ARP cache poisoning allows a computer on a local area network to intercept and monitor all network traffic by inserting itself as the middleman between communicating devices. It does this by spoofing ARP replies that tell other devices the attacker's MAC address should be associated with certain IP addresses instead of the actual device. As a result, the attacker is able to see and even modify all unencrypted traffic on the LAN. Standard switches do not prevent this attack since the traffic is being actively redirected to the attacker rather than just passively sniffed.
ARP cache poisoning allows a computer on a local area network to intercept and monitor all network traffic by inserting itself as the middleman between communicating devices. It does this by spoofing ARP replies that tell other devices the attacker's MAC address should be associated with certain IP addresses instead of the actual device. As a result, the attacker is able to see and even modify all unencrypted traffic on the LAN. Standard switches do not prevent this attack since the traffic is being actively redirected to the attacker rather than just passively sniffed.
ARP cache poisoning allows a computer on a local area network to intercept and monitor all network traffic by inserting itself as the middleman between communicating devices. It does this by spoofing ARP replies that tell other devices the attacker's MAC address should be associated with certain IP addresses instead of the actual device. As a result, the attacker is able to see and even modify all unencrypted traffic on the LAN. Standard switches do not prevent this attack since the traffic is being actively redirected to the attacker rather than just passively sniffed.
ARP cache poisoning allows a computer on a local area network to intercept and monitor all network traffic by inserting itself as the middleman between communicating devices. It does this by spoofing ARP replies that tell other devices the attacker's MAC address should be associated with certain IP addresses instead of the actual device. As a result, the attacker is able to see and even modify all unencrypted traffic on the LAN. Standard switches do not prevent this attack since the traffic is being actively redirected to the attacker rather than just passively sniffed.
ARP Reply spoofing for the purpose of ARP Cache Poisoning allows any computer on the local area network to obtain one of the most dangerous and powerful attack postures in network security: the socalled "Man In The Middle" (MITM). The man in the middle is able to monitor, filter, modify and edit any and all traffic moving between the LAN's unsuspecting and inherently trusting computers. In fact, there is nothing to prevent it from filling every computer's ARP cache with entries pointing to it, thus allowing it to effectively become a master hub for all information moving throughout the network. Internet "switches" offer no help As you can see from the diagram above, the use of a standard Internet switch (as compared with a hub), which prevents passive monitoring and sniffing of the LAN's traffic by isolating the traffic of each computer from all others, is of no help in the face of active ARP cache poisoning since the LAN's traffic is being actively sent to the attacking computer.
In normal operation the computers on the
LAN use ARP protocol to acquire and memorize each other's NIC MAC address which they use for sending network data to each other.
But the ARP protocol provides no protection
against misuse. An attacking computer on the same LAN can simply send spoofed ARP Replies to any other computers, telling them that its MAC address should receive the traffic bound for other IP addresses.
This "ARP Cache Poisoning" can be used to
redirect traffic throughout the LAN, allowing any malicious computer to insert itself into the communications stream between any other computers for the purpose of monitoring and even alter the data flowing across the LAN.