Table of contents
- Why ARP is essential
- What is the ARP Address Resolution Protocol
- How the Address Resolution process works
- ARP Table and ARP Cache
- Gratuitous ARP
- ARP Message Format
- ARP and security: the main risks
- ARP Spoofing and Man in the Middle
- ARP-based Denial of Service (DoS)
- Techniques to mitigate ARP attacks
- Reverse Address Resolution Protocol (RARP)
- ARP in practice: a Linux example
Why ARP is essential
Have you ever wondered how a computer converts an IP address into a MAC address to send data correctly within a network?
The answer is the ARP Address Resolution Protocol. Without it, communications in your local area network (LAN) would be impossible: IP packets would have no idea which hardware address to use to reach the destination machine.
Address resolution is the bridge that links the logical world of IP addresses to the physical layer of the network, represented by MAC addresses. In this article, we’ll explore the protocol’s operation in depth, the structure of message formats, the role of the ARP table and ARP cache, and the security risks such as man-in-the-middle (MITM) attacks and denial of service based on ARP spoofing.
What is the ARP Address Resolution Protocol
The term ARP address resolution describes the process by which a host in a local area network maps an IP address to a physical address or hardware address, namely the network card’s MAC address.
The Address Resolution Protocol (ARP) is a link-layer protocol that is fundamental for the proper functioning of Ethernet and Wi-Fi networks. When a device knows the destination machine’s IP address but not its MAC address, it sends a broadcast ARP request message. The machine with that IP address replies with an ARP response containing its MAC address, thereby enabling communication.
How the Address Resolution process works
A typical address resolution protocol ARP workflow proceeds in several stages:
- A host needs to send an IP packet to another device on the same LAN.
- It checks its ARP cache to see whether an IP-to-MAC mapping already exists.
- If no entry is found, it generates an ARP request message, broadcast to all nodes on the network.
- The host that owns the corresponding IP address replies with an ARP response containing its hardware address.
- The sender updates its ARP table with the new association and forwards the packets.
This mechanism avoids repetitive requests thanks to caching of the responses.
ARP Table and ARP Cache
Every device maintains an ARP table (or ARP cache) that contains associations between IP addresses and MAC addresses. This table is dynamic: it updates automatically with the responses received and can contain temporary or permanent entries.
- Dynamic ARP cache
Entries have a limited lifetime and expire if no longer used. - Static ARP cache
Associations are inserted manually by the administrator and remain fixed, reducing the risk of attacks but increasing management complexity.
Gratuitous ARP
A particular concept is gratuitous ARP, namely a packet sent by a host without any explicit prior request. It serves various purposes:
- Updating other devices’ ARP tables in case of an IP or MAC change.
- Checking that there are no IP address conflicts on the network.
- Announcing one’s presence on the local area network.
This type of message is also often exploited in spoofing-style attacks.
ARP Message Format
Every ARP packet has a well-defined message format, set by the standard. The main fields are:
- Hardware type
Defines the type of network (Ethernet is the most common value). - Protocol type
Identifies the upper-layer protocol (e.g., IPv4). - Hardware address length
Length of the MAC address. - Protocol address length
Length of the IP address. - Operation: specifies whether the message is an ARP request message or an ARP response.
- Sender hardware address
Sender’s MAC address. - Sender protocol address
Sender’s IP address. - Target hardware address
Recipient’s MAC (blank in requests). - Target protocol address
Recipient’s IP address.
This standardized format allows any device to interpret ARP packets correctly.
ARP and security: the main risks
The ARP protocol, while extremely useful and simple to implement, has an intrinsic weakness that makes it an ideal target for cybercriminals: it does not provide any authentication mechanism or sender identity verification. In other words, any device connected to a local area network can send ARP packets without control, arbitrarily claiming that a given IP address corresponds to its own MAC address.
This lack of validation paves the way for numerous threats, since the network relies solely on mutual trust between devices. It is enough for a malicious host to send fraudulent ARP responses for other nodes to update their ARP caches with false information. From here arise two very common and dangerous types of attack: ARP spoofing and denial of service (DoS).
ARP Spoofing and Man in the Middle
The most widespread attack linked to the address resolution protocol is ARP spoofing (or ARP poisoning). With this technique, the attacker injects counterfeit ARP packets into the network to associate their own MAC address with the IP address of another legitimate device—often the router’s gateway or a critical server.
The result is devastating: traffic that should flow to the victim is instead routed to the attacker’s machine. Once positioned “in the middle” of the communication, the attacker performs a classic man-in-the-middle (MITM). From there, they can:
- Intercept unencrypted packets and harvest credentials, emails, or credit card numbers.
- Modify data in transit, altering files, injecting malware, or changing configuration parameters.
- Selectively block traffic, preventing communication between hosts or degrading network performance.
Example
Credential theft on unsecured public Wi-Fi networks. A malicious user can forge ARP addresses, intercept HTTP connections, and log passwords or login sessions.
ARP-based Denial of Service (DoS)
Beyond interception, ARP can be leveraged to carry out a denial of service (DoS). In this case, the attacker doesn’t merely spy on data but redirects it to a non-existent IP or physical address.
The outcome is that packets are “lost” within the network, preventing the victim from communicating with other devices or with the gateway. If the attack targets the router or a switch, the entire local area network may suffer a communications blackout, making essential services—such as corporate email, VoIP, or cloud applications unavailable.
In more severe scenarios, an ARP-based DoS can be used as a diversion to hide more invasive actions, such as data theft or backdoor installation on compromised systems.
Techniques to mitigate ARP attacks
Protecting a network from address resolution protocol abuse requires a multilayered approach. Among the main strategies adopted by network administrators are:
- Static ARP entries
Manually insert IP-to-MAC associations for critical devices (servers, routers, network printers) into ARP tables. This eliminates spoofing risk for selected hosts, but it doesn’t scale well on large networks. - Dynamic ARP Inspection (DAI)
A feature available on enterprise-grade switches. The device checks every ARP request message and ARP response by comparing them against a database of valid associations (often built from DHCP snooping). If a packet doesn’t match, it is automatically blocked. - Network segmentation
Splitting the network into VLANs or subnets reduces the attack surface. Thus, even if an attacker compromises part of the network, they cannot poison the entire LAN. - VPNs and end-to-end encryption
Even if an attacker positions themselves in a man in the middle, the use of encrypted protocols (HTTPS, TLS, IPsec) makes intercepted data unintelligible. - ARP cache monitoring
Security tools can detect suspicious changes in ARP tables, for example when an IP address suddenly changes hardware address for no reason. In such cases, the system raises an alert, enabling a quick response. - ARP spoofing detection tools
Software such as Arpwatch, XArp, or IDS modules (Snort, Suricata) continuously analyze ARP traffic and flag anomalies, such as repeated gratuitous ARP or conflicts between target protocol address and physical address.
Reverse Address Resolution Protocol (RARP)
In addition to classic ARP address resolution, there is also the Reverse Address Resolution Protocol (RARP). While ARP maps IP → MAC, RARP performs the reverse operation: it associates a hardware address with its corresponding IP address.
This protocol was used primarily by diskless devices to learn their IP address at boot time. Today, it has largely been replaced by more modern protocols like BOOTP and DHCP.
ARP in practice: a Linux example
To better understand, here’s a practical example using commands available on Linux systems:
# Show the ARP table
arp -n
# Manually add an IP–MAC association
sudo arp -s 192.168.1.10 00:1A:2B:3C:4D:5E
# Remove a record from the ARP cache
sudo arp -d 192.168.1.10These commands let you manage the ARP cache directly by adding static entries or removing temporary ones.
ARP and Virtualization
In virtualized networks—such as those based on hypervisors or containers—ARP address resolution plays an even more critical role. ARP requests must be handled properly by the virtual switch to avoid conflicts and ensure that each IP address maps to the correct physical address.
In complex environments like the cloud, providers often implement advanced ARP isolation and filtering techniques to prevent internal attacks.
ARP in modern security systems
Today’s network security solutions include built-in ARP controls. Advanced firewalls and IDS/IPS systems monitor ARP packets to detect anomalies such as suspicious gratuitous ARP or sudden changes in target protocol addresses.
At the same time, next-generation protocols such as IPv6 have introduced more secure mechanisms, notably the Neighbor Discovery Protocol, which replaces ARP and adds authentication and protection features.
