ARP (Address Resolution Protocol) is used to map IP addresses to MAC addresses in a local area network segment where hosts of the same subnet reside. Each device on a network has at least two addresses: a media access control (MAC) address and an Internet Protocol (IP) address. The MAC address is the address of the physical network interface card inside the device, and never changes for the life of the device. The IP address can change if the machine moves to another part of the network. ARP is used to match, or resolve, an IP address to its appropriate MAC address (and vice versa).
ARP works by broadcasting a packet to all hosts attached to an Ethernet. The packet contains the IP address the sender is interested in communicating with. Most hosts ignore the packet. The target machine, recognizing that the IP address in the packet matches its own, returns an answer. ARP, a very simple protocol, consists of merely four basic message types:
ARP Request. Computer A asks the network, “Who has this IP address?”
ARP Reply. Computer B tells Computer A, “I have that IP. My MAC address is 188.8.131.52”
Reverse ARP Request (RARP). Same concept as ARP Request, but Computer A asks, “Who has this MAC address?”
Reverse ARP Reply. Computer B tells Computer A, “I have that MAC. My IP address is 184.108.40.206”
All network devices have an ARP table, a short-term memory of all the IP addresses and MAC addresses the device has already matched together. The ARP table ensures that the device doesn’t have to repeat ARP Requests for devices it has already communicated with. An ARP attack happens when someone changes the MAC and IP address information in an ARP table without authorization. By doing so, a hacker can spoof a MAC or IP address to launch the following two types of attacks:
Denial of Service
A hacker can easily associate an operationally significant IP address with a false MAC address. For instance, a hacker can send an ARP reply associating your network router’s IP address with a MAC address that doesn’t exist. Your computers believe they know where your default gateway is, but in reality they’re sending any packet whose destination is not on the local segment into the Great Bit Bucket in the Sky. In one move, the hacker has cut off your network from the Internet.
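A rebinding like this is visible on the wire, so a monitor can flag it. The following is an added example, not code from the original article: it decodes ARP payloads and reports when the MAC address bound to an IP changes, refusing to update bindings that were pinned in advance. The names parse_arp, ArpWatch and build, the pinned-router list, and the 192.0.2.x and 02:00:00:... addresses are assumptions constructed for illustration; the same check applies to the forged reply in the man-in-the-middle case described next.

```python
import struct

# Opcodes for the four message types listed above (RFC 826 ARP, RFC 903 RARP).
OPCODES = {1: "ARP Request", 2: "ARP Reply", 3: "RARP Request", 4: "RARP Reply"}

def parse_arp(payload):
    """Decode a 28-byte Ethernet/IPv4 ARP payload; None if it is anything else."""
    if len(payload) < 28:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or op not in OPCODES:
        return None
    return {"op": op,
            "sender_mac": payload[8:14].hex(":"),
            "sender_ip": ".".join(map(str, payload[14:18]))}

class ArpWatch:
    """Mirrors an ARP table and reports when an IP's MAC address changes."""
    def __init__(self, pinned=None):
        self.pinned = dict(pinned or {})   # known-good bindings (e.g. the router)
        self.table = dict(self.pinned)

    def observe(self, payload):
        pkt = parse_arp(payload)
        if pkt is None:
            return "malformed"
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]
        if pkt["op"] > 2 or ip == "0.0.0.0":
            return "ignored"               # RARP, or an ARP probe with no sender IP
        known = self.table.get(ip)
        if known in (None, mac):
            self.table[ip] = mac
            return "ok"
        if ip not in self.pinned:
            self.table[ip] = mac           # unpinned hosts may legitimately move
        return f"ALERT {ip}: {known} -> {mac}"

def build(op, smac, sip, tmac, tip):
    """Constructed test input: pack an ARP payload from readable addresses."""
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    addr = lambda a: bytes(map(int, a.split(".")))
    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + raw(smac) + addr(sip) + raw(tmac) + addr(tip)

if __name__ == "__main__":
    ROUTER = ("192.0.2.1", "02:00:00:00:00:01")           # constructed addresses
    watch = ArpWatch(pinned=dict([ROUTER]))
    print(watch.observe(build(2, ROUTER[1], ROUTER[0], "02:00:00:00:00:10", "192.0.2.10")))
    # A reply that rebinds the router's IP to a different MAC, as in the case above
    print(watch.observe(build(2, "02:00:00:00:00:66", ROUTER[0], "02:00:00:00:00:10", "192.0.2.10")))
```

An alert on an unpinned address is only a lead, since a replaced network card or a reassigned IP produces the same change; an alert on a pinned address such as the router should be treated as an incident.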
Man in the Middle
A hacker can exploit ARP Cache Poisoning to intercept network traffic between two devices in your network. For instance, the hacker wants to see all the traffic between your computer, with IP 220.127.116.11, and your Internet router. The hacker begins by sending a malicious ARP “reply” to your router, associating his computer’s MAC address with the IP 18.104.22.168.