ARP poisoning is a cyberattack in which an attacker sends falsified Address Resolution Protocol (ARP) messages on a local network to associate their MAC address with another device’s IP address.
Because ARP lacks built-in authentication, devices may accept spoofed ARP messages and update their ARP cache with incorrect IP-to-MAC mappings. Attackers can exploit this behavior to intercept, relay, modify, or disrupt local network traffic.
ARP poisoning attacks typically occur on local area networks (LANs), including wired networks and shared Wi-Fi environments.
To perform the attack, an adversary generally needs access to the same local network segment as the targeted devices.
A typical attack may involve the following steps:
| Attack Type | Attacker Goal | Potential Impact |
| --- | --- | --- |
| Man-in-the-Middle (MitM) | Intercepting or relaying local traffic | Exposure of unencrypted credentials or communications |
| Denial-of-Service (DoS) | Associating an IP with an invalid MAC address | Local connectivity disruption |
| Session Hijacking | Attempting to capture session tokens | Unauthorized access if session protections are weak |
Organizations often combine Layer 2 protections, encrypted protocols, and endpoint controls to reduce ARP poisoning risk.
Configuring supported switches to validate ARP packets against trusted IP-to-MAC bindings and discard invalid ARP traffic.
Using manually configured ARP mappings for selected critical systems where appropriate.
Using HTTPS, SSH, and VPNs to help protect intercepted traffic content when encryption is properly configured and validated.
Using switch-level protections such as DHCP snooping, IP Source Guard, ARP ACLs, and anti-spoofing controls.
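The binding validation described above (checking ARP packets against trusted IP-to-MAC bindings and discarding invalid ones) can be sketched in Python as an added example; it is not code from this page or from any switch vendor. The names `parse_arp`, `inspect` and `TRUSTED_BINDINGS`, and all addresses and packets, are assumptions constructed for illustration.

```python
import socket
import struct

# Trusted IP-to-MAC bindings (constructed sample values; in practice these
# come from a DHCP snooping table or static configuration).
TRUSTED_BINDINGS = {
    "192.0.2.1": "00:00:5e:00:53:01",   # gateway
    "192.0.2.10": "00:00:5e:00:53:0a",  # workstation
}

# Constructed 28-byte ARP payloads (hex), not captured traffic.
LEGIT_REPLY = bytes.fromhex(
    "0001080006040002" "00005e005301" "c0000201" "00005e00530a" "c000020a")
SPOOFED_REPLY = bytes.fromhex(  # gateway IP claimed by an unknown MAC
    "0001080006040002" "00005e0053ff" "c0000201" "00005e00530a" "c000020a")
ARP_PROBE = bytes.fromhex(      # RFC 5227 probe: sender IP is 0.0.0.0
    "0001080006040001" "00005e005320" "00000000" "000000000000" "c0000214")


def parse_arp(payload: bytes) -> dict:
    """Parse an Ethernet/IPv4 ARP payload (RFC 826 layout, 28 bytes)."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {
        "op": op,  # 1 = request, 2 = reply
        "sender_mac": payload[8:14].hex(":"),
        "sender_ip": socket.inet_ntoa(payload[14:18]),
        "target_ip": socket.inet_ntoa(payload[24:28]),
    }


def inspect(payload: bytes, bindings=TRUSTED_BINDINGS) -> str:
    """Return 'forward' or a 'drop: ...' verdict for one ARP packet."""
    try:
        arp = parse_arp(payload)
    except ValueError as exc:
        return f"drop: malformed ({exc})"
    if arp["op"] == 1 and arp["sender_ip"] == "0.0.0.0":
        return "forward"  # address probe: asserts no IP-to-MAC mapping
    expected = bindings.get(arp["sender_ip"])
    if expected is None:
        return "drop: no trusted binding for sender IP"
    if expected != arp["sender_mac"]:
        return (f"drop: {arp['sender_ip']} claimed by {arp['sender_mac']}, "
                f"expected {expected}")
    return "forward"
```

The probe case matters in practice: a strict binding check that ignores it would drop the address-conflict probes hosts send before they have an IP address.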
ARP poisoning can expose organizations to credential theft, traffic interception, session hijacking, and network disruption on local networks.
Because these attacks occur at the local network level, organizations often combine secure network design, encryption, segmentation, monitoring, and endpoint security controls to reduce exposure.
Hexnode UEM supports device compliance policies, compliance reporting, restrictions, app management, VPN configuration, and supported Conditional Access integrations across managed devices. Organizations can use Hexnode to configure VPN settings, manage endpoint policies, apply restrictions, and support broader endpoint security and compliance strategies.
These attacks use legitimate ARP protocol behavior and local network communication, making them harder to detect without network monitoring or Layer 2 security controls.
Yes. Attackers can disrupt local connectivity by poisoning ARP caches with invalid or unreachable MAC address mappings.
No. HTTPS does not prevent ARP poisoning itself, but properly configured encryption helps protect the contents of intercepted traffic.