What is Address Resolution Protocol Spoofing?
The Address Resolution Protocol (ARP) is a TCP/IP protocol that obtains a physical (MAC) address from an IP address. When a host sends data, it broadcasts an ARP request containing the target IP address to all hosts on the local area network and uses the reply to determine the target's physical address. After receiving the reply, the host stores the IP address and physical address in its ARP cache for a certain period of time, and the next lookup is answered directly from the cache to save resources.

ARP is built on mutual trust among the hosts on the network. Any host on the local area network can send ARP reply messages on its own initiative, and a host that receives such a reply does not check its authenticity before recording it in its local ARP cache. An attacker can therefore send a forged ARP reply to a host so that the data that host sends either does not reach the intended host or reaches the wrong host. This constitutes ARP spoofing.

The arp command can be used to query the IP-to-MAC mappings in the local ARP cache and to add or delete static mappings. Related protocols include RARP and proxy ARP. In IPv6, NDP replaces ARP.
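A defender's view of the unverified-reply weakness described above, as an added example that is not part of the original article: a passive monitor that parses ARP payloads and flags replies nobody asked for and IP addresses claimed by a second MAC. The MAC addresses and packets are constructed sample data, and `build_arp`, `parse_arp`, `ArpMonitor` and `demo` are names chosen for this example.

```python
import socket
import struct
ARP_FMT = "!HHBBH6s4s6s4s"        # RFC 826 layout for Ethernet/IPv4, 28 bytes
REQUEST, REPLY = 1, 2

def build_arp(op, sha, spa, tha, tpa):
    """Build a constructed ARP payload (sample data only, nothing is sent)."""
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, raw(sha),
                       socket.inet_aton(spa), raw(tha), socket.inet_aton(tpa))

def parse_arp(payload):
    """Return (op, sender_mac, sender_ip, target_ip), or None if not Ethernet/IPv4 ARP."""
    if len(payload) < 28:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, sha.hex(":"), socket.inet_ntoa(spa), socket.inet_ntoa(tpa)

class ArpMonitor:
    """Tracks IP-to-MAC bindings as an ARP cache would, but reports conflicts."""
    def __init__(self):
        self.bindings = {}     # sender IP -> first MAC seen claiming it
        self.pending = set()   # IPs that some host has asked about
    def observe(self, payload):
        parsed = parse_arp(payload)
        if parsed is None:
            return ["not an Ethernet/IPv4 ARP payload"]
        op, sha, spa, tpa = parsed
        alerts = []
        if op == REQUEST:
            self.pending.add(tpa)
        elif op == REPLY:
            if spa not in self.pending:
                alerts.append(f"unsolicited reply: {spa} is-at {sha}")
            self.pending.discard(spa)
        if self.bindings.setdefault(spa, sha) != sha:
            alerts.append(f"binding conflict: {spa} was {self.bindings[spa]}, now claimed by {sha}")
        return alerts

def demo():
    """Replay three constructed packets: request, genuine reply, forged reply."""
    pc1, pc2, rogue = "02:00:00:00:00:66", "02:00:00:00:00:20", "02:00:00:00:00:99"
    mon = ArpMonitor()
    return [mon.observe(p) for p in (
        build_arp(REQUEST, pc1, "192.168.20.66", "00:00:00:00:00:00", "192.168.20.20"),
        build_arp(REPLY, pc2, "192.168.20.20", pc1, "192.168.20.66"),
        build_arp(REPLY, rogue, "192.168.20.20", pc1, "192.168.20.66"))]
```

Legitimate events such as proxy ARP or an address being reassigned also change bindings, so these alerts are input for triage and not proof of spoofing on their own.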
- Address Resolution Protocol by the Internet Engineering Task Force (
RARP
- RARP query process [2]
Proxy ARP
- Proxy ARP [2]
- For example, host PC1 (192.168.20.66/24) needs to send a packet to host PC2 (192.168.20.20/24). PC1 does not know that the subnet exists and is on the same main network segment as the target host PC2, so it broadcasts an ARP request for the MAC address of 192.168.20.20. The router recognizes that the destination address of the packet belongs to another subnet (note that the router's interface IP address is configured with a 28-bit mask), so it replies to the requesting host with its own hardware address (0004.dd9e.cca0). PC1 then sends the packets destined for PC2 to the MAC address 0004.dd9e.cca0 (the router's interface E0/0), and the router forwards them to the target host PC2. (The router then proxies packets for PC2 in the same way.) Proxy ARP makes the subnetted network topology transparent to the host; put another way, the router deceives the source host PC1 with a MAC address that is not really PC2's. [11]
NDP
- ARP is an essential protocol in IPv4, but IPv6 no longer has it. In IPv6, the function of ARP is implemented by NDP (Neighbor Discovery Protocol), which uses a series of IPv6 control messages (ICMPv6) to manage interaction between neighboring nodes (nodes on the same link) and to maintain the mapping between network-layer addresses and data-link-layer addresses within a subnet. The neighbor discovery protocol defines five message types: router advertisement, router solicitation, redirect, neighbor solicitation, and neighbor advertisement. Compared with ARP, NDP can implement router discovery, prefix discovery, parameter discovery, automatic address configuration, address resolution (instead of ARP and RARP), next hop determination, neighbor unreachability detection, duplicate address detection, redirection, and more.
- Difference between NDP and ARP
- ARP in IPv4 is an independent protocol responsible for converting IP addresses to MAC addresses, and a different address resolution protocol must be defined for each data link layer protocol. NDP in IPv6 includes the function of ARP and runs on the Internet Control Message Protocol (ICMPv6), which makes it more general, broader in scope, and applicable to various data link layer protocols;
- ARP, ICMPv4 router discovery, and ICMPv4 redirect messages are based on broadcast, while NDP neighbor discovery messages are based on efficient multicast and unicast. [12]