In normal ARP operation, a host sends a broadcast to determine the MAC
address of a host with a particular IP address. The device at that IP address
replies with its MAC address. The originating host caches the ARP response,
using it to populate the destination Layer 2 header of packets sent to that IP
address. By spoofing an ARP reply from a legitimate device, an attacking device
appears to be the destination host sought by the senders. The ARP reply from
the attacker causes the sender to store the MAC address of the attacking
system in the ARP cache. All packets destined for those IP addresses will be
forwarded through the attacker system.
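A passive check for the forged reply described above, written from the monitoring side. This is an added example, not part of the original page: the `ArpMonitor` class, the helper names, and the addresses are assumptions, and the three packets are constructed sample traffic. It flags replies that answer no observed request and IP addresses claimed by a second MAC address.

```python
import socket
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"  # Ethernet/IPv4 ARP payload, 28 bytes (RFC 826)

def build_arp(oper, sha, spa, tha, tpa):  # builds constructed sample packets
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, mac(sha),
                       socket.inet_aton(spa), mac(tha), socket.inet_aton(tpa))

def parse_arp(payload):
    """Return (opcode, sender MAC, sender IP, target IP)."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, oper, sha, spa, _tha, tpa = struct.unpack(
        ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return oper, sha.hex(":"), socket.inet_ntoa(spa), socket.inet_ntoa(tpa)

class ArpMonitor:
    def __init__(self):
        self.bindings = {}    # IP -> first MAC seen claiming it
        self.pending = set()  # (requester IP, requested IP) awaiting a reply

    def observe(self, payload):
        oper, mac, sender_ip, target_ip = parse_arp(payload)
        alerts = []
        if oper == ARP_REPLY:
            if (target_ip, sender_ip) not in self.pending:
                alerts.append(f"unsolicited reply for {sender_ip} from {mac}")
            self.pending.discard((target_ip, sender_ip))
        elif oper == ARP_REQUEST:
            self.pending.add((sender_ip, target_ip))
        known = self.bindings.setdefault(sender_ip, mac)
        if known != mac:  # same IP now claimed by a different MAC
            alerts.append(f"{sender_ip} changed from {known} to {mac}")
        return alerts

def run_sample():
    """Constructed traffic: a request, the genuine reply, then a forged reply."""
    host, gw, rogue = "02:00:00:00:00:0a", "02:00:00:00:00:01", "02:00:00:00:00:66"
    packets = [
        build_arp(ARP_REQUEST, host, "192.0.2.10", "00:00:00:00:00:00", "192.0.2.1"),
        build_arp(ARP_REPLY, gw, "192.0.2.1", host, "192.0.2.10"),
        build_arp(ARP_REPLY, rogue, "192.0.2.1", host, "192.0.2.10"),
    ]
    monitor = ArpMonitor()
    return [monitor.observe(p) for p in packets]
```

The monitor keeps the first binding it saw rather than overwriting it, so repeated forged replies keep alerting instead of becoming the new baseline.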
The sequence of events shown in the figure outlines an ARP spoofing attack.