest and most effective methods for carrying out man-in-the-middle attacks. ARP works at layer two, also known as the data link layer, and is based on the MAC or hardware address of the communicating systems. Because of this, ARP cache poisoning can only be carried out between systems in the same segment of the network.

ARP cache poisoning is successful because the ARP doesn’t have any kind of security. Anyone can solicit an ARP reply (gratuitous ARP) without an ARP request and make the other systems think that the new MAC for a particular IP is something different.

This will result in an update of the MAC address table on the victim’s system. Now, rather than talking directly to each other, the victim’s systems will start talking through the attacker’s system.

Prevention against ARP cache poisoning is not easy, because by default the ARP protocol itself is not secure. There are some ways around this method of attack that involve the hard-coding of ARP cache, but this method defeats the dynamic nature of IP address allocation.

If the ARP cache is hard-coded, then the IP needs to be static for each LAN system, and if it is not, then static allocation or coding of the ARP cache wouldn’t be fruitful. There are other security devices that may also be used to prevent against ARP cache poisoning, including internal firewall devices, UTM systems, etc.

More security questions & answers