You might be familiar with the concept of IP addresses. Every computer on a network has at least one. When communicating between networks, these IP addresses uniquely identify the source and destination of the network traffic so it can be delivered and responded to reliably. When communicating to a device on the same network, a computer doesn’t directly use the IP address. Instead, it translates that IP address to a MAC address. ARP is the protocol to manage IP to MAC translations and communicate this around the network.
ARP stands for Address Resolution Protocol. It is a stateless protocol that has broadcast and request-response components. ARP is primarily used in IPv4 networks, though other networking systems also use it. IPv6 networks implement ARP functionality and some additional functionality with NDP. Or Neighbour Discovery Protocol.
MAC addresses that have been identified are stored in an ARP table on each device. Each entry in the ARP table regularly expires. But can be updated passively as ARP traffic is broadcast to the network, minimizing the total amount of ARP traffic needed.
ARP Probe and Response
If a computer needs to transmit a network packet, It looks at the destination IP address. It knows it needs to send it to the router for devices in a different network. This can then direct the packet onto the right network. If the packet is intended for a device on the local network, the computer needs to know the correct MAC address to send it to.
As the first port of call, the computer will check its ARP table. This should have a list of all known devices on the local network. If the target IP and MAC address are there, it will use the ARP table to complete and send the packet. If the IP address does not have an entry in the ARP table, the computer must find out via an ARP probe.
The computer broadcasts an ARP probe to the network asking “who has <IP address>” with <IP address> replaced the relevant IP address. Every device on the network will see this message as it is a broadcast. Most will ignore it as it’s not aimed at them. But the device that has that IP address will respond with another broadcast message saying “<IP address> belongs to <MAC address>” again with <IP address> and <MAC address> replaced with their respective values. The original computer will then update its ARP table and send the packet to the intended recipient.
Note: The ARP probe response is also a broadcast. This allows all other network devices to update their ARP tables without requiring them to make identical ARP probes. This helps to minimize ARP traffic.
ARP Probe on Connection
When a computer connects to a network, it must get an IP address. This can be manually specified but is typically dynamically allocated by a DHCP (Dynamic Host Control Protocol) server. The DHCP server is generally a function of the network router but can be run by a separate device. Once a new device has an IP address, either through manual configuration or DHCP. The device must quickly verify that no other device is already using that IP address.
To do so, the device broadcasts an ARP probe packet, asking for any device using its newly assigned IP address to respond to it. The expected response is silence. No other device should react, especially in a DHCP network. After short delays, the device will broadcast the same message again a few times. This repetition helps in cases where one packet might have been dropped on the way to or from a device with a conflicting IP address. Once there have been no responses to a few ARP probes, the device can start using its new IP address. To do so, it needs to send a gratuitous ARP.
Once a device has determined that the IP address it wants to use isn’t being used, it sends a gratuitous ARP. This simply involves broadcasting to the network “<MAC address> has <IP address>.” This is typically formatted as if it were a response to a standard ARP probe, just without an ARP probe ever requesting it, hence the name “gratuitous ARP.”
Gratuitous ARP requests are also regularly sent to the network just as reminders to all other devices that the computer is still connected, online, and has its IP address.
ARP is a stateless protocol, there is no connection, and all messages are broadcast to the network at large. All devices listen to and cache ARP responses in their ARP tables. This, however, leads to a vulnerability in the system. Assuming an attacker can physically connect to the network, they can run software that maliciously broadcasts incorrect gratuitous ARP response packets. Every device on the network will see the malicious ARP packets, implicitly trust them, and update their routing tables. These now incorrect ARP tables are referred to as “poisoned.”
This could just be used to cause network issues by pointing traffic in the wrong direction. There is a worse scenario, however. If the attacker spoofs ARP packets for the router’s IP address and points them to their own device, they’d receive and be able to see all the network traffic. Assuming the device has another network connection to forward the traffic, it can take a Man in the Middle (MitM) position. This allows the attacker to perform nasty attacks such as HTTPS stripping, potentially allowing them to see and modify all network traffic.
Note: There are some protections against MitM attacks. The attacker would not be able to duplicate the HTTPS certificate of a website. Any user having the traffic intercepted should get browser certificate errors.
There are, however, many essential and unencrypted communications, especially on an internal network. This isn’t so much the case on a home network. Still, corporate networks built on Windows are particularly vulnerable to ARP spoofing attacks.
ARP stands for Address Resolution Protocol. It is used in IPv4 networks to translate IP addresses to MAC addresses as is needed in local networks. It consists of stateless request and response broadcasts. Responses, or lack thereof, allow a device to determine what MAC address is associated with an IP address or if an IP address is unused. Devices cache ARP responses to update their ARP tables.
Devices may also regularly broadcast gratuitous announcements that their MAC address is associated with their IP address. The lack of an authentication mechanism allows a malicious user to broadcast bogus ARP packets to poison ARP tables and direct traffic to themselves to perform traffic analysis or MitM attacks.