ARP: The Protocol Being Exploited
ARP (Address Resolution Protocol) translates IP addresses to MAC addresses on a local network. When device A wants to send a packet to 192.168.1.10, it broadcasts "Who has 192.168.1.10?" — the device with that IP replies with its MAC address. Device A caches this mapping in its ARP table for a few minutes, then uses it to address Layer 2 frames directly.
The critical weakness is that ARP has no authentication. Any device can send an ARP reply for any IP at any time, even without having received a request, and devices accept and cache such unsolicited replies (gratuitous ARP) without any check that the sender actually owns the address. This is the attack surface.
How ARP Poisoning Works
- Attacker joins the local network (same Wi-Fi or Ethernet segment as targets).
- Attacker sends gratuitous ARP replies to the victim device: "192.168.1.1 (the router) is at MAC AA:BB:CC:DD:EE:FF" — the attacker's MAC.
- Simultaneously, the attacker sends a poisoned ARP reply to the router: "192.168.1.50 (the victim) is at MAC AA:BB:CC:DD:EE:FF."
- Both caches are now poisoned: the victim sends all its traffic to the attacker, believing it is the router, and the router sends traffic destined for the victim to the attacker.
- Attacker forwards traffic to the real destination after inspection (MITM) or drops it (denial of service).
The attacker must continuously retransmit poisoned ARP packets, since ARP caches expire (typically every few minutes). Tools like Ettercap, arpspoof, and Bettercap automate this.
What Attackers Can Do with MITM Position
- Passive interception: Read unencrypted HTTP traffic, credentials, session cookies.
- SSL stripping: Downgrade HTTPS to HTTP on sites that don't enforce HSTS, capturing credentials.
- Traffic injection: Inject malicious content into unencrypted responses.
- Credential capture: Log credentials sent over plaintext protocols such as FTP, Telnet, POP3 and IMAP without TLS.
- Session hijacking: Steal session cookies from unencrypted or weakly secured applications.
Defenses Against ARP Poisoning
Dynamic ARP Inspection (DAI) is the most effective defense. DAI is a managed switch feature that validates ARP packets against a trusted DHCP snooping binding table — only ARP replies matching the known IP-to-MAC mapping from DHCP leases are forwarded. Spoofed gratuitous ARPs are dropped. DAI is standard on enterprise switches but absent from most consumer routers.
Other mitigations:
- Static ARP entries for critical devices (router, NAS) cannot be overwritten by received ARP replies. They require manual management.
- Use HTTPS everywhere — HSTS prevents SSL stripping on sites that enforce it, limiting what intercepted traffic reveals.
- Network segmentation: Devices on separate VLANs or subnets cannot ARP poison each other — they operate in different broadcast domains.
- Guest network isolation: Isolate untrusted devices so they cannot reach the same Layer 2 segment as trusted devices.
- ARP monitoring: Tools like arpwatch alert when an IP-to-MAC mapping changes unexpectedly.
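Both Dynamic ARP Inspection and ARP monitoring come down to the same operation: take the IP-to-MAC pair a received ARP reply asks hosts to cache and compare it with something trusted. The script below is an added example, not code from this article, from any switch vendor, or from arpwatch. It decodes constructed ARP reply frames that follow the attack sequence above, applies a DAI-style check against a constructed DHCP snooping binding table, and runs an arpwatch-style change detector over the same frames. The router and victim MAC addresses, the binding table and the frames themselves are invented for the example; the attacker MAC is the one used in the text.

```python
# Added example, not code from the article: decode raw ARP frames, apply the
# DHCP-snooping binding check that Dynamic ARP Inspection performs, and report
# IP-to-MAC changes the way an arpwatch-style monitor does. All frames,
# addresses and bindings are constructed sample data.
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ETHERTYPE_ARP, ARP_REPLY = 0x0806, 2


@dataclass(frozen=True)
class ArpPacket:
    opcode: int      # 1 = request, 2 = reply
    sender_mac: str  # SHA/SPA: the mapping receivers are asked to cache
    sender_ip: str
    target_mac: str  # THA/TPA
    target_ip: str


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_arp_frame(frame: bytes) -> ArpPacket:
    """Decode a 42-byte Ethernet II frame carrying IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported hardware/protocol address types")
    return ArpPacket(opcode, _mac(frame[22:28]), _ip(frame[28:32]),
                     _mac(frame[32:38]), _ip(frame[38:42]))


# Constructed frames. Router 192.168.1.1 is 00:11:22:33:44:01 and victim
# 192.168.1.50 is 00:11:22:33:44:50 (both invented); attacker is aa:bb:cc:dd:ee:ff.
LEGIT_ROUTER_REPLY = bytes.fromhex(
    "001122334450"             # Ethernet dst: victim
    "001122334401"             # Ethernet src: router
    "0806"                     # EtherType: ARP
    "0001" "0800" "06" "04"    # htype Ethernet, ptype IPv4, hlen 6, plen 4
    "0002"                     # opcode: reply
    "001122334401" "c0a80101"  # sender MAC / IP: router, 192.168.1.1
    "001122334450" "c0a80132"  # target MAC / IP: victim, 192.168.1.50
)
LEGIT_VICTIM_REPLY = bytes.fromhex(    # victim answering the router
    "001122334401" "001122334450" "0806" "0001" "0800" "06" "04" "0002"
    "001122334450" "c0a80132" "001122334401" "c0a80101")
SPOOFED_ROUTER_REPLY = bytes.fromhex(  # "192.168.1.1 is at aa:bb:..." sent to victim
    "001122334450" "aabbccddeeff" "0806" "0001" "0800" "06" "04" "0002"
    "aabbccddeeff" "c0a80101" "001122334450" "c0a80132")
SPOOFED_VICTIM_REPLY = bytes.fromhex(  # "192.168.1.50 is at aa:bb:..." sent to router
    "001122334401" "aabbccddeeff" "0806" "0001" "0800" "06" "04" "0002"
    "aabbccddeeff" "c0a80132" "001122334401" "c0a80101")
SAMPLE_FRAMES = [LEGIT_ROUTER_REPLY, LEGIT_VICTIM_REPLY,
                 SPOOFED_ROUTER_REPLY, SPOOFED_VICTIM_REPLY]

# What a switch's DHCP snooping binding table would hold (constructed); the
# router entry stands in for the static binding an admin adds for a trusted host.
BINDING_TABLE: Dict[str, str] = {
    "192.168.1.1": "00:11:22:33:44:01",
    "192.168.1.50": "00:11:22:33:44:50",
}


def dai_verdict(pkt: ArpPacket, bindings: Dict[str, str]) -> Tuple[bool, str]:
    """Core DAI check: the ARP sender IP/MAC pair must match a binding learned
    from DHCP or configured statically; anything else is dropped at the port."""
    expected = bindings.get(pkt.sender_ip)
    if expected is None:
        return False, f"drop: no binding for {pkt.sender_ip}"
    if expected != pkt.sender_mac:
        return False, f"drop: {pkt.sender_ip} is bound to {expected}, claimed by {pkt.sender_mac}"
    return True, "forward"


class ArpMonitor:
    """Passive arpwatch-style tracker: remember the MAC last seen per IP, alert on change."""
    def __init__(self) -> None:
        self.seen: Dict[str, str] = {}

    def observe(self, pkt: ArpPacket) -> Optional[str]:
        previous = self.seen.get(pkt.sender_ip)
        self.seen[pkt.sender_ip] = pkt.sender_mac
        if previous is not None and previous != pkt.sender_mac:
            return f"changed ethernet address: {pkt.sender_ip} {previous} -> {pkt.sender_mac}"
        return None


def run_example() -> List[Tuple[str, str, bool, Optional[str]]]:
    """Run each sample frame through both defenses; one
    (sender_ip, sender_mac, forwarded_by_dai, monitor_alert) tuple per frame."""
    monitor = ArpMonitor()
    results = []
    for frame in SAMPLE_FRAMES:
        pkt = parse_arp_frame(frame)
        forwarded, reason = dai_verdict(pkt, BINDING_TABLE)
        alert = monitor.observe(pkt)  # a span/monitor port sees every frame, dropped or not
        print(f"{pkt.sender_ip:13} {pkt.sender_mac}  DAI -> {reason}  monitor -> {alert or 'ok'}")
        results.append((pkt.sender_ip, pkt.sender_mac, forwarded, alert))
    return results
```

Calling run_example() prints one line per frame: the two legitimate replies are forwarded and raise no alert, while each spoofed reply is dropped by the binding check and produces a "changed ethernet address" alert from the monitor. The monitor only sees the spoofed frames because it watches the raw segment; on a network without DAI (a typical home router, as the next section notes) that alert is the only signal a defender gets, and it arrives after the caches have already been poisoned.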
Home Network Exposure
Consumer routers almost never implement DAI. An attacker who joins your Wi-Fi can ARP poison every other device on the network. The practical defense at home is preventing unauthorized network access (strong WPA2/WPA3, disable WPS), isolating IoT and guest devices on separate SSIDs with client isolation enabled, and relying on HTTPS/TLS for sensitive traffic.
Frequently Asked Questions
Does HTTPS protect against ARP poisoning?
Partially. HTTPS encrypts traffic, so intercepted content is unreadable to the attacker. However, ARP poisoning combined with SSL stripping (or with a forged certificate, if the victim clicks through browser warnings) can still expose data. HTTPS protects payload confidentiality; it does not prevent the interception itself.
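Whether SSL stripping works against a site is decided by the Strict-Transport-Security header the site sends: a browser that has cached a valid policy refuses the plain http:// connection the stripping attack depends on. The following Python is an added example, not code from the article; it parses a header value into its directives and reports whether a returning visitor is protected, which is the check a defender runs when auditing their own sites. All header values are constructed, and the one-year threshold is the commonly recommended minimum, not a requirement of the protocol.

```python
# Added example, not from the article: parse a Strict-Transport-Security
# header and decide whether it would stop an SSL-stripping downgrade for a
# browser that has already cached the site's policy. Values are constructed.
from typing import Dict, Optional, Tuple

ONE_YEAR = 31536000  # commonly recommended minimum max-age (assumption, not protocol rule)


def parse_hsts(header: Optional[str]) -> Optional[Dict[str, Optional[str]]]:
    """Split an HSTS value into lower-cased directives: ';'-separated,
    names case-insensitive, values optional and possibly quoted."""
    if header is None:
        return None
    directives: Dict[str, Optional[str]] = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') if sep else None
    return directives


def hsts_verdict(header: Optional[str]) -> Tuple[bool, str]:
    """True when a returning visitor's browser will refuse plain http:// for
    the host, which is what defeats SSL stripping once the policy is cached."""
    d = parse_hsts(header)
    if d is None:
        return False, "no HSTS header: a stripped http:// session is accepted"
    if d.get("max-age") is None:
        return False, "max-age missing: browsers ignore the header"
    try:
        age = int(d["max-age"])
    except ValueError:
        return False, "max-age not an integer: header is invalid"
    if age <= 0:
        return False, "max-age of 0 or less: any cached policy is cleared"
    notes = [f"enforced for {age}s"]
    if age < ONE_YEAR:
        notes.append("short max-age, policy lapses between visits")
    notes.append("subdomains covered" if "includesubdomains" in d
                 else "subdomains not covered")
    notes.append("preload directive present" if "preload" in d
                 else "no preload directive, first visit still unprotected")
    return True, "; ".join(notes)
```

The first-visit caveat is the important one: a policy only exists in the browser after one successful HTTPS response carrying the header, so a victim who has never visited the site (or whose policy has expired) gets no protection from the header alone; only inclusion in the browser preload list closes that gap.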
Can ARP poisoning work on modern home networks?
Yes, if the attacker is on the same local network. Consumer routers don't implement DAI. An attacker who has joined your Wi-Fi can ARP poison other devices on the same subnet. Strong Wi-Fi passwords and guest network isolation (which prevents devices from reaching the same broadcast domain) are the primary home defenses.