Is this type of ARP poisoning attack possible?

This is actually called ARP flooding. An infected system/malicious user sends ARP replies to all systems connected to the network, filling them with incorrect ARP entries. This causes the systems to be unable to resolve MAC and IP addresses, resulting in systems being unable to connect to other systems in the network.


It sounds plausible to me, though local-network denial-of-service attacks are rare simply because the offending device can be easily unplugged.

Though, rather than seeing random ARP traffic, you're much more likely to see a device configured for Proxy ARP, just stealing all network traffic. This is an even easier attack to mount since most routers have the functionality already built in.

But again, it's uncommon to see DOS attacks on local networks; usually it's a matter of misconfiguration.

EDIT: In response to additional questions:

ARP packets contain the sender MAC, the destination MAC, and the target IP address (plus some bookkeeping). As with all network packets, every last bit can be spoofed. Assuming nothing malicious, you'll at least get the sender MAC address, the first few bytes of which are vendor-specific, and which you can look up to determine the vendor who made the network adapter. This could help identify the device. Of course, it can be spoofed, so don't depend on it.

As for WiFi networks, "open" unencrypted networks are something of an "anything goes" environment as far as security is concerned, so securing it is almost not worth the effort. However, if any form of encryption is enabled, then individual clients can only communicate with the router, not peer-to-peer, which means that the router can filter out noise like this.
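An added example, not part of the answer above: a defender-side check that parses the ARP fields from raw frames and flags an IP claimed by more than one MAC, a burst of replies from one MAC, and an Ethernet source that disagrees with the ARP sender field. The frames are constructed sample data, the function names and the `reply_limit` threshold are assumptions, and the field layout is the standard IPv4-over-Ethernet ARP layout (RFC 826).

```python
import struct
from collections import defaultdict

def mac(b): return ":".join(f"{x:02x}" for x in b)
def ip(b): return ".".join(str(x) for x in b)

def parse_arp(frame):
    """Parse an Ethernet II frame carrying IPv4 ARP; return None for anything else."""
    if len(frame) < 42:
        return None
    _dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806:                      # not ARP
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": mac(eth_src), "op": op, "sender_mac": mac(sha),
            "sender_ip": ip(spa), "target_ip": ip(tpa), "oui": mac(sha[:3])}

def analyze(frames, reply_limit=3):
    """Return alerts for header mismatches, IP conflicts and reply bursts."""
    claims, replies, alerts = defaultdict(set), defaultdict(int), []
    for p in filter(None, map(parse_arp, frames)):
        if p["eth_src"] != p["sender_mac"]:      # Ethernet source disagrees with ARP payload
            alerts.append(("header-mismatch", p["sender_mac"]))
        claims[p["sender_ip"]].add(p["sender_mac"])
        if p["op"] == 2:                         # opcode 2 = reply
            replies[p["sender_mac"]] += 1
    alerts += [("ip-conflict", a) for a, m in sorted(claims.items()) if len(m) > 1]
    alerts += [("reply-burst", m) for m, n in sorted(replies.items()) if n > reply_limit]
    return alerts

def sample(op, sha, spa, tpa, eth_src=None):
    """Build one constructed sample frame (test data, not a capture)."""
    h = lambda m: bytes.fromhex(m.replace(":", ""))
    a = lambda i: bytes(map(int, i.split(".")))
    return (b"\xff" * 6 + h(eth_src or sha) + b"\x08\x06"
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + h(sha) + a(spa) + b"\x00" * 6 + a(tpa))

GW, HOST, ODD = "02:00:00:00:00:01", "02:00:00:00:00:10", "02:00:00:00:00:66"
SAMPLE_FRAMES = [sample(2, GW, "192.0.2.1", "192.0.2.10"),
                 sample(1, HOST, "192.0.2.10", "192.0.2.1")]
SAMPLE_FRAMES += [sample(2, ODD, "192.0.2.1", f"192.0.2.{n}") for n in range(10, 14)]
SAMPLE_FRAMES.append(sample(2, "02:00:00:00:00:77", "192.0.2.20", "192.0.2.10", eth_src=ODD))

if __name__ == "__main__":
    for alert in analyze(SAMPLE_FRAMES):
        print(alert)
```

The `oui` field is the first three bytes of the sender MAC, the vendor prefix the answer mentions; like every other field in the frame it is only as trustworthy as the sender.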


To address the question "what countermeasures are available", dot1x authentication is probably the best way of securing the physical layer of the network. This will prevent these types of physical and data-link layer attacks by requiring hosts to authenticate to the network before they are allowed to transmit data. The switch will still see the bad MAC addresses coming from the attacker, but they will not reach any other switch or any of the other hosts on the network, so the harm that can be done is significantly reduced, i.e. no taking over the default gateway to do MITM, etc.