| 🏠 Back to Exam Syllabus | 📺 RooCloud on YouTube | 🌐 RooCloud Practice Exams |
CISSP 11.8 - ARP Concerns
This episode of the ISC2 Certified Information Systems Security Professional (CISSP) exam prep series examines a small Domain 4 protocol with an outsized security impact. Because it operates on your local segment with no built-in authentication, it is a favorite for interception on the inside, and understanding how the attack works is the first step to catching it.
What this episode covers
- What ARP does — resolves an IP address into a local hardware address by checking a cache and broadcasting when the mapping is missing.
- Cache poisoning — falsified replies map a victim’s IP to the attacker’s hardware address, so traffic flows to the attacker.
- The gratuitous variety — unsolicited replies announce a mapping with no query, useful for failover but abused to poison caches.
- Static entries as weapon and shield — a script can plant malicious entries, yet a fixed mapping also resists overwriting.
- The cost of static entries — they remove needed flexibility and vanish on reboot, so a script must rebuild them.
- The strongest defense — switch port security blocks rogue devices, backed by host firewalls, intrusion prevention, and endpoint tools.
Watch the full episode above for the worked examples and detailed explanations of each concept.
Frequently Asked Questions
What does the address resolution protocol actually do?
It bridges logical and physical addressing, resolving an IP address into the hardware address that traffic on a local segment uses to reach a machine. It works by caching and broadcasting. A device first checks its local cache for the mapping, and if it is missing, the device broadcasts a request and the owner of that address answers with its hardware address, which then gets cached.
How is its cache poisoned?
By an attacker sending falsified replies. Because a device updates its cache with whatever reply it receives, an attacker can answer with a lie that maps a victim’s IP address to the attacker’s own hardware address, so traffic flows to the attacker instead of the real destination. A poisoned entry lingers until it times out, usually within a few minutes, and each new broadcast gives the attacker a fresh chance to lie.
What is the unsolicited variety of this attack?
It is the gratuitous reply, sent with no request behind it. Normally a reply answers a query, but a device can also announce its mapping unprompted, which has legitimate uses such as announcing presence or supporting reliable failover between redundant devices. An attacker abuses it by broadcasting false unsolicited mappings to poison caches without waiting to be asked.
Can static entries be both a weapon and a shield?
Yes. A third form of poisoning creates static entries locally, easily done through a malicious script on the client, though such entries do not survive a reboot. You can also flip static entries into a defense, because a manually fixed mapping will not be overwritten by any incoming reply. The catch is that static entries remove needed flexibility and vanish on reboot, so you would need a script to rebuild them each time.
What is the strongest defense?
Controlling the switch. The best protection is port security on the switch, which can block communication from unknown or rogue devices and detect a system that is answering every request. Beyond that, a host-based firewall, a host intrusion detection and prevention system, or dedicated endpoint tools can block unrequested replies and announcements. Lock the switch ports first, then add host-level detection so a lie on the wire gets caught even if it slips past.
📚 Master the ISC2 CISSP Exam!
Ready to test your knowledge? Access chapter-specific Multiple Choice Questions (MCQs) and full-length practice exams for the ISC2 CISSP certification at RooCloud.com. Solve the chapter-wise questions to reinforce this lesson before moving to the next episode.
Reference: This article is based on concepts discussed in CISSP 11.8 - ARP Concerns.