The ARP protocol has the advantages of simplicity and ease of use, but because it has no security mechanism it is easily exploited by attackers. ARP attacks can make network connections unstable and interrupt user communication, or use ARP spoofing to intercept user traffic and then illegally obtain account names and passwords for games, online banking, file services and other systems, causing significant losses to the attacked party.
What is ARP
Address Resolution Protocol (ARP) is a protocol used to resolve IP addresses into MAC addresses. In a local area network, when a host or other layer 3 network device has data to be sent to another host or layer 3 network device, it needs to know the other party's network layer address (that is, IP address).
The IP address alone is not enough, because an IP packet must be encapsulated in a frame before it can be sent over the physical network. Therefore, the sender also needs to know the receiver's physical address (i.e., its MAC address), which requires a mapping from IP address to MAC address. ARP provides this resolution of IP addresses to MAC addresses. A host or Layer 3 network device maintains an ARP table that stores the mapping between IP addresses and MAC addresses. ARP entries are generally of two kinds: dynamic ARP entries and static ARP entries.
Dynamic ARP entries are automatically generated and maintained by the ARP protocol through ARP messages, can be aged, can be updated by new ARP messages, and can be overwritten by static ARP entries.
ARP address resolution process:
Dynamic ARP completes address resolution through the two processes of broadcast ARP request and unicast ARP response.
First, Host_1 looks up its locally cached ARP table to determine whether it contains an ARP entry for Host_3. If Host_1 finds the MAC address corresponding to Host_3 in the ARP table, it uses that MAC address directly to encapsulate the data packet in a frame and sends it to Host_3. If Host_1 cannot find the MAC address corresponding to Host_3 in the ARP table, it first caches the data packet and then sends an ARP request message in broadcast mode. As shown in the picture above, an OP field of 1 indicates that the message is an ARP request. The source MAC address and source IP address in the ARP request are the MAC address and IP address of Host_1, the destination MAC address is the all-zero MAC address, and the destination IP address is the IP address of Host_3. For details about the ARP message format, see ARP Message Format.
After Router_1 receives the ARP request message, it forwards the ARP request message to the same broadcast domain.
Hosts Host_2 and Host_3 in the same broadcast domain both receive the ARP request message, but only the requested host (i.e., Host_3) processes it. Host_3 compares its own IP address with the destination IP address in the ARP request message; when the two are the same, it does the following: it stores the source IP address and source MAC address from the ARP request message (that is, the IP address and MAC address of Host_1) in its own ARP table, and then sends an ARP response message to Host_1 in unicast mode. The content of the ARP response message is shown in the picture above: an OP field of 2 indicates that the message is an ARP response, the source MAC address and source IP address are the MAC address and IP address of Host_3, and the destination MAC address and destination IP address are the MAC address and IP address of Host_1.
After Router_1 receives the ARP response message, it forwards it to Host_1. After Host_1 receives the ARP response message, it adds the MAC address of Host_3 to its ARP table for subsequent forwarding, encapsulates the cached data packet in a frame, and sends it to Host_3.
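The request/response exchange described above, worked through in code. This is an added example, not code from the original page; the addresses of Host_1, Host_2 and Host_3 are constructed sample values, and the 28-byte Ethernet/IPv4 ARP layout (HTYPE, PTYPE, HLEN, PLEN, OP, sender MAC/IP, target MAC/IP) is encoded with `struct`.

```python
import struct
from ipaddress import IPv4Address

OP_REQUEST, OP_REPLY = 1, 2
ZERO_MAC = b"\x00" * 6                      # destination MAC carried in a broadcast ARP request
# Constructed sample addresses for Host_1 and Host_3 (assumed; the page gives none).
HOST1_MAC, HOST1_IP = bytes.fromhex("02000000aa01"), "192.0.2.1"
HOST3_MAC, HOST3_IP = bytes.fromhex("02000000aa03"), "192.0.2.3"
ARP_FMT = "!HHBBH6s4s6s4s"                  # HTYPE, PTYPE, HLEN, PLEN, OP, SHA, SPA, THA, TPA = 28 bytes

def build_arp(op, sha, spa, tha, tpa):
    """Encode an Ethernet/IPv4 ARP message (HTYPE=1, PTYPE=0x0800, HLEN=6, PLEN=4)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                       sha, IPv4Address(spa).packed, tha, IPv4Address(tpa).packed)

def parse_arp(data):
    """Decode the 28-byte ARP payload; reject anything that is not Ethernet/IPv4 ARP."""
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, data[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP message")
    return {"op": op, "sha": sha, "spa": str(IPv4Address(spa)),
            "tha": tha, "tpa": str(IPv4Address(tpa))}

class Host:
    def __init__(self, mac, ip):
        self.mac, self.ip, self.arp_table = mac, ip, {}   # ip -> mac, dynamic entries only

    def resolve(self, target_ip):
        """Use the cached entry if present; otherwise emit a broadcast ARP request (OP=1)."""
        if target_ip in self.arp_table:
            return None
        return build_arp(OP_REQUEST, self.mac, self.ip, ZERO_MAC, target_ip)

    def receive(self, data):
        """Only the host whose IP equals TPA learns the sender and, for a request, replies with OP=2."""
        msg = parse_arp(data)
        if msg["tpa"] != self.ip:
            return None
        self.arp_table[msg["spa"]] = msg["sha"]
        if msg["op"] == OP_REQUEST:
            return build_arp(OP_REPLY, self.mac, self.ip, msg["sha"], msg["spa"])

def run_exchange():
    """Replay the Host_1 -> Host_3 resolution; Host_2 shares the broadcast domain but stays silent."""
    host1, host3 = Host(HOST1_MAC, HOST1_IP), Host(HOST3_MAC, HOST3_IP)
    host2 = Host(bytes.fromhex("02000000aa02"), "192.0.2.2")
    request = host1.resolve(HOST3_IP)
    replies = [r for h in (host2, host3) if (r := h.receive(request))]
    host1.receive(replies[0])                          # unicast reply reaches Host_1
    return host1.arp_table, host3.arp_table, len(replies)
```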
A static ARP entry is a fixed mapping between an IP address and a MAC address established manually by the network administrator. Static ARP entries are never aged and are not overwritten by dynamic ARP entries. Under normal circumstances, devices in the network learn ARP entries dynamically through the ARP protocol, and the resulting dynamic entries can be aged and updated. However, when an ARP attack occurs on the network, the dynamic ARP entries on a device may be updated to incorrect mappings or may be aged out, causing abnormal communication between legitimate users. Because static ARP entries are neither aged nor overwritten by dynamic entries, they help secure network communication. A static ARP entry restricts the local device to using only the specified MAC address when communicating with the peer that has the specified IP address, so attack packets cannot modify the IP-to-MAC mapping in the local device's ARP table, and normal communication between the local device and the peer device is protected. Static ARP entries are generally configured for the gateway device.
A device can also send an ARP request whose destination IP address is its own IP address. This is called gratuitous ARP. Gratuitous ARP has the following functions:
① Address conflict detection: When the protocol status of a device interface goes Up, the device sends gratuitous ARP packets. Under normal circumstances no ARP response is received; if one is received, it indicates that another device in the network is using the same IP address. If an IP address conflict is detected, the device periodically broadcasts a gratuitous ARP response message until the conflict is resolved.
② Advertising a new MAC address: When the sender has replaced its network card and its MAC address has changed, it can send a gratuitous ARP to notify other devices in the network before their dynamic ARP entries age out.
③ Notifying a master/backup switchover in a VRRP backup group: After a master/backup switchover occurs, the new Master device broadcasts a gratuitous ARP message to announce the change.
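The two protective behaviours described above, modelled in code: static entries resisting an incorrect update (the point of the static ARP entry paragraph) and gratuitous ARP address conflict detection (function ①). This is an added example, not the page's or any vendor's implementation; hosts, MACs and IPs are constructed sample values, and ARP messages are represented as plain dictionaries rather than encoded packets.

```python
from dataclasses import dataclass

ZERO_MAC = "00:00:00:00:00:00"   # destination MAC of a broadcast ARP request

@dataclass
class ArpEntry:
    mac: str
    static: bool = False         # static entries are never aged and never overwritten by learning

class Host:
    def __init__(self, mac, ip):
        self.mac, self.ip, self.table = mac, ip, {}      # table: ip -> ArpEntry

    def add_static(self, ip, mac):
        """Administrator-configured fixed mapping, typically pinned for the gateway."""
        self.table[ip] = ArpEntry(mac, static=True)

    def learn(self, ip, mac):
        """Dynamic learning from a received ARP message; refused while a static entry exists."""
        if ip in self.table and self.table[ip].static:
            return False
        self.table[ip] = ArpEntry(mac)
        return True

    def receive(self, msg):
        """Process one ARP message; answer requests whose target IP is ours."""
        if msg["tpa"] != self.ip:
            return None                                    # not addressed to this host
        if msg["spa"] != self.ip:
            self.learn(msg["spa"], msg["sha"])             # learn the sender's mapping
        if msg["op"] == 1:                                 # includes another device probing our IP
            return {"op": 2, "sha": self.mac, "spa": self.ip, "tha": msg["sha"], "tpa": msg["spa"]}
        return None

def gratuitous_probe(prober, others):
    """Address conflict detection at link-up: request our own IP (SPA == TPA).
    Normally nobody answers; each reply names a device already holding that IP."""
    probe = {"op": 1, "sha": prober.mac, "spa": prober.ip, "tha": ZERO_MAC, "tpa": prober.ip}
    return [r["sha"] for h in others if (r := h.receive(probe))]

def static_entry_protection(victim, gateway_ip, real_mac, forged_mac):
    """Show how the same incorrect reply overwrites a dynamic gateway entry but not a static one."""
    forged = {"op": 2, "sha": forged_mac, "spa": gateway_ip, "tha": victim.mac, "tpa": victim.ip}
    victim.learn(gateway_ip, real_mac)        # entry learned dynamically, as in normal operation
    victim.receive(forged)
    after_dynamic = victim.table[gateway_ip].mac
    victim.add_static(gateway_ip, real_mac)   # administrator pins the real mapping
    victim.receive(forged)
    return after_dynamic, victim.table[gateway_ip].mac
```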