ESET Glossary – Table of Contents

ARP Cache Poisoning

Address Resolution Protocol (ARP) links an IPv4 address to a device's MAC address on a local network. ARP cache poisoning (also called ARP spoofing) is an attack where someone sends fake ARP messages so devices store the wrong IP-to-MAC mapping. ARP applies to IPv4 networks; IPv6 uses Neighbor Discovery Protocol (NDP), where similar attacks are usually called NDP spoofing or neighbor cache poisoning.

In a common scenario, the attacker tells a victim that the attacker's MAC address belongs to the network gateway, and tells the gateway that the attacker's MAC address belongs to the victim. Both systems then send traffic to the attacker by mistake. This lets the attacker read, alter, or block traffic before passing it on.

In large corporate networks, monitoring systems can sometimes raise false alarms for ARP poisoning. Legitimate changes, such as DHCP renewals, failover events, load balancers, virtual machine migrations, or endpoint MAC randomization, can appear suspicious even when no attack is present. Analysts should confirm alerts with multiple signals (for example, switch logs and endpoint behavior) before declaring an incident.
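The following sketch shows how a monitor can grade IP-to-MAC changes by how many signals agree, so that a single change (failover, MAC randomization) is not treated as an attack. It is an added example, not ESET's detection logic or code from this glossary. The addresses, signal names, severity grades and the 30-second flap window are constructed assumptions.

```python
from collections import defaultdict

# Constructed observations (seconds, sender IP, sender MAC) as read from ARP replies.
SAMPLE = [
    (0,  "192.0.2.1",  "00:11:22:33:44:01"),  # gateway
    (1,  "192.0.2.10", "00:11:22:33:44:10"),  # workstation
    (2,  "192.0.2.20", "00:11:22:33:44:20"),  # laptop
    (60, "192.0.2.20", "06:aa:bb:cc:dd:20"),  # laptop rotates to a randomized MAC
    (90, "192.0.2.1",  "00:11:22:33:44:66"),  # gateway IP answered by a new MAC
    (91, "192.0.2.10", "00:11:22:33:44:66"),  # the same MAC now claims the workstation
    (95, "192.0.2.1",  "00:11:22:33:44:01"),  # original gateway MAC answers again
]

def is_locally_administered(mac):
    # Bit 0x02 of the first octet marks a locally administered (often randomized) MAC.
    return bool(int(mac.split(":")[0], 16) & 0x02)

def analyze(observations, gateway_ip, flap_window=30):
    """Return one alert per IP-to-MAC change, graded by how many signals agree."""
    current = {}                # ip -> MAC last seen for it
    claims = defaultdict(set)   # mac -> IPs it currently answers for
    last_change = {}            # ip -> time its mapping last changed
    alerts = []
    for ts, ip, mac in observations:
        old = current.get(ip)
        if old is not None and old != mac:
            signals = []
            if ip == gateway_ip or gateway_ip in claims[mac]:
                signals.append("involves-gateway")
            if claims[mac] - {ip}:  # load balancers can do this legitimately
                signals.append("mac-claims-multiple-ips")
            if ip in last_change and ts - last_change[ip] <= flap_window:
                signals.append("mapping-flapping")
            severity = "review"        # one signal (e.g. failover): check switch logs
            if len(signals) >= 2:
                severity = "high"      # corroborated by a second signal: escalate
            elif not signals and is_locally_administered(mac):
                severity = "info"      # consistent with endpoint MAC randomization
            claims[old].discard(ip)
            last_change[ip] = ts
            alerts.append({"time": ts, "ip": ip, "old": old, "new": mac,
                           "severity": severity, "signals": signals})
        current[ip] = mac
        claims[mac].add(ip)
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE, gateway_ip="192.0.2.1"):
        print(alert)
```

A "review" result is the point at which an analyst would pull switch logs and endpoint behavior before declaring an incident.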

In ESET products, users can customize network attack detection behavior in Advanced IDS settings.