ARP Part 1 | Defined
- David Dawson
- Dec 11, 2018
Updated: Jan 3, 2019
ARP Defined
ARP Threat Exposure: ARP Spoofing
ARP Hardening: Dynamic ARP Inspection
This post is the first in a three-part series that describes how the Address Resolution Protocol (ARP) is supposed to work, how it can be compromised, and what can be done to make it resilient against attack.
How ARP is Supposed to Work
ARP is responsible for tying layer 2 hardware addresses to their corresponding layer 3 network addresses. Specifically, ARP is called on when a device needs to communicate over a data link protocol, most often Ethernet with its MAC addresses, and only the IP address is known.
For example, if a device has just joined the network by receiving a DHCP lease, it will likely have received a DNS server IP in its DHCP options. But in order to move down the stack and reach that DNS server for the first time, it uses ARP to send a broadcast to the entire LAN, asking whoever owns that IP address to respond with its MAC address.
ARP Query Lab
The following diagrams represent a client requesting the MAC address of its DNS server:

This is the ARP request frame in Wireshark captured on the DHCP Client:

Here we can see that the administrator’s computer does not yet have an entry for the DNS server 172.17.4.10 in its ARP cache:

Once the DNS server receives the broadcast query and sees that the question is intended for it, it responds to the sender:

The DNS server’s response in Wireshark:

Now the client ARP cache does include the DNS server address 172.17.4.10:

Gratuitous ARP Lab
Under certain circumstances, a network device will send unsolicited ARP messages to the LAN to inform other devices of the sender's MAC address. This message is a broadcast similar to the request frame, except that no reply is expected.
The goal of this mechanism is to deliver MAC/IP address bindings to devices on the network faster by preempting an ARP request. Turning on a network adapter will often trigger a gratuitous ARP, and in this example I did just that by toggling the client's network interface on and off to produce the gratuitous ARP.

The frame looks like this in Wireshark:

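To make the three message types from both labs concrete, here is an added example (not code from the original post) that decodes raw ARP frames and labels each one as a request, a reply or a gratuitous ARP. The frames, the MAC addresses and the client IP 172.17.4.50 are constructed; only 172.17.4.10 comes from the lab, and treating "sender IP equals target IP" as gratuitous is the usual convention rather than something the post states.

```python
import socket
import struct

BROADCAST = b"\xff" * 6
ARP_FMT = "!6s6sHHHBBH6s4s6s4s"  # Ethernet II header (14 bytes) + ARP body (28 bytes)

def parse_arp(frame):
    """Decode an Ethernet II frame carrying IPv4-over-Ethernet ARP."""
    size = struct.calcsize(ARP_FMT)  # 42 bytes
    if len(frame) < size:
        raise ValueError("frame too short for Ethernet + ARP")
    (dst, src, etype, htype, ptype, hlen, plen,
     oper, sha, spa, tha, tpa) = struct.unpack(ARP_FMT, frame[:size])
    if etype != 0x0806 or (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an IPv4-over-Ethernet ARP frame")
    return {"dst": dst, "oper": oper, "sha": sha, "tha": tha,
            "spa": socket.inet_ntoa(spa), "tpa": socket.inet_ntoa(tpa),
            # Ethernet source normally equals the ARP sender hardware address
            "l2_match": src == sha}

def classify(frame):
    """Label a frame as one of the message types shown in the labs."""
    a = parse_arp(frame)
    if a["spa"] == a["tpa"]:
        return "gratuitous"  # sender announces its own binding (assumed convention)
    if a["oper"] == 1:
        return "request"
    if a["oper"] == 2:
        return "reply"
    return "other"

def build(dst, src, oper, sha, spa, tha, tpa):
    """Assemble a sample frame (constructed test data, not a real capture)."""
    return struct.pack(ARP_FMT, dst, src, 0x0806, 1, 0x0800, 6, 4, oper,
                       sha, socket.inet_aton(spa), tha, socket.inet_aton(tpa))

# Constructed addresses: only 172.17.4.10 (the DNS server) comes from the post.
CLIENT_MAC = bytes.fromhex("020000000050")
DNS_MAC = bytes.fromhex("020000000010")
CLIENT_IP, DNS_IP = "172.17.4.50", "172.17.4.10"

REQUEST = build(BROADCAST, CLIENT_MAC, 1, CLIENT_MAC, CLIENT_IP, bytes(6), DNS_IP)
REPLY = build(CLIENT_MAC, DNS_MAC, 2, DNS_MAC, DNS_IP, CLIENT_MAC, CLIENT_IP)
GRATUITOUS = build(BROADCAST, CLIENT_MAC, 1, CLIENT_MAC, CLIENT_IP, bytes(6), CLIENT_IP)

if __name__ == "__main__":
    for name, frame in [("request", REQUEST), ("reply", REPLY), ("gratuitous", GRATUITOUS)]:
        a = parse_arp(frame)
        print(f"{name:10} -> {classify(frame):10} sender {a['spa']} target {a['tpa']}")
```
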