ARP Poisoning
ARP poisoning is an attack technique that exploits vulnerabilities in the Address Resolution Protocol (ARP) to disrupt or redirect network traffic within local area networks (LANs). In this attack, a threat actor sends forged ARP messages onto the network that falsely link the attacker's MAC (Media Access Control) address with the IP address of a legitimate device, such as a router or server. When other network devices receive these spoofed ARP replies, they update their ARP caches accordingly, so traffic meant for the legitimate device is routed through the attacker's machine without the senders' knowledge.
This attack enables various malicious activities, most notably man-in-the-middle (MitM) attacks, in which attackers can eavesdrop on communications, modify data in transit, steal credentials, or perform session hijacking. ARP poisoning is particularly effective because ARP is inherently stateless and lacks built-in authentication: devices automatically trust incoming ARP replies without verification. To defend against this threat, organizations implement countermeasures such as static ARP entries, Dynamic ARP Inspection (DAI), network segmentation, and encrypted communication protocols.
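The check that ARP itself omits can be sketched as a detector that parses ARP payloads and compares each sender IP-to-MAC claim with a trusted binding table, the idea behind static entries and DAI. This is an added example, not code from the original page; the function names, the `TRUSTED` table and the sample packets are constructed assumptions.

```python
import struct
from ipaddress import IPv4Address

# Trusted IP-to-MAC bindings (constructed; DAI takes these from DHCP snooping or static entries).
TRUSTED = {"192.0.2.1": "00:00:5e:00:53:01"}
ARP_FMT = "!HHBBH6s4s6s4s"  # RFC 826 layout for Ethernet/IPv4, 28 bytes

def parse_arp(payload):
    """Return (opcode, sender_mac, sender_ip); raise ValueError if not Ethernet/IPv4 ARP."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, oper, sha, spa, _tha, _tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return oper, sha.hex(":"), str(IPv4Address(spa))

def inspect(payloads, trusted=TRUSTED):
    """Flag sender claims that contradict a trusted binding or an earlier observation."""
    seen, alerts = {}, []
    for i, p in enumerate(payloads):
        try:
            _oper, mac, ip = parse_arp(p)
        except ValueError as e:
            alerts.append((i, "malformed", str(e)))
            continue
        if ip in trusted and mac != trusted[ip]:
            alerts.append((i, "binding-violation", f"{ip} claimed by {mac}, expected {trusted[ip]}"))
        elif ip in seen and seen[ip] != mac:
            alerts.append((i, "binding-changed", f"{ip} moved from {seen[ip]} to {mac}"))
        seen.setdefault(ip, mac)  # keep the first binding seen so later changes keep alerting
    return alerts

def build(oper, sha, spa, tha="00:00:00:00:00:00", tpa="192.0.2.10"):
    """Build a constructed ARP payload for the sample data below (nothing is sent)."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, m(sha),
                       IPv4Address(spa).packed, m(tha), IPv4Address(tpa).packed)

SAMPLE = [  # constructed traffic: documentation IPs (RFC 5737) and MACs (RFC 7042)
    build(2, "00:00:5e:00:53:01", "192.0.2.1"),   # gateway's genuine reply
    build(2, "00:00:5e:00:53:20", "192.0.2.20"),  # ordinary host
    build(2, "00:00:5e:00:53:66", "192.0.2.1"),   # gateway IP claimed by another MAC
    build(2, "00:00:5e:00:53:66", "192.0.2.20"),  # host IP re-bound to that same MAC
]

if __name__ == "__main__":
    for alert in inspect(SAMPLE):
        print(alert)
```

A binding change for an address outside the trusted table can be legitimate (a replaced NIC, a DHCP lease handed to a new host), so that alert is a prompt to investigate; a contradiction of a trusted binding is the stronger signal.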