🏠 Back to Exam Syllabus 📺 RooCloud on YouTube 🌐 RooCloud Practice Exams

CISSP 11.8 - ARP Concerns

This episode of the ISC2 Certified Information Systems Security Professional (CISSP) exam prep series examines a small Domain 4 protocol with an outsized security impact. Because it operates on your local segment with no built-in authentication, it is a favorite for interception on the inside, and understanding how the attack works is the first step to catching it.

What this episode covers

Watch the full episode above for the worked examples and detailed explanations of each concept.

Frequently Asked Questions

What does the address resolution protocol actually do?

It bridges logical and physical addressing, resolving an IP address into the hardware address that traffic on a local segment uses to reach a machine. It works by caching and broadcasting. A device first checks its local cache for the mapping, and if it is missing, the device broadcasts a request and the owner of that address answers with its hardware address, which then gets cached.

How is its cache poisoned?

By an attacker sending falsified replies. Because a device updates its cache with whatever reply it receives, an attacker can answer with a lie that maps a victim’s IP address to the attacker’s own hardware address, so traffic flows to the attacker instead of the real destination. A poisoned entry lingers until it times out, usually within a few minutes, and each new broadcast gives the attacker a fresh chance to lie.

What is the unsolicited variety of this attack?

It is the gratuitous reply, sent with no request behind it. Normally a reply answers a query, but a device can also announce its mapping unprompted, which has legitimate uses such as announcing presence or supporting reliable failover between redundant devices. An attacker abuses it by broadcasting false unsolicited mappings to poison caches without waiting to be asked.

Can static entries be both a weapon and a shield?

Yes. A third form of poisoning creates static entries locally, easily done through a malicious script on the client, though such entries do not survive a reboot. You can also flip static entries into a defense, because a manually fixed mapping will not be overwritten by any incoming reply. The catch is that static entries remove needed flexibility and vanish on reboot, so you would need a script to rebuild them each time.

What is the strongest defense?

Controlling the switch. The best protection is port security on the switch, which can block communication from unknown or rogue devices and detect a system that is answering every request. Beyond that, a host-based firewall, a host intrusion detection and prevention system, or dedicated endpoint tools can block unrequested replies and announcements. Lock the switch ports first, then add host-level detection so a lie on the wire gets caught even if it slips past.

📚 Master the ISC2 CISSP Exam!

Ready to test your knowledge? Access chapter-specific Multiple Choice Questions (MCQs) and full-length practice exams for the ISC2 CISSP certification at RooCloud.com. Solve the chapter-wise questions to reinforce this lesson before moving to the next episode.


Reference: This article is based on concepts discussed in CISSP 11.8 - ARP Concerns.