ARP poisoning (also called ARP spoofing) is a local-network attack where an adversary sends fake Address Resolution Protocol messages to link their own MAC address to a victim's IP address, letting them intercept, modify, or reroute traffic meant for someone else.
ARP poisoning is a trick that targets how devices find each other on a local network. ARP (Address Resolution Protocol) is the system computers use to match an IP address to a physical MAC address. The catch is that ARP trusts whatever answer it gets, with no verification. An attacker exploits that trust by flooding the network with fake ARP replies that say "this IP belongs to MY MAC address."
Once a device believes the lie, it sends its traffic to the attacker instead of the real destination. The attacker can sit in the middle (a man-in-the-middle position), quietly read the traffic, change it, or pass it along so nobody notices. This is a classic on-path attack that works because ARP has no built-in authentication. It only works on the same local network segment, so it's a LAN problem, not something an attacker pulls off from across the internet.
ARP poisoning lives in Unit 1, Introduction to Security, where you build the vocabulary for how attacks actually work. It pairs naturally with topic 1.4 (AI-Based Cybersecurity Attacks) because the defenses overlap. Objective AP Cybersecurity 1.4.B asks you to explain how to protect against attacks, and the same idea that stops AI-augmented impersonation (verify identity, don't trust a single channel, add a second factor) is exactly what defeats an attacker who's faking their identity on the network. ARP poisoning is the foundational example of why "trust but don't verify" is dangerous in any protocol.
Keep studying AP Cybersecurity Unit 1
DNS Poisoning (Unit 1)
These are cousins. ARP poisoning fakes the IP-to-MAC mapping on a local network, while DNS poisoning fakes the domain-name-to-IP mapping. Both attacks corrupt a lookup table so you end up talking to the attacker instead of the real machine you wanted.
AI-Powered Cyberattack (Unit 1)
ARP poisoning is the network-level version of the impersonation theme in topic 1.4. A deepfake or voice clone fakes a person; ARP poisoning fakes a machine. In both cases the attacker succeeds by getting you to trust an identity you never actually verified.
Multifactor Authentication (Unit 1)
Objective AP Cybersecurity 1.4.B highlights MFA as a defense. Even if an attacker intercepts your login traffic through ARP poisoning, a second authentication factor can stop them from actually using what they captured, the same way MFA blocks a cloned voice from accessing an account.
Expect ARP poisoning to show up in multiple-choice stems describing a scenario where traffic on a local network is being intercepted or redirected, and you have to name the attack or pick the right defense. Be ready to recognize it as a man-in-the-middle / on-path attack and to distinguish it from DNS poisoning. No released FRQ has used this term verbatim, but it supports the kind of attack-and-defense reasoning topic 1.4 rewards: identify the weakness (a protocol that trusts unverified messages), then propose a protection that adds verification. Focus on what the attack does and why authentication-style defenses stop it.
Both poison a lookup, but at different layers. ARP poisoning corrupts the IP-to-MAC mapping and only works on your local network. DNS poisoning corrupts the domain-name-to-IP mapping and can send users to fake websites from much farther away. If the scenario mentions MAC addresses or a local LAN, it's ARP; if it mentions domain names or web addresses, it's DNS.
ARP poisoning sends fake ARP replies that link the attacker's MAC address to a victim's IP address, redirecting traffic to the attacker.
It works because ARP has no authentication, so devices trust any reply they receive.
The attack only works on the same local network segment, making it a LAN-based man-in-the-middle attack.
ARP poisoning and DNS poisoning are the same idea at different layers: one fakes IP-to-MAC mappings, the other fakes domain-to-IP mappings.
Defenses center on verifying identity and not trusting a single unverified source, the same principle behind MFA in objective AP Cybersecurity 1.4.B.
ARP poisoning is a local-network attack where an adversary sends fake ARP messages to associate their own MAC address with a victim's IP address. This lets them intercept, read, or alter traffic that was meant for someone else, putting them in a man-in-the-middle position.
Yes, the two terms are used interchangeably. "Spoofing" describes faking the ARP reply, and "poisoning" describes the corrupted ARP table that results. They refer to the same attack.
ARP poisoning corrupts the IP-to-MAC mapping and only works on your local network, while DNS poisoning corrupts the domain-name-to-IP mapping and can redirect users to fake websites from much farther away. Watch the scenario: MAC addresses point to ARP, domain names point to DNS.
No. ARP poisoning only works on the same local network segment as the victim, because ARP messages don't travel across routers. An attacker has to already be on your LAN to pull it off.
Stop trusting unverified messages and add layers of verification. Tools like static ARP entries, dynamic ARP inspection, and encryption limit the damage, and the broader principle in objective AP Cybersecurity 1.4.B (verify identity and use multifactor authentication) keeps an attacker from using whatever they intercept.
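The verification idea behind dynamic ARP inspection, shown as an added example that is not part of the original study guide: each observed ARP reply is checked against a trusted IP-to-MAC table instead of being believed on arrival. The addresses, the trusted table and the function names are constructed for illustration.

```python
# Added example: DAI-style check of ARP replies against trusted IP-to-MAC bindings.
# All addresses below are constructed sample data, not from a real network.

TRUSTED_BINDINGS = {            # assumption: built from DHCP leases or static entries
    "192.168.1.1": "aa:aa:aa:aa:aa:01",   # gateway
    "192.168.1.10": "aa:aa:aa:aa:aa:10",
    "192.168.1.20": "aa:aa:aa:aa:aa:20",
}

# Constructed ARP replies as (sender_ip, sender_mac) pairs, in arrival order.
SAMPLE_REPLIES = [
    ("192.168.1.10", "AA:AA:AA:AA:AA:10"),
    ("192.168.1.1", "aa-aa-aa-aa-aa-01"),
    ("192.168.1.1", "bb:bb:bb:bb:bb:66"),   # claims the gateway IP with a different MAC
    ("192.168.1.10", "bb:bb:bb:bb:bb:66"),  # same MAC now claims a second IP
    ("192.168.1.30", "aa:aa:aa:aa:aa:30"),  # IP with no trusted binding
]

def normalize_mac(mac):
    """Lower-case and use ':' separators so equal MACs compare equal."""
    return mac.strip().lower().replace("-", ":")

def inspect_replies(replies, trusted):
    """Return a list of (verdict, ip, mac) for replies that fail verification."""
    alerts = []
    claimed_by_mac = {}   # MAC -> set of IPs it has claimed so far
    for ip, raw_mac in replies:
        mac = normalize_mac(raw_mac)
        expected = trusted.get(ip)
        if expected is None:
            alerts.append(("unknown-ip", ip, mac))
        elif normalize_mac(expected) != mac:
            alerts.append(("binding-mismatch", ip, mac))
        ips = claimed_by_mac.setdefault(mac, set())
        ips.add(ip)
        if len(ips) > 1:  # one MAC answering for several IPs is a poisoning signal
            alerts.append(("mac-claims-multiple-ips", ip, mac))
    return alerts

if __name__ == "__main__":
    for verdict, ip, mac in inspect_replies(SAMPLE_REPLIES, TRUSTED_BINDINGS):
        print(f"{verdict:24} {ip:14} {mac}")
```

A real switch drops the mismatching frame rather than just reporting it, and a device that legitimately answers for several IPs would need an exception to the multiple-IP rule.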