ARP is an acronym for Address Resolution Protocol, and it is a network protocol used by IP (Internet Protocol). ARP is used to convert IP addresses into physical addresses. It is one of the most important protocols in the network layer of the OSI model. The term ‘Address Resolution’ means finding the address of any computer in the network.
The early development of IP was performed on Ethernet technology, which was not authorized or standardized as IEEE 802.3. It was important to map IP addresses to Ethernet addresses to allow communication over Ethernet. Direct mapping and dynamic resolution are the two methods that could be used for resolution. Since an Ethernet address is 48 bits and an IP address is 32 bits, direct mapping was ruled out. The Address Resolution Protocol was developed to take advantage of the flexibility of the dynamic resolution method.
How Does ARP Work?
The basic function of ARP is to resolve the IP address of the target recipient to a physical address through a broadcast message. To understand how ARP works, imagine four computers A, B, C and D in a local network like your house. If computer A wants to communicate with computer B, this is how it will happen:
- Computer A will check its ARP cache (to check the ARP cache, run arp -an). This is to determine if the computer can already map the target IP (computer B) to a MAC address.
- If computer B is not on the ARP cache list, then computer A will broadcast a message across the network asking who owns the target IP address.
- The owner of the IP address responds by sending computer A an ARP packet which contains its MAC address.
- Computer A will save this MAC address into its ARP cache list and can communicate with computer B.
It was known from the very beginning of ARP that using a broadcast for each datagram was an inefficient process. That is why ARP uses a cache to bind IP addresses to physical addresses. Refined features also arose over time to enhance the basic ARP feature set. There is also a Reverse ARP (RARP), which a host can use to discover its IP address. In this case, the host (computer A in this example) broadcasts its physical address and receives the IP address from a RARP server.
Now that we have an idea of how two computers communicate through ARP, we must know that this connection can be exploited. ARP requests are unauthenticated, and any device can respond to them. The fragile nature of this exchange allows an attacker to send an incorrect address mapping, which will be saved in the computer’s cache list, and all future traffic meant for the correct IP will be sent to the attacker instead. This process is known as ARP Spoofing or ARP cache poisoning.
How to Prevent ARP Spoofing
There are some basic best practices you can adopt to prevent an ARP cache poisoning attack.
- Virtual Private Network: A Virtual Private Network (VPN) lets your device connect to the internet through an encrypted connection, which makes all communication unreadable to an attacker.
- Static ARP: The ARP protocol lets you define a static ARP entry for an IP address, which secures you from attackers.
- Packet Filtering: Packet filtering solutions can efficiently identify poisonous ARP packets and stop them from spreading conflicting information.
- Spoofing Attack: To check if your current defense is working, run a spoofing attack with the help of IT and security teams. If this attack is successful, you will be able to identify the flaws in your route.
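The check behind the Static ARP and Packet Filtering items above can be shown in a few lines. This is an added example, not code from the original article: it parses the 28-byte Ethernet/IPv4 ARP payload and flags any packet whose sender binding contradicts a pinned or previously learned one. The ArpWatch class, the build helper and every address in it are hypothetical, constructed values.

```python
import socket
import struct

ARP = struct.Struct("!HHBBH6s4s6s4s")  # RFC 826 Ethernet/IPv4 payload, 28 bytes

def parse_arp(payload):
    """Return (sender_mac, sender_ip), or None if not a valid Ethernet/IPv4 ARP."""
    if len(payload) < ARP.size:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _, _ = ARP.unpack_from(payload)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or op not in (1, 2):
        return None
    return sha.hex(":"), socket.inet_ntoa(spa)

class ArpWatch:
    """Hypothetical monitor: remembers IP-to-MAC bindings, flags contradictions."""
    def __init__(self, static=None):
        self.static = dict(static or {})   # pinned entries, never relearned
        self.learned = {}                  # first binding seen for each IP

    def inspect(self, payload):
        parsed = parse_arp(payload)
        if parsed is None:
            return "malformed"
        smac, sip = parsed
        if sip == "0.0.0.0":               # ARP probe: announces no binding
            return "ok"
        if sip in self.static:
            return "ok" if self.static[sip] == smac else "violates-static"
        known = self.learned.setdefault(sip, smac)
        return "ok" if known == smac else "conflict"

def build(op, smac, sip, tmac, tip):  # constructed sample payload (test input)
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    return ARP.pack(1, 0x0800, 6, 4, op, raw(smac), socket.inet_aton(sip),
                    raw(tmac), socket.inet_aton(tip))

def demo():
    a, b, rogue = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:ee"
    watch = ArpWatch(static={"192.168.1.1": "02:00:00:00:00:01"})
    return [watch.inspect(p) for p in (
        build(1, a, "192.168.1.10", "00:00:00:00:00:00", "192.168.1.11"),
        build(2, b, "192.168.1.11", a, "192.168.1.10"),
        build(2, rogue, "192.168.1.11", a, "192.168.1.10"),  # second MAC for B
        build(2, rogue, "192.168.1.1", a, "192.168.1.10"),   # pinned gateway
    )]

if __name__ == "__main__":
    print(demo())
```

A "conflict" can also come from a legitimate change such as a replaced network card, so a monitor like this raises an alert for review rather than proving an attack.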
Being a standard protocol, ARP – like a few others – offers MAC address resolution and cross-platform support in the background. If you’re looking to transmit data in Ethernet networks, ARP becomes indispensable, because Ethernet frames (individual data frames) are sent to a destination through its hardware address.