Skip to content

ARP poisoning and IP spoofing


ID: MS-TA9036
Tactic: Lateral Movement
MITRE technique: T1557

Kubernetes has numerous network plugins (Container Network Interfaces or CNIs) that can be used in the cluster. Kubenet is the basic, and in many cases the default, network plugin. In this configuration, a bridge is created on each node (cbr0) to which the various pods are connected using veth pairs. The fact that cross-pod traffic is through a bridge, a level-2 component, means that performing ARP poisoning in the cluster is possible. Therefore, if attackers get access to a pod in the cluster, they can perform ARP poisoning, and spoof the traffic of other pods. By using this technique, attackers can perform several attacks at the network-level which can lead to lateral movements, such as DNS spoofing or stealing cloud identities of other pods (CVE-2021-1677).


ID Mitigation Description
MS-M9013 Restrict over permissive containers Avoid NET_RAW capability in containers which would enable sending crafted packets that perform ARP poisoning.
MS-M9028 Use CNIs that are not prone to ARP poisoning Use CNIs that are not prone to ARP poisoning.