Address Resolution Protocol(ARP)

By:Protogenius

Overview Introduction When ARP is used? Types of ARP message ARP Message Format Example use of ARP ARP cache RARP ARP Types ARP Attacks

ARP Spoofing ARP Denial of Service

Defenses S-ARP Conclusion

Introduction low level network protocol operates at Layer 2 of the OSI model

which is usually implemented in the device drivers of network operating systems.

used by the Internet Protocol (IP), specifically IPv4, to map IP network addresses to the hardware addresses used by a data link protocol.

When ARP is Used For two hosts

on the same network and one desires to send a packet to the other

on different networks and must use a gateway/router

For a router that needs to forward a packet

for one host through another router from one host to the destination host on

the same network

Types Of Message

There are four types of ARP messages: ARP request ARP reply RARP request RARP reply

These are identified by four values in the “operation" field of an ARP message.

Format Of Message

The format of an ARP message is used to resolve remote MAC address

Example use of ARP

The figure below shows the use of ARP on the same LAN (known as "sysa") using the "ping" program

Continuation..

ARP Cache To reduce network traffic; performance

comparable to direct mapping. A table- stores mappings between MAC

addresses and IP addresses. The entries are dynamically added and

removed. Cache timeout - complete entry :20 mins;

incomplete (for nonexistent host) entry :3 mins.

Eg : to display arp cache enter : $ arp -a

Continuation ARP Cache….

1) Static ARP Cache Entries: Manually added address resolutions for a device. Permanent basis. ARP s/w utility tool to manage entries.

For devices that a given device has to communicate with on a regular basis.

Eg.: to add entry enter $ arp –s ip_address mac_address

Continuation ARP Cache….

2) Dynamic ARP Cache Entries: Added by s/w as a result of

successfully-completed past ARP resolutions. Short-lived.

Used most often. Automatic and don't require

administrator intervention.

Reverse Address Resolution Protocol(RARP)

Used by many diskless systems when bootstrapped.

Dynamically find IP address when h/w address is known.

RARP Request is broadcast to RARP server in the router to send IP address.

RARP reply is unicast . RARP packet format is same as ARP

packet. Being replaced by BOOTP & DHCP.

ARP types PROXY ARP : Process where one system responds to

the ARP request of another system. Advantage : simplicity; Disadvantage:

scalability & security. GRATUITOUS ARP : Host sends ARP request to resolve its

own IP address. Use : host can determine whether

another host is also configured with its IP address.

ARP Attacks ARP Spoofing ,ARP Denial of Service Need not send out an ARP Request to

receive an ARP Response. If a spoofed response arrives, the cache is updated Forged ARP replies Corrupting cache - poisoning

ARP Spoofing

Attacker “E” sends 2 ARP messages:

– ARP: “A” is at “E” – ARP: “B” is at “E” Traffic between “B”

and “A” routed to E” Man in the Middle

Attack, Session Hijacking

ARP Denial of Service

Attacker “E” sends 1 ARP message:

“R” is at “T” All hosts update

their caches. Unable to access

the internet as traffic routed to “T”

Related Attacks MAC Flooding

Send spoofed ARP replies to a switch at an extremely rapid rate to overflow switch’s port/MAC table

Storms-Poisoning caches with broadcast address

Mac Address Cloning

Defenses

No universal defense Static ARP entries-increases

overhead, not very practical Port security (Port Binding, MAC

Binding) Detection

ARPWatch Snort

S-ARP

S-ARP(secure ARP)Prevent ARP poisoning attacks.

Provides message authentication by using asymmetric cryptography.

S-ARP adopts Digital Signature Algorithm (DSA).

Conclusion

ARP - fundamental protocol on networks today.

abstraction between IP and MAC addressing No need to be configure to “know” MAC

addresses Replaced equipment can retain same IP

address

More changes to come

References

http://www.erg.abdn.ac.uk/users/gorry/course/inet-pages/arp.html

http://www.tcpipguide.com www.wikipedia.org www.cs.colostate.edu www.csse.monash.edu.au www.acsac.org TCP/IP illustrated http://www.security-protocols.com