The Address Resolution Protocol (ARP) maps IP addresses to MAC addresses. ARP replies are not verified in any way. If I tell your computer "I am the Router", your computer will believe me. This is ARP Poisoning.
1. The Attack Flow
- Victim MAC: AA:AA (192.168.1.10)
- Router MAC: BB:BB (192.168.1.1)
- Attacker MAC: CC:CC (192.168.1.bad)
The attacker sends an ARP Reply to the Victim: "The Router (192.168.1.1) is at CC:CC".
The Victim updates its ARP table. Now, every packet meant for the internet goes to the Attacker first. The Attacker reads/modifies the packet and forwards it to the real Router.
2. Defenses
- Dynamic ARP Inspection (DAI): Enterprise switches verify ARP packets against the DHCP lease database. If they don't match, the port is blocked.
- Static ARP Entries: Hardcoding the MAC address of the gateway (not scalable).
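
The check that Dynamic ARP Inspection performs can be sketched in a few lines. This is an added example, not code from a switch vendor or from the original page: it parses the 28-byte ARP body and compares the sender's IP/MAC pair against a binding table. The full MAC addresses, the `BINDINGS` table, and the function names `build_arp` and `inspect` are constructed for illustration.

```python
import socket
import struct

ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa

# Constructed binding table standing in for the DHCP lease database (IP -> MAC).
BINDINGS = {
    "192.168.1.1": "bb:bb:bb:bb:bb:bb",   # router
    "192.168.1.10": "aa:aa:aa:aa:aa:aa",  # victim
}

def build_arp(oper, sender_mac, sender_ip, target_mac, target_ip):
    """Build a 28-byte Ethernet/IPv4 ARP body (used only to make sample input)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                       mac(sender_mac), socket.inet_aton(sender_ip),
                       mac(target_mac), socket.inet_aton(target_ip))

def inspect(payload, bindings=BINDINGS):
    """Return (verdict, reason) for one ARP body, as a DAI-style check would."""
    if len(payload) < 28:
        return "drop", "truncated ARP body"
    htype, ptype, hlen, plen, oper, sha, spa, _tha, _tpa = struct.unpack(
        ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or oper not in (1, 2):
        return "drop", "not an Ethernet/IPv4 ARP request or reply"
    sender_ip = socket.inet_ntoa(spa)
    sender_mac = ":".join(f"{b:02x}" for b in sha)
    bound = bindings.get(sender_ip)
    if bound is None:
        return "drop", f"no binding for {sender_ip}"
    if bound != sender_mac:
        return "drop", f"{sender_ip} is bound to {bound}, packet claims {sender_mac}"
    return "forward", "sender IP/MAC matches binding"

# Constructed samples: a genuine router reply and the forged reply from the attack flow.
GENUINE = build_arp(2, "bb:bb:bb:bb:bb:bb", "192.168.1.1",
                    "aa:aa:aa:aa:aa:aa", "192.168.1.10")
FORGED = build_arp(2, "cc:cc:cc:cc:cc:cc", "192.168.1.1",
                   "aa:aa:aa:aa:aa:aa", "192.168.1.10")

if __name__ == "__main__":
    for name, pkt in (("genuine", GENUINE), ("forged", FORGED)):
        print(name, *inspect(pkt))
```

The forged reply is dropped because the claimed mapping for 192.168.1.1 disagrees with the binding, which is exactly the mismatch the Victim's own ARP table has no way to notice.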