What Is ARP Spoofing?
ARP Spoofing — an attack that sends forged ARP messages on a LAN to associate the attacker's MAC with another device's IP — redirecting that device's traffic through the attacker.
How it works
Because ARP has no authentication, an attacker can broadcast fake ARP replies claiming "the gateway's IP is at MY MAC address". Victims update their ARP caches and start sending traffic meant for the gateway to the attacker instead — enabling interception (a man-in-the-middle attack) or denial of service.
Why it matters
ARP spoofing is a classic LAN attack and the mechanism behind many MITM attacks. The defence, Dynamic ARP Inspection (validating ARP against the DHCP snooping table), is exactly why those switch security features exist — connecting attack and defence is core CyberOps understanding. See how ARP works.
Frequently asked questions
What is ARP spoofing?
An attack sending forged ARP replies to link the attacker's MAC with another device's IP, redirecting that device's traffic through the attacker.
Why is ARP vulnerable to spoofing?
ARP has no authentication — devices accept ARP replies without verifying them, so forged replies readily poison ARP caches.
How is ARP spoofing prevented?
Dynamic ARP Inspection (DAI) on switches validates ARP messages against the DHCP snooping binding table, dropping forged ones.
Related articles
Want hands-on training?
Learn this on real Cisco lab devices with placement support at Attila Technologies, Ahmedabad.