2

I am trying to understand ARP and ARP cache poisoning. Will a host update its cache if it gets an ARP response even if it didn't send a request? If yes, is there any particular reason it is designed like that?

Also, I have one more question. In the case of ARP cache poisoning, does the malicious host flood the network with ARP responses or respond only when someone sends out a request?

2 Answers

2

Most of the time, a device will accept unsolicited ARP replies, to allow machines to notify others when the MAC address for an IP address changes. The methods of ARP cache poisoning are varied, but typically you don't have to flood the network, just send them periodically to ensure that the ARP cache doesn't expire and the other machine does an ARP request of its own.

womble
  • 98,245
0

Will a host update its cache if it gets an ARP response even if it didn't send a request? If yes, is there any particular reason it is designed like that?

Yes. The idea is that, for example, a workstation picks up all addresses of servers even if not needing them at the moment. Especially the AP address of the gateway of the network and local switches. This reduces network traffic in a pre-switch era because a workstation gets all that when someone else asks. The idea is that your local broadcast domain is trusted anyway, so poisoning is not an issue, and it reduces traffic as the answer is going to be valid anyway. The trust assumption is true in any corporate network - mostly - but obviously breaks apart in hosting centers, for example.

TomTom
  • 52,109
  • 7
  • 59
  • 142
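A defender-side view of the behaviour both answers describe, as an added example that is not part of either answer: a passive monitor that parses ARP frames and flags replies nobody asked for, plus IP-to-MAC bindings that change. The names `ArpMonitor`, `build_arp` and `demo`, the 2-second request window, and all addresses are assumptions constructed for illustration.

```python
import struct
ARP_REQUEST, ARP_REPLY = 1, 2

def parse_arp(frame):  # Ethernet II + IPv4-over-Ethernet ARP; None otherwise
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    ip = lambda b: ".".join(map(str, b))
    return op, sha.hex(":"), ip(spa), tha.hex(":"), ip(tpa)

class ArpMonitor:
    def __init__(self, window=2.0):
        self.window = window  # seconds a request stays "outstanding" (assumed value)
        self.pending = {}     # (asker_ip, asked_ip) -> time the request was seen
        self.bindings = {}    # ip -> last MAC that claimed it

    def observe(self, ts, frame):
        parsed = parse_arp(frame)
        if parsed is None or parsed[2] == "0.0.0.0":  # not ARP, or an ARP probe
            return []
        op, sha, spa, _tha, tpa = parsed
        alerts = []
        if op == ARP_REQUEST:
            self.pending[(spa, tpa)] = ts
        elif op == ARP_REPLY:
            asked = self.pending.pop((tpa, spa), None)
            if asked is None or ts - asked > self.window:
                alerts.append(f"unsolicited reply: {spa} is-at {sha} (to {tpa})")
        old = self.bindings.get(spa)
        if old is not None and old != sha:
            alerts.append(f"binding change: {spa} {old} -> {sha}")
        self.bindings[spa] = sha
        return alerts

def build_arp(op, sha, spa, tha, tpa):  # builds constructed sample frames for demo()
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    i = lambda s: bytes(map(int, s.split(".")))
    hdr = (b"\xff" * 6 if op == ARP_REQUEST else m(tha)) + m(sha) + b"\x08\x06"
    return hdr + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + m(sha) + i(spa) + m(tha) + i(tpa)

def demo():  # constructed traffic: request, its matching reply, a later unsolicited reply
    gw, host, other, z = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:99", "00:00:00:00:00:00"
    frames = [(0.0, build_arp(ARP_REQUEST, host, "192.0.2.10", z, "192.0.2.1")),
              (0.1, build_arp(ARP_REPLY, gw, "192.0.2.1", host, "192.0.2.10")),
              (30.0, build_arp(ARP_REPLY, other, "192.0.2.1", host, "192.0.2.10"))]
    mon = ArpMonitor()
    return [a for ts, f in frames for a in mon.observe(ts, f)]
```

A legitimate MAC change (a replaced NIC, a failover pair) raises the same binding-change alert, so the output is a prompt for review rather than proof of poisoning.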