Address Resolution Protocol and its Security
ARP is used when?
A new node is added to a LAN or two nodes in a LAN haven't communicated recently.
Address Resolution Protocol (ARP)
A protocol or procedure that connects an ever-changing Internet Protocol address to a fixed physical machine address, also known as a MAC address, in a local area network.
ARP Cache
A table where the MAC addresses of devices are stored for future.
The sender is a host and wants to send a packet to another host on the same network. How would you accomplish this using ARP?
Use ARP request to find another host's physical address.
The sender is a router that has received a datagram destined for a host in the same network?
Use ARP request to find this host's physical address.
ARP Spoofing can be prevented by?
Using a VPN, Static ARP or Packet filtering
Why do we need ARP? What would happen without ARP in place (no known MAC address)?
We wouldn't be able to send packets to specific devices, and no communications other than broadcasting messages on every LAN. This would cause huge performance and packet overload on networks leading to a lack of communication between devices.
ARP works between what layers?
Data link layer, Network Layer
How does a VPN prevent ARP spoofing?
Devices connect through an encrypted tunnel which makes all communication encrypted. Worthless for ARP spoofing attackers.
ARP Spoofing can be used to perform what types of attacks?
DoS or MiTM
ARP messages are directly?
Encapsulated by a link layer protocol.
Manual (static) ARP Entries
Entries in the ARP cache manually rather than using ARP request and reply.
MAC address
Establishes and terminates a connection between two physically connected devices so that data transfer can take place.
ARP Packet Format?
Hardware Type, Protocol Type, Hardware Length, Protocol Length, Operation, Sender Hardware Address, Sender Protocol Address, Target Hardware Address, Target Protocol Address.
Protocol Type
Specifies the internetwork protocol for which the ARP request is intended (for IPv4, value is 0x0800)
Hardware Type
Specifies the network link protocol type (example ethernet = 1)
Operation
Specifies the operation that the sender is performing (1 for request, 2 for reply)
ARP translates?
The 32-bit address (IPv4) to 48 (MAC) and vice versa.
What layer is ARP at? Why?
ARP Packets are not routable, nor do they have IP headers. ARP is a broadcast frame that is sent on the layer 2 segments. ARP operates only at L2 but "provides services" to L3.
ARP poison routing or ARP cache poisoning
ARP Spoofing
ARP Spoofing attacker must have?
Access to the network to scan the network to determine IP addresses of at least two devices.
ARP messages are never routed?
Across internetworking nodes.
ARP Request is an unauthenticated request meaning that?
Any device can reply freely and state that it is the owner of that IP address.
ARP Request
Broadcasting a packet over the network to validate whether we came across the destination MAC address or not.
Each node has a table of?
IP to MAC address.
How does packet filtering prevent ARP Spoofing?
Identify poisoned ARP packets by seeing that they contain conflicting source information and stop them before they reach devices on your network.
ARP Cache Timeout
Indicates the time for which the MAC address in the ARP cache can reside.
Target Protocol Address
Internetwork address of the intended receiver.
Sender Protocol Address
Internetwork address of the sender.
IP address
Layer responsible for forwarding packets of data through different routers.
Hardware Length
Length of a hardware address.
Protocol Length
Length of internetwork addresses.
How does static ARP prevent ARP Spoofing?
Lets you define a static ARP entry for an IP address, and prevent devices from listening on ARP responses for that address.
ARP Response / Reply
MAC Address response that the source receives from the destination which aids in further communication of the data.
If the ARP protocol is blocked on the network switch, how would you establish the communication with the rest of the devices on LAN?
Manually assign (static ARP)
Target Hardware Address
Media address of the intended receiver
Sender Hardware Address
Media address of the sender.
ARP is what type of protocol?
Request-response protocol.
The sender is a host and wants to send a packet to another host on another network.
Sender looks at its routing table, finds the IP addresses of the next hop (router) for this destination, uses ARP IP to find the router's physical address.
Why can ARP Spoofing attacks be dangerous?
Sensitive information can be passed between computers without the victims' knowledge.
ARP Requests include?
The physical address of the sender, the IP address of the sender, and the physical address of the receiver are FF:FF:FF:FF:FF: FF or 1's, the IP address of the receiver.
The sender is a router and received a datagram destined for a host on another network?
The router checks its routing table, finds the IP address of the next router, performs ARP IP to get the MAC address of the next router.
ARP Spoofing
Type of malicious attack in which a cyber criminal sends fake ARP message to target LAN with the intention of linking their MAC address with the IP address of a legitimate device or server within the network.