What is ARP Spoofing?
ARP Spoofing is an attack technique in which an attacker sends forged ARP messages to bind their MAC address to the IP address of another device. This allows network traffic to be intercepted, redirected or manipulated.
In OT networks, ARP Spoofing can result in the takeover of communication between, for example, a PLC and a SCADA system — without the operator noticing.
🧠 How does ARP (Address Resolution Protocol) work?
- ARP translates IP addresses into MAC addresses (Layer 3 to Layer 2)
- Each device builds an ARP cache of IP→MAC mappings
- These tables are trust-based and can easily be overwritten
🎯 What is ARP Spoofing?
In ARP Spoofing, an attacker impersonates another device on the network:
- The attacker sends an ARP reply to a victim with:
  - “PLC’s IP = my MAC”
- The victim now sends its traffic to the attacker
- The attacker performs a Man-In-The-Middle attack or disrupts traffic
⚠️ Consequences in OT environments
| Impact | Description |
|---|---|
| Loss of trust | Sensor or PLC data can be manipulated |
| Process interruption | Traffic can be interrupted or delayed |
| Invisible access | Attackers can eavesdrop without leaving traces |
| Disruption of alarms/logs | The Historian or SCADA receives faulty data |
| Risk of escalation | The attacker may gain access to management functions |
🔍 How do you spot ARP Spoofing?
| Detection method | Description |
|---|---|
| Dynamic ARP Inspection (DAI) | Blocks unwanted ARP replies based on DHCP Snooping |
| Comparing ARP tables | Detecting duplicate IP/MAC combinations |
| IDS or SIEM | Recognising anomalous ARP traffic or repeated ARP messages |
| Network monitoring with Wireshark | Visualising ARP floods or manipulation attempts |
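The "comparing ARP tables" and "repeated ARP messages" rows above can be turned into a small monitor. The script below is an added example, not code from the original article: it decodes raw ARP frames (the Ethernet II header followed by the ARP fields described in the ARP section), keeps a first-seen IP-to-MAC baseline the way a victim's cache would, and raises an alert when an already-learned IP is claimed by a different MAC, when one MAC starts claiming several IPs, or when the Ethernet source MAC and the ARP sender MAC disagree. The device names, addresses and the replayed frames are all constructed for the demonstration; nothing is sent on the wire.

```python
"""Added example: parse ARP frames and flag conflicting IP/MAC claims.

Not code from the original article. All addresses and frames below are
constructed for the demonstration; nothing is sent on the wire.
"""
import struct
from collections import defaultdict

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def ip_bytes(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))


def parse_arp(frame: bytes) -> dict:
    """Decode Ethernet II (14 bytes) + ARP for IPv4 over Ethernet (28 bytes)."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    _eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return {"eth_src": mac_str(eth_src), "oper": oper,
            "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}


def build_arp(eth_src, oper, sha, spa, tha, tpa, eth_dst="ff:ff:ff:ff:ff:ff") -> bytes:
    """Build a frame for the constructed test traffic (inverse of parse_arp)."""
    return (mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", ETHERTYPE_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
            + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa))


class ArpMonitor:
    """Keeps a first-seen IP->MAC baseline and reports deviations from it."""

    def __init__(self):
        self.ip_to_mac = {}                 # baseline, deliberately not overwritten on conflict
        self.mac_to_ips = defaultdict(set)
        self.alerts = []

    def observe(self, frame: bytes) -> dict:
        arp = parse_arp(frame)
        ip, mac = arp["spa"], arp["sha"]
        # Ethernet source and ARP sender MAC normally agree; a mismatch is worth a look.
        if arp["eth_src"] != mac:
            self.alerts.append(("ETH_ARP_MAC_MISMATCH", ip, arp["eth_src"], mac))
        if ip == "0.0.0.0":                 # ARP probe (duplicate-address check): no mapping claimed
            return arp
        known = self.ip_to_mac.get(ip)
        if known is None:
            self.ip_to_mac[ip] = mac        # learn, as the victim's cache would
        elif known != mac:
            self.alerts.append(("IP_MAC_CHANGED", ip, known, mac))
        before = len(self.mac_to_ips[mac])
        self.mac_to_ips[mac].add(ip)
        # Routers doing proxy ARP legitimately answer for several IPs, so treat this as a hint.
        if len(self.mac_to_ips[mac]) > 1 and len(self.mac_to_ips[mac]) > before:
            self.alerts.append(("MAC_CLAIMS_MULTIPLE_IPS", mac, sorted(self.mac_to_ips[mac])))
        return arp


def demo_alerts() -> list:
    """Replay constructed traffic: normal exchanges, then a rogue host claiming PLC and gateway IPs."""
    PLC, SCADA, GW = "10.0.10.20", "10.0.10.50", "10.0.10.1"
    PLC_MAC, SCADA_MAC, GW_MAC = "02:00:00:00:00:20", "02:00:00:00:00:50", "02:00:00:00:00:01"
    ROGUE_MAC = "02:00:00:00:be:ef"
    frames = [
        build_arp(SCADA_MAC, ARP_REQUEST, SCADA_MAC, SCADA, "00:00:00:00:00:00", PLC),       # who-has PLC?
        build_arp(PLC_MAC, ARP_REPLY, PLC_MAC, PLC, SCADA_MAC, SCADA, eth_dst=SCADA_MAC),     # PLC is-at
        build_arp(GW_MAC, ARP_REPLY, GW_MAC, GW, SCADA_MAC, SCADA, eth_dst=SCADA_MAC),        # gateway is-at
        build_arp(ROGUE_MAC, ARP_REPLY, ROGUE_MAC, PLC, SCADA_MAC, SCADA, eth_dst=SCADA_MAC), # rogue: "PLC is-at me"
        build_arp(ROGUE_MAC, ARP_REPLY, ROGUE_MAC, GW, SCADA_MAC, SCADA, eth_dst=SCADA_MAC),  # rogue: "gateway is-at me"
    ]
    mon = ArpMonitor()
    for f in frames:
        mon.observe(f)
    return mon.alerts


if __name__ == "__main__":
    for a in demo_alerts():
        print(a)
```

The baseline is kept on purpose rather than overwritten, because overwriting is exactly what a poisoned cache does; the cost is that a legitimate NIC replacement on a PLC will keep alerting until the operator refreshes the baseline, which in an OT network is the right trade-off. The same `observe` loop can be fed from a capture file instead of the constructed frames.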
🛡️ Protection measures
| Measure | Description |
|---|---|
| Dynamic ARP Inspection | Blocks spoofed ARP on untrusted ports |
| DHCP Snooping | Builds the baseline binding for ARP validation |
| IP Source Guard | Verifies IP/MAC at port level |
| MAC Binding + Port Security | Only known devices allowed per port |
| VLAN segmentation | Limits the impact of spoofing to a small part of the network |
| Zero Trust Architecture | Trust no internal traffic without verification |
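To show what the Dynamic ARP Inspection, DHCP Snooping and IP Source Guard rows above check in practice, here is an added Python model of the decision a switch makes for each ARP packet on an access port. It is not code from the article or from any switch vendor, and it simplifies real implementations: packets on trusted ports (the uplinks to the DHCP server and router) pass uninspected, packets on untrusted ports must match a (VLAN, IP, MAC) binding, and the binding's port is checked as IP Source Guard would. The binding table, port names and addresses are assumptions; the OT-specific point is that PLCs rarely use DHCP, so their bindings have to be entered statically or DAI will drop their legitimate replies.

```python
"""Added example: a simplified model of Dynamic ARP Inspection backed by a
DHCP Snooping / static binding table, with the port check IP Source Guard adds.

Not code from the article or from any switch vendor; bindings, ports and
addresses are constructed for the demonstration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    vlan: int
    ip: str
    mac: str
    port: str
    source: str = "dhcp"     # "dhcp" (learned by snooping) or "static" (entered by the operator)


class ArpInspector:
    """Decides, per ARP packet on an access port, whether to forward or drop it."""

    def __init__(self, bindings, trusted_ports, validate_src_mac=True):
        self.bindings = {(b.vlan, b.ip): b for b in bindings}
        self.trusted = set(trusted_ports)
        self.validate_src_mac = validate_src_mac
        self.log = []               # (port, vlan, spa, sha, reason) for every drop

    def inspect(self, port: str, vlan: int, eth_src: str, sha: str, spa: str) -> str:
        if port in self.trusted:     # uplinks to DHCP server / router: not inspected
            return "forward"
        if self.validate_src_mac and eth_src != sha:
            return self._drop(port, vlan, spa, sha, "Ethernet source MAC differs from ARP sender MAC")
        if spa == "0.0.0.0":         # ARP probe from a host that has no address yet
            return "forward"
        binding = self.bindings.get((vlan, spa))
        if binding is None:
            return self._drop(port, vlan, spa, sha, "no binding for sender IP in this VLAN")
        if binding.mac != sha:
            return self._drop(port, vlan, spa, sha, f"binding for {spa} is {binding.mac}, not {sha}")
        if binding.port != port:     # the per-port check IP Source Guard enforces
            return self._drop(port, vlan, spa, sha, f"{spa} is bound to {binding.port}, seen on {port}")
        return "forward"

    def _drop(self, port, vlan, spa, sha, reason) -> str:
        self.log.append((port, vlan, spa, sha, reason))
        return "drop"


def demo_decisions():
    """Constructed OT access switch: PLC with a static address, SCADA via DHCP, one trusted uplink."""
    PLC_MAC, SCADA_MAC, GW_MAC, ROGUE_MAC = ("02:00:00:00:00:20", "02:00:00:00:00:50",
                                             "02:00:00:00:00:01", "02:00:00:00:be:ef")
    bindings = [
        Binding(10, "10.0.10.20", PLC_MAC, "Gi1/0/1", source="static"),   # PLCs rarely use DHCP
        Binding(10, "10.0.10.50", SCADA_MAC, "Gi1/0/2"),
    ]
    dai = ArpInspector(bindings, trusted_ports={"Gi1/0/24"})
    cases = [
        ("Gi1/0/1", 10, PLC_MAC, PLC_MAC, "10.0.10.20"),      # genuine PLC reply
        ("Gi1/0/7", 10, ROGUE_MAC, ROGUE_MAC, "10.0.10.20"),  # rogue claims the PLC's IP
        ("Gi1/0/7", 10, ROGUE_MAC, ROGUE_MAC, "10.0.10.99"),  # rogue claims an IP nobody is bound to
        ("Gi1/0/24", 10, GW_MAC, GW_MAC, "10.0.10.1"),        # gateway reply via trusted uplink
        ("Gi1/0/2", 10, SCADA_MAC, ROGUE_MAC, "10.0.10.50"),  # Ethernet/ARP sender MAC mismatch
        ("Gi1/0/7", 10, SCADA_MAC, SCADA_MAC, "10.0.10.50"),  # right IP/MAC pair, wrong port
    ]
    decisions = [dai.inspect(*c) for c in cases]
    return decisions, dai.log


if __name__ == "__main__":
    decisions, log = demo_decisions()
    print(decisions)
    for entry in log:
        print("DROP", entry)
```

Every drop is logged with the port it arrived on, which is the detail the SOC needs to walk to the right cabinet. Real switch implementations also rate-limit ARP on untrusted ports, so a flood of spoofed replies disables the port rather than merely being filtered.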
🧪 Simulation and testing
Want to test ARP Spoofing in a lab environment?
- Tools: arpspoof, ettercap, Bettercap
- Observe behaviour in Wireshark and inspect the ARP table on the victim device
- Use test VLANs — never apply in production!
📌 In summary
ARP Spoofing is an invisible but dangerous attack technique that can manipulate OT traffic. Protect your network with Layer 2 security such as DAI, IP Source Guard and proper port control.
