Topic Overview

ARP / Reverse ARP

Master ARP (Address Resolution Protocol) for mapping IP addresses to MAC addresses on local networks, and Reverse ARP for the opposite mapping.


Why This Matters

Think of ARP like a phone book for networks. You know someone's name (IP address), but you need their phone number (MAC address) to call them. ARP does the same—it maps IP addresses to MAC addresses on local networks. Switches use MAC addresses to forward frames, but applications use IP addresses, so this mapping is necessary.

This matters because networks have two addressing schemes: IP addresses (Layer 3, logical) and MAC addresses (Layer 2, physical). When a device wants to send data to another device on the same network, it needs the MAC address. ARP provides this mapping. Understanding ARP helps you understand how local network communication works.

In interviews, when someone asks "How does a device find another device on the same network?", they're testing whether you understand ARP. Do you know how ARP resolves IP to MAC? Do you understand ARP tables? Most engineers don't. They just use networks and assume they work.

What Engineers Usually Get Wrong

Most engineers think "ARP is just address mapping." But ARP involves broadcasting (asking everyone "who has this IP?"), caching (storing mappings in ARP tables), and expiration (entries expire and must be refreshed). Understanding this helps you understand ARP behavior and troubleshoot network issues.

Engineers also don't understand that ARP only works on local networks (same broadcast domain). For remote networks, routing uses IP addresses, not MAC addresses. ARP is only needed for the final hop (same network). Understanding this helps you understand network architecture.

How This Breaks Systems in the Real World

A service was experiencing network connectivity issues. Devices couldn't communicate on the same network. The problem was ARP table corruption—entries were incorrect or expired. Devices were sending frames to wrong MAC addresses. The fix? Clear ARP tables, or restart network interfaces. Understanding ARP helps you troubleshoot local network issues.

Another story: A service was vulnerable to ARP spoofing. An attacker sent fake ARP responses, claiming to have the gateway's IP but with the attacker's MAC. Traffic was redirected to the attacker. The fix? Use static ARP entries for critical devices, or use ARP spoofing detection. Understanding ARP helps you understand security vulnerabilities.


What is ARP?

ARP (Address Resolution Protocol) is a Layer 2 protocol that maps IP addresses (Layer 3) to MAC addresses (Layer 2) on the same network segment.

Why needed:

  • Layer 2 uses MAC addresses: Switches forward frames based on MAC addresses
  • Layer 3 uses IP addresses: Applications use IP addresses
  • Mapping required: Need to translate IP → MAC for local delivery

ARP Process

ARP Request (Broadcast)

When a device needs to send data to an IP address on the same network:

1. Device checks ARP table for IP → MAC mapping
2. If not found, sends ARP REQUEST (broadcast)
   "Who has 192.168.1.100? Tell 192.168.1.50"
3. All devices on network receive broadcast
4. Device with 192.168.1.100 responds with ARP REPLY
   "192.168.1.100 is at MAC: 00:1B:44:11:3A:B7"
5. Requesting device caches mapping in ARP table

ARP Reply (Unicast)

The target device responds with its MAC address:

Source MAC: 00:1B:44:11:3A:B7 (target)
Source IP: 192.168.1.100
Destination MAC: 00:0C:29:AB:CD:EF (requester)
Destination IP: 192.168.1.50
Message: "I am 192.168.1.100, my MAC is 00:1B:44:11:3A:B7"

ARP Table

Devices maintain an ARP table (cache) of IP → MAC mappings:

IP Address        MAC Address           Type
192.168.1.1      00:1B:44:11:3A:B7    dynamic
192.168.1.100    00:0C:29:AB:CD:EF    dynamic
192.168.1.50     00:50:56:C0:00:08    static

Table types:

  • Dynamic: Learned via ARP, expires after timeout (typically 2-4 minutes)
  • Static: Manually configured, doesn't expire

ARP Packet Structure

ARP Header (28 bytes):
  Hardware Type: 1 (Ethernet)
  Protocol Type: 0x0800 (IPv4)
  Hardware Length: 6 (MAC = 6 bytes)
  Protocol Length: 4 (IP = 4 bytes)
  Operation: 1 (REQUEST) or 2 (REPLY)
  Sender MAC: 6 bytes
  Sender IP: 4 bytes
  Target MAC: 6 bytes (0 for REQUEST)
  Target IP: 4 bytes
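The field layout above, as an added TypeScript parser (an illustration written for this section, not code from the original page). `parseArp`, `ArpPacket` and the helper names are hypothetical; the sample bytes are constructed to encode the request "Who has 192.168.1.100? Tell 192.168.1.50" from the ARP Process section.

```typescript
// Added example: decode the 28-byte Ethernet/IPv4 ARP payload field by field.
interface ArpPacket {
  operation: "REQUEST" | "REPLY";
  senderMAC: string;
  senderIP: string;
  targetMAC: string;
  targetIP: string;
}

const macStr = (b: Uint8Array): string =>
  Array.from(b, (x) => ("0" + x.toString(16)).slice(-2)).join(":");
const ipStr = (b: Uint8Array): string => Array.from(b, (x) => String(x)).join(".");

function parseArp(buf: Uint8Array): ArpPacket {
  if (buf.length < 28) throw new Error("truncated ARP packet");
  const view = new DataView(buf.buffer, buf.byteOffset, buf.byteLength);
  const hardwareType = view.getUint16(0); // network byte order (big-endian)
  const protocolType = view.getUint16(2);
  const hardwareLength = buf[4];
  const protocolLength = buf[5];
  const operation = view.getUint16(6);
  // Reject anything that is not Ethernet + IPv4 before trusting the offsets below.
  if (hardwareType !== 1 || protocolType !== 0x0800 || hardwareLength !== 6 || protocolLength !== 4)
    throw new Error("not an Ethernet/IPv4 ARP packet");
  if (operation !== 1 && operation !== 2) throw new Error(`unsupported operation ${operation}`);
  return {
    operation: operation === 1 ? "REQUEST" : "REPLY",
    senderMAC: macStr(buf.subarray(8, 14)),
    senderIP: ipStr(buf.subarray(14, 18)),
    targetMAC: macStr(buf.subarray(18, 24)),
    targetIP: ipStr(buf.subarray(24, 28)),
  };
}

// Constructed sample: REQUEST from 192.168.1.50 (00:0c:29:ab:cd:ef) for 192.168.1.100.
const sampleRequest = new Uint8Array([
  0x00, 0x01, 0x08, 0x00, 0x06, 0x04, 0x00, 0x01, // htype, ptype, hlen, plen, op
  0x00, 0x0c, 0x29, 0xab, 0xcd, 0xef, 192, 168, 1, 50, // sender MAC + IP
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 192, 168, 1, 100, // target MAC (0) + IP
]);
```
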

Examples

Viewing ARP Table

# Linux/Mac
arp -a

# Output:
# ? (192.168.1.1) at 00:1b:44:11:3a:b7 on en0
# ? (192.168.1.100) at 00:0c:29:ab:cd:ef on en0

# Windows
arp -a

# Output:
# 192.168.1.1      00-1b-44-11-3a-b7     dynamic
# 192.168.1.100    00-0c-29-ab-cd-ef     dynamic

ARP Request Simulation

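// Send ARP request and get MAC address
// Conceptual implementation: sendARPPacket stands in for a raw-socket or
// packet library and is not defined on this page.
declare function sendARPPacket(
  packet: object,
  networkInterface: string
): Promise<{ senderMAC?: string } | null>;

async function arpRequest(targetIP: string, networkInterface: string = "eth0"): Promise<string | null> {
  const request = {
    targetIP,
    operation: 1, // ARP REQUEST
    broadcast: true
  };

  // Send ARP request (broadcast)
  const response = await sendARPPacket(request, networkInterface);

  // Extract MAC address from response (the senderMAC field name is an assumption)
  if (response && response.senderMAC) {
    return response.senderMAC;
  }
  return null; // no reply received
}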

ARP Table Management

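import { exec } from 'child_process';
import { promisify } from 'util';

const execAsync = promisify(exec);

interface ARPEntry {
  ip: string;
  mac: string;
}

async function getARPTable(): Promise<ARPEntry[]> {
  // Execute arp -a command
  const { stdout } = await execAsync('arp -a');

  const arpEntries: ARPEntry[] = [];
  // Parsing below is an assumed minimal completion: take the first IPv4 address
  // and MAC on each line, which covers both output formats shown under
  // "Viewing ARP Table". Lines without a MAC (headers, incomplete entries) are skipped.
  for (const line of stdout.split('\n')) {
    const ip = line.match(/(\d{1,3}(?:\.\d{1,3}){3})/);
    const mac = line.match(/([0-9a-f]{1,2}(?:[:-][0-9a-f]{1,2}){5})/i);
    if (ip && mac) {
      arpEntries.push({ ip: ip[1], mac: mac[1].toLowerCase().replace(/-/g, ':') });
    }
  }
  return arpEntries;
}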

Gratuitous ARP

Gratuitous ARP is sent to announce an IP → MAC mapping:

// Send gratuitous ARP to announce IP → MAC mapping
// sendARPPacket is a conceptual helper (raw socket or packet library), not defined on this page.
async function sendGratuitousARP(ip: string, mac: string, networkInterface: string = "eth0"): Promise<void> {
  // ARP packet with sender = target (gratuitous ARP)
  const arpPacket = {
    operation: 2, // REPLY
    senderIP: ip,
    senderMAC: mac,
    targetIP: ip,
    targetMAC: "ff:ff:ff:ff:ff:ff" // Broadcast
  };

  // Send ARP packet
  await sendARPPacket(arpPacket, networkInterface);
}

Reverse ARP (RARP)

Reverse ARP maps MAC addresses to IP addresses. Used by diskless workstations to obtain their IP address.

Process:

1. Diskless workstation boots (knows MAC, not IP)
2. Sends RARP REQUEST (broadcast)
   "Who has IP for MAC: 00:1B:44:11:3A:B7?"
3. RARP server responds with IP
   "MAC 00:1B:44:11:3A:B7 has IP: 192.168.1.100"
4. Workstation configures IP address

Note: RARP is largely obsolete, replaced by DHCP (which provides more information).


ARP Spoofing / Poisoning

ARP Spoofing is an attack where an attacker sends fake ARP replies to associate their MAC with another IP.

Attack:

Attacker sends: "192.168.1.1 is at 00:AA:BB:CC:DD:EE" (attacker's MAC)
Victim updates ARP table: 192.168.1.1 → attacker's MAC
Victim sends traffic to attacker instead of router

Prevention:

  • Static ARP entries: Manually configure critical IP → MAC mappings
  • ARP inspection: Switches validate ARP packets
  • DHCP snooping: Validate DHCP responses
  • Network segmentation: Limit broadcast domains

Common Pitfalls

  • ARP table expiration: Dynamic entries expire, causing delays. Fix: Use static entries for critical devices
  • ARP spoofing: Fake ARP replies redirect traffic. Fix: Use ARP inspection, static entries for gateways
  • Broadcast storms: Too many ARP requests. Fix: Optimize ARP cache, reduce network size
  • Not understanding ARP scope: ARP only works on same network segment. Fix: Use routing for different networks
  • MAC address changes: Virtual machines, network adapters change MACs. Fix: Update ARP table, use DHCP
  • ARP table overflow: Too many entries consume memory. Fix: Set appropriate timeout, limit table size

Interview Questions

Beginner

Q: What is ARP and why is it needed?

A:

ARP (Address Resolution Protocol) maps IP addresses to MAC addresses on local networks.

Why needed:

  • Layer 2 uses MAC addresses: Switches forward frames based on MAC addresses
  • Layer 3 uses IP addresses: Applications use IP addresses
  • Mapping required: Need to translate IP → MAC for local delivery

Process:

1. Device wants to send to 192.168.1.100
2. Checks ARP table: Is IP → MAC mapping cached?
3. If not, sends ARP REQUEST (broadcast)
   "Who has 192.168.1.100?"
4. Device with 192.168.1.100 responds
   "192.168.1.100 is at MAC: 00:1B:44:11:3A:B7"
5. Requesting device caches mapping
6. Sends frame using MAC address

Example:

Device A (192.168.1.50) wants to send to Device B (192.168.1.100)
1. ARP REQUEST: "Who has 192.168.1.100?"
2. ARP REPLY: "192.168.1.100 is at 00:1B:44:11:3A:B7"
3. Device A sends frame to 00:1B:44:11:3A:B7

Intermediate

Q: Explain ARP spoofing. How does it work and how can you prevent it?

A:

ARP Spoofing (Poisoning) is an attack where an attacker sends fake ARP replies to associate their MAC address with another device's IP address.

How it works:

1. Attacker sends fake ARP REPLY:
   "192.168.1.1 (router) is at 00:AA:BB:CC:DD:EE" (attacker's MAC)

2. Victim updates ARP table:
   192.168.1.1 → 00:AA:BB:CC:DD:EE (attacker's MAC)

3. Victim sends traffic to attacker instead of router
   - Attacker can intercept, modify, or forward traffic
   - Man-in-the-middle attack

Prevention:

  1. Static ARP Entries

    # Manually configure critical IP → MAC mappings
    arp -s 192.168.1.1 00:1B:44:11:3A:B7

  2. ARP Inspection (Switch Feature)

    • Switches validate ARP packets
    • Compare with DHCP snooping database
    • Drop invalid ARP packets

  3. DHCP Snooping

    • Validates DHCP responses
    • Builds trusted database of IP → MAC mappings
    • Used with ARP inspection

  4. Network Segmentation

    • Limit broadcast domains
    • Reduce attack surface
    • Isolate critical devices

  5. Monitoring

    • Detect duplicate IP addresses
    • Alert on ARP table changes
    • Monitor for suspicious ARP activity

Senior

Q: Design a network monitoring system that detects ARP spoofing attacks in real-time. How do you identify malicious ARP packets and prevent them?

A:

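// ARPEntry is the { ip, mac } interface from the ARP Table Management example.
// AlertSystem and PacketCapture are components of the design, not defined on this page.
declare class AlertSystem {}
declare class PacketCapture {}

class ARPSpoofingDetector {
  private arpTable: Map<string, ARPEntry>;
  private dhcpDatabase: Map<string, string>; // IP → MAC from DHCP
  private alerts: AlertSystem;
  private packetCapture: PacketCapture;

  constructor() {
    this.arpTable = new Map();
    this.dhcpDatabase = new Map();
    this.alerts = new AlertSystem();
    this.packetCapture = new PacketCapture();
  }
}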

Features:

  1. Real-time monitoring: Capture and analyze ARP packets
  2. Duplicate IP detection: Same IP, different MAC
  3. DHCP validation: Compare ARP with DHCP database
  4. Rate limiting: Detect suspicious ARP activity
  5. Gratuitous ARP validation: Validate gratuitous ARP packets
  6. Automated blocking: Block malicious ARP packets
  7. Static ARP enforcement: Enforce static entries for critical devices
  8. Alerting: Real-time alerts with recommendations
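Duplicate IP detection, DHCP validation and rate limiting from the list above, as an added TypeScript example (written for this section, not the page's own detector). `ArpMonitor`, its rule names and the thresholds are hypothetical, and the observations are constructed from the addresses used on this page.

```typescript
// Added example: passive checks over already-parsed ARP observations.
interface ArpObservation {
  timeMs: number; operation: "REQUEST" | "REPLY"; senderIP: string; senderMAC: string;
}
interface Finding { rule: string; ip: string; mac: string; detail: string }

class ArpMonitor {
  private seen = new Map<string, string>();         // IP -> MAC last learned from ARP
  private replyTimes = new Map<string, number[]>(); // MAC -> recent REPLY timestamps
  private trusted: Map<string, string>;             // IP -> MAC from DHCP snooping or static config
  private maxReplies: number;                       // assumed threshold per window
  private windowMs = 10000;                         // assumed sliding window

  constructor(trusted: Map<string, string>, maxReplies = 5) {
    this.trusted = trusted;
    this.maxReplies = maxReplies;
  }

  inspect(o: ArpObservation): Finding[] {
    const out: Finding[] = [];
    const mac = o.senderMAC.toLowerCase();
    const expected = this.trusted.get(o.senderIP)?.toLowerCase();
    if (expected !== undefined && expected !== mac)
      out.push({ rule: "binding-mismatch", ip: o.senderIP, mac, detail: `expected ${expected}` });
    const previous = this.seen.get(o.senderIP);
    if (previous !== undefined && previous !== mac)
      out.push({ rule: "ip-mac-change", ip: o.senderIP, mac, detail: `was ${previous}` });
    // Never let a claim that contradicts a trusted binding overwrite the baseline.
    if (expected === undefined || expected === mac) this.seen.set(o.senderIP, mac);
    if (o.operation === "REPLY") {
      const recent = (this.replyTimes.get(mac) ?? []).filter((t) => o.timeMs - t < this.windowMs);
      recent.push(o.timeMs);
      this.replyTimes.set(mac, recent);
      if (recent.length > this.maxReplies)
        out.push({ rule: "reply-flood", ip: o.senderIP, mac, detail: `${recent.length} replies in window` });
    }
    return out;
  }
}

// Constructed observations: a genuine gateway reply, a normal request, then a spoofed reply.
const trustedBindings = new Map([["192.168.1.1", "00:1B:44:11:3A:B7"]]);
const sampleObservations: ArpObservation[] = [
  { timeMs: 0, operation: "REPLY", senderIP: "192.168.1.1", senderMAC: "00:1b:44:11:3a:b7" },
  { timeMs: 1000, operation: "REQUEST", senderIP: "192.168.1.50", senderMAC: "00:0c:29:ab:cd:ef" },
  { timeMs: 2000, operation: "REPLY", senderIP: "192.168.1.1", senderMAC: "00:aa:bb:cc:dd:ee" },
];
function rulesFor(obs: ArpObservation[], monitor = new ArpMonitor(trustedBindings)): string[][] {
  return obs.map((o) => monitor.inspect(o).map((f) => f.rule));
}
```

The spoofed reply is flagged twice and is not learned, so later genuine replies from the gateway do not raise a second change alert.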

  • IP Addressing (IPv4/IPv6) - ARP resolves IP addresses to MAC addresses, understanding IP addressing explains ARP's purpose

  • DHCP Flow - DHCP assigns IP addresses, ARP resolves them to MAC addresses, understanding both explains network configuration

  • OSI Model (7 Layers) - ARP operates at Layer 2 (Data Link) but resolves Layer 3 (Network) addresses, understanding the OSI model provides context

  • Subnetting & CIDR - ARP works within subnets, understanding subnetting explains ARP's scope limitations

  • Routing Protocols (OSPF/BGP) - ARP resolves addresses for routing, understanding ARP helps understand routing behavior

Key Takeaways

ARP: Maps IP addresses to MAC addresses on local networks

ARP process: REQUEST (broadcast) → REPLY (unicast) → Cache in ARP table

ARP table: Cache of IP → MAC mappings (dynamic expires, static permanent)

Reverse ARP: Maps MAC to IP (obsolete, replaced by DHCP)

ARP spoofing: Fake ARP replies redirect traffic (man-in-the-middle)

Prevention: Static ARP entries, ARP inspection, DHCP snooping, network segmentation

Detection: Monitor for duplicate IPs, MAC mismatches, suspicious rates

Best practices: Use static entries for gateways, monitor ARP table, validate against DHCP


About the author

InterviewCrafted helps you master system design with patience. We believe in curiosity-led engineering, reflective writing, and designing systems that make future changes feel calm.