Because host C knows the true MAC addresses associated with the host A and host B IP addresses, host C can forward the intercepted traffic to those hosts by using the correct MAC address as the destination. By poisoning the ARP caches of host A and host B, host C intercepts traffic intended for them. Hosts with poisoned ARP caches use the MAC address C.C.C.C as the destination MAC address for traffic intended for 10.1.1.2 or 10.1.1.1. Host C can poison the ARP caches of host A and host B by broadcasting forged ARP responses with bindings for a host with an IP address of 10.1.1.2 (or 10.1.1.1) and a MAC address ofĬ.C.C.C. When host B responds, host A populates its ARP cache with a binding for a host with IP address 10.1.1.1 and MAC address When host B receives the ARP request, it populates its ARP cache with an ARP binding for a host with the IP address 10.1.1.2 and MAC address A.A.A.A. When host A needs to communicate to host B at the IP layer, host A broadcasts an ARP request for the MAC address associated with IP address 10.1.1.1. In this example, host A uses IP address 10.1.1.2 and MAC address A.A.A.A. Their IP and MAC addresses are also shown. The figure shows that hosts A, B, and C are connected to the switch on interfaces A, B, and C, all of which are on the same subnet. The figure shows an example of ARP cache poisoning. An ARP spoofing attack can target hosts, switches, and routers connected to your Layer 2 network by poisoning the ARP caches of systems connected to the subnet and by intercepting traffic intended for other hosts on the subnet. After the attack, all traffic from the device under attack flows through the attacker computer and then to the router, switch, or host. Subsequent gratuitous ARP replies overwrite legitimate repliesĪRP spoofing attacks, or ARP cache poisoning, occurs when ARP allows a gratuitous reply from a host even if an ARP request is not received.