Geek Culture
Published in

Geek Culture

Understanding ARP Poisoning & MITM Attack

Image by:

ARP Poisoning and Man-in-the-middle attacks (MITM) are types of cyberattacks, that allows hackers to spy on communications between two parties. Technically ARP Poisoning is a type of Man-in-the-middle attacks. So, in this article I will explain about ARP Poisoning and Man-in-the-middle attacks. But before moving into the ARP Poisoning, we should have proper knowledge about ARP.

What is ARP?

ARP acronym stands for Address Resolution Protocol, and as the name suggests it is a protocol that enables network communications between devices. ARP used to translate Internet Protocol (IP) addresses to a “fixed physical machine address”, also known as a Media Access Control (MAC) address, in a local-area network. Usually, ARP used within devices to communicate the router that enables those devices to connect to the Internet.

The host is maintaining an ARP cache, and use it to connect to websites and other destinations on the network. However, if host doesn’t have the MAC address for an IP address that looking for, it will ask other machines on the network for a matching MAC address by sending an ARP request packet.

So, the mapping procedure between the IP and MAC addresses is really important, because the lengths of the IP and MAC addresses are different to each other. Because of that, a translation is required to recognize one another in the system. As you already know, there is a new version of the Internet Protocol named as IPv6, but still the most used one is IPv4. So, the thing is IPv4 addresses are 32 bits long, while MAC addresses are 48 bits long. Therefore, ARP needs to translate the 32-bit address to 48 and vice versa.

Furthermore, the ARP protocol is not good in security aspect. That’s why IPv6 comes with newer protocol named as, Neighbor Discovery Protocol (NDP). The Neighbor Discovery Protocol is very strong in security aspect and uses cryptographic keys to verify host identities.

What is ARP Poisoning (ARP Spoofing)?

ARP Poisoning is a type of Man-in-the-Middle (MitM) attack, that allows hackers to spy on communications between two parties over a Local Area Network (LAN). As I mentioned above, the ARP protocol was mainly designed for efficiency and not for security. Because the designers of the protocol never included an authentication system to validate ARP messages. As a result, any device on the same network can answer an ARP request, even though the original message is not requested for it.

Image: ARP Poisoning (

Let’s see the steps that hackers follow when they are attacking.

  1. First of all, they must have access to the network, so they can scan the network to find out the IP addresses of the connected devices.
  2. Mostly the next step would be selecting a target, such as specific endpoint on the network or a network device like a router.
  3. Then attackers will use a spoofing tool to carry out the ARP Poisoning attack. There are wide variety of tools they can use, such as Arpspoof or Driftnet. So, after configuring applicable settings he will begin the attack.
  4. As a result of the attack, both IP addresses that belongs to the router and device is going to believe that the attacker’s MAC address is the correct one.
  5. Now those two devices going to update their ARP cache entries. From that point, both devices communicate with the attacker, instead of directly with each other. But the thing is attacker pretends to be both sides of a network communication channel. Because of that, those two have no idea, that they are communicating with someone outside.
  6. Now the attacker can perform anything secretly without their knowledge.

How to Identify an ARP Cache Poisoning Attack?

If a specific device’s ARP cache has been poisoned, the easiest way to identify is by, using the command line.

Open your machine’s terminal and enter the following command to display the ARP table. This command will work for both Windows and Linux operating systems.

arp -a

The output result will be look like this,

Image: ARP table

However, if your table shows two different IP addresses that have the same MAC address, it means you are under attack of ARP Poisoning.

Additionally, if you want to discover ARP poisoning in a large network and get more information about the type of communication the attacker is carrying out, you can use an open-source software named as, Wireshark protocol.

Image: Network Traffic using WireShark

How to Prevent ARP Poisoning?

There are several ways that you can use to prevent ARP Poisoning on your network.

  • Use a Virtual Private Network (VPN)⁠: Using a VPN is the simplest, still effective way to prevent ARP Poisoning. It allows your device to connect internet through an encrypted tunnel and that make it impossible for an ARP spoofing attacker.
  • Use static ARP: The ARP protocol allows you to create a static ARP entry for an IP address. So, it will prevent devices from listening on ARP responses for that address.
  • Run a spoofing attack: You can run spoofing attacks by yourself to check if the existing defenses working fine, and if not, you can detect the weak points in your system and fix those.

Man-In-The-Middle (MITM) Attack

As I mentioned above ARP Poisoning is a type of MITM attack. Man-In-The-Middle attacks are one of the most common and most dangerous attack at the same time. A MITM attack is a type of eavesdropping attack, where attacker intercepts communications between two parties. After getting themselves into the communication, the attackers pretend to be both legitimate participants. In this way both the original parties don’t know that there is an attacker and they do the communication thinking that they connected directly to each other. But the reality is, both parties communicate with the attacker instead of directly with each other without their knowledge.

For an example assume there is person named as John, and the attacker sends out forged ARP responses for a given IP Address, usually the default gateway for a particular subnet. As a result, this will cause the John’s device to populate their ARP cache with the MAC address of the attacker’s machine, instead router’s MAC address. Then what happen is John’s machine will mistakenly forward network traffic to the attacker. However, to the John everything may appear normal until it’s too late.

So, attackers can easily perform these MITM attacks to steal login credentials or confidential information, spy on the victim, or disrupt communications or corrupt data.

Furthermore, there are several types of Man-In-The-Middle Attacks, such as DNS Poisoning, HTTPS Spoofing, Wi-Fi Eavesdropping, and Session Hijacking. So, in my next article I will explain about DNS Poisoning (DNS Spoofing).

So, this is the end of the article and I hope you enjoyed it. Happy Coding👨‍💻.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Nisal Pubudu

Nisal Pubudu

Associate Software Engineer at Virtusa