Security Explained  
ARP and ARP Poisoning Overview

This tutorial covers ARP and ARP poisoning, and provides the background on ARP that future tutorials will build on.

What is ARP?

From Wikipedia.org:

"Address Resolution Protocol (ARP) is the method for finding a host's hardware address when only its IP address is known. Due to the overwhelming prevalence of IPv4 and Ethernet, ARP is primarily used to translate IP addresses to Ethernet MAC addresses.

ARP is used in four cases of two hosts communicating:

  1. When two hosts are on the same network and one desires to send a packet to the other
  2. When two hosts are on different networks and must use a gateway router to reach the other host
  3. When a router needs to forward a packet for one host through another router
  4. When a router needs to forward a packet from one host to the destination host on the same network

The first case is used when two hosts are on the same physical network (that is, they can directly communicate without going through a router). The last three cases are the most used over the Internet as two computers on the internet are typically separated by more than 3 hops.

Imagine computer A sends a packet to computer D and there are two routers, B & C, between them. Case 2 covers A sending to B; case 3 covers B sending to C; and case 4 covers C sending to D.

ARP is defined in RFC 826"

Why do we care?

To break the information above down further: an ARP request is sent when Computer A wants to talk to Computer B but does not know Computer B's MAC address. Computer A broadcasts an ARP request over the LAN asking which host holds Computer B's IP address, and Computer B answers with its MAC address in the form of an ARP reply.

It's definitely worth noting here that ARP is a stateless protocol, meaning it does not keep track of requests and replies. When Computer A asks for Computer B's MAC address it keeps no record that it sent the request; it will accept an ARP reply at any time, solicited or not, and blindly trust the information it contains. Hopefully the wheels in your mind are starting to turn as to the possibilities this opens for us.

Enter ARP Poisoning:

ARP Poisoning (or ARP Spoofing) is the process of sending fake ARP replies to hosts on the LAN in order to redirect their communications (Man-in-the-Middle) or to stop them altogether (Denial of Service). Hosts receive these spoofed ARP replies and add the bogus IP-to-MAC mappings to their ARP tables without question. From this point, depending on the attack, you control the traffic on the LAN.
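Because a host's ARP cache is stateless, it cannot tell a legitimate reply from a spoofed one; a monitor that does keep state can. The script below is an added example (not part of this tutorial) that walks a constructed list of ARP events, remembers outstanding requests and learned mappings, and flags the symptoms of poisoning described above: replies nobody asked for, an IP whose MAC suddenly changes, and one MAC answering for several IPs. The addresses and the event format are hypothetical.

```python
"""Stateful ARP watcher: flags what a stateless ARP cache would accept silently."""
from collections import defaultdict

# Constructed sample traffic (not a real capture). Fields mirror the ARP header:
# op, sender IP/MAC, target IP. The 00:00:5e:00:53:xx MACs are documentation addresses.
SAMPLE_EVENTS = [
    {"op": "request", "sip": "10.0.0.5", "smac": "00:00:5e:00:53:05", "tip": "10.0.0.1"},
    {"op": "reply",   "sip": "10.0.0.1", "smac": "00:00:5e:00:53:01", "tip": "10.0.0.5"},
    # A reply nobody asked for, re-mapping the gateway IP to a different MAC
    {"op": "reply",   "sip": "10.0.0.1", "smac": "00:00:5e:00:53:66", "tip": "10.0.0.5"},
    # The same MAC now also claims a second host's IP
    {"op": "reply",   "sip": "10.0.0.5", "smac": "00:00:5e:00:53:66", "tip": "10.0.0.1"},
]


def detect_arp_anomalies(events):
    """Return a list of (reason, event) tuples for suspicious ARP replies.

    Unlike a host's ARP cache, this tracks outstanding requests and the
    previously learned IP->MAC mapping, so it can flag:
      - unsolicited: a reply for which no matching request was seen
      - mapping_changed: an IP now claims a different MAC than before
      - mac_claims_multiple_ips: one MAC answering for several IPs
    """
    pending = set()               # (requester_ip, requested_ip) awaiting a reply
    ip_to_mac = {}                # mappings learned so far
    mac_to_ips = defaultdict(set)  # which IPs each MAC has claimed
    findings = []
    for ev in events:
        if ev["op"] == "request":
            pending.add((ev["sip"], ev["tip"]))
            continue
        key = (ev["tip"], ev["sip"])  # a reply answers (requester, requested)
        if key in pending:
            pending.discard(key)
        else:
            findings.append(("unsolicited", ev))
        old = ip_to_mac.get(ev["sip"])
        if old is not None and old != ev["smac"]:
            findings.append(("mapping_changed", ev))
        ip_to_mac[ev["sip"]] = ev["smac"]
        mac_to_ips[ev["smac"]].add(ev["sip"])
        if len(mac_to_ips[ev["smac"]]) > 1:
            findings.append(("mac_claims_multiple_ips", ev))
    return findings


if __name__ == "__main__":
    for reason, ev in detect_arp_anomalies(SAMPLE_EVENTS):
        print(f"{reason}: {ev['sip']} is-at {ev['smac']} (sent to {ev['tip']})")
```

Run against the sample, the first reply is clean and the two spoofed replies produce four findings; in practice a MAC legitimately changes when a NIC is replaced or a VIP fails over, so these are alerts to investigate rather than proof of an attack.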

Next: Attacks based on ARP Poisoning