Internet Security Professional Reference:IP Spoofing and Sniffing

How ARP and ARP Spoofing Work

To find the hardware address, the host sends out an ARP request using the hardware broadcast address. A frame with the hardware broadcast address reaches every network interface on the local network, and each host on the local network has its operating system interrupted by the network interface. The ARP request is essentially asking the question, “What is the hardware address corresponding to the IP address I have here?” Typically, only the host with the matching IP address sends an ARP reply and the remaining hosts ignore the ARP request. The ARP request contains the IP address of the sender of the request and reaches all hosts via a broadcast.

Other hosts could potentially store the association between the hardware address and IP address of the sender of the request for future reference. The target of the request certainly would store the association. It will almost certainly send an IP datagram in reply to the IP datagram it is about to receive. The reply will require knowing the association between the IP address and the hardware address of the sender of the ARP broadcast.

The association between the hardware address and the IP address of other machines on a network is stored in an ARP cache on each host. When an IP datagram is about to leave a host, the host consults the ARP cache to find the destination hardware address. If the host finds an entry for the IP destination address, it need not make an ARP request. The entries in an ARP cache expire after a few minutes.

Thus, when the ARP cache entry for a machine expires, an ARP request goes out to refresh the entry. No reply comes back if the target machine is down, so the entries for its interface's hardware address disappear from the ARP caches of the other machines on the network. Once those entries expire, the other machines are unable to send IP datagrams to the downed system at all; before that point, IP datagrams are still sent out but are not received. When the machine comes back up, it will again be able to reply to ARP requests. If someone replaces its interface, the now up and running machine will have a new hardware address and will use that new hardware address in ARP replies. ARP caches throughout the network will reflect the change, and IP datagrams go out using the new hardware address.

Because the association between an IP address and a hardware address is expected to change over time, a change is not in itself evidence of an attack: the change may be legitimate. Sometimes it is purely accidental. Someone may inadvertently assign a machine the same IP address held by another machine. On personal computers or special purpose devices such as network printers or X Window System terminals, the end user typically has access to a dialog box, command, or text file that sets the IP address.

On multiuser systems, the system administrator is typically the only one who can set the IP addresses of the network interface(s). This arrangement is changing, however, as more inexperienced IP-based end users with PCs set their own addresses. In addition, bureaucracies often separate system administrators and network administrators that use the same network. Under such circumstances it is common for two machines to end up with the same IP address. Duplication can occur by copying the network configuration from one personal computer to another without the end user knowing the need for IP addresses to be unique. Duplication can also occur if system administrators on a network do not work together when configuring system addressing.

When two machines end up with the same IP address, both of them will naturally reply to an ARP request for that address. Two replies to the request come back to the host that originated the request. These replies will arrive in rapid succession, typically separated by at most a few milliseconds. Some operating systems will not realize anything is wrong and simply file each reply in the ARP cache with the slowest response remaining in the ARP cache until the entry for that IP address expires. Other operating systems will discard ARP replies that correspond to IP addresses already in the cache. These may or may not bother to check if the second reply was a harmless duplicate or an indication an ARP spoof may be underway.
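The two cases described above, a legitimate binding change after an interface is replaced and two conflicting replies arriving milliseconds apart, can be told apart by watching ARP replies on the wire. The following is an added example, not code from the book; it parses raw Ethernet/ARP reply frames (constructed inline as test data, with invented MAC and IP values) and classifies a second reply for an already-known IP address by the time elapsed since the previous one.

```python
import struct

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2

def build_arp_reply(sha, spa, tha, tpa):
    """Construct an Ethernet+ARP reply frame (constructed test data, not a capture)."""
    eth = tha + sha + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY) + sha + spa + tha + tpa
    return eth + arp

def parse_arp(frame):
    """Return (oper, sender_mac, sender_ip) from an Ethernet/ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):  # Ethernet / IPv4 only
        return None
    mac = ":".join(f"{b:02x}" for b in frame[22:28])
    ip = ".".join(str(b) for b in frame[28:32])
    return oper, mac, ip

class ArpWatch:
    """Remember the sender MAC behind every IP seen in ARP replies and classify
    a later reply that claims the same IP with a different MAC."""
    def __init__(self, window=1.0):
        self.window = window      # seconds; two MACs inside this = duplicate replies
        self.bindings = {}        # ip -> (mac, timestamp of last reply)

    def observe(self, frame, ts):
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            return None
        _, mac, ip = parsed
        prev = self.bindings.get(ip)
        self.bindings[ip] = (mac, ts)
        if prev is None or prev[0] == mac:
            return None
        # Same IP answered by two hardware addresses: within the window it is the
        # rapid-succession duplicate described in the text; later, a binding change.
        kind = "duplicate" if ts - prev[1] <= self.window else "changed"
        return (kind, ip, prev[0], mac)

if __name__ == "__main__":
    legit, rogue = bytes.fromhex("00112233aabb"), bytes.fromhex("00ddeeff0011")
    asker, ip, asker_ip = bytes.fromhex("00aabbccdd01"), bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9])
    w = ArpWatch()
    print(w.observe(build_arp_reply(legit, ip, asker, asker_ip), 0.000))
    print(w.observe(build_arp_reply(rogue, ip, asker, asker_ip), 0.003))
```

A "changed" result after minutes is what a replaced interface looks like; a "duplicate" result milliseconds apart is the condition that some operating systems silently resolve by keeping either the first or the last reply.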

Thus, depending on the mechanism used to process duplicate ARP replies, if a spoofer wants to be the target of the IP datagrams being sent to a particular IP address from a particular host, it needs to make sure it is either the first or the last to reply to ARP requests made by that particular host. An easy way to be first or last is to control the only machine that replies to the ARP requests. An attacker can simply use a machine assigned, via the normal operating system configuration mechanisms, the same IP address as a machine that is currently not working. An attacker attempting to masquerade his or her machine can simply turn off the legitimate machine. The attacker does not need to have direct access to the power switch on the machine. The machine can be turned off either by unplugging it or flipping the appropriate circuit breaker.

An alternative to disconnecting its power is to disconnect it from the network at some point in the network wiring scheme. A third option is for the attacker to change the legitimate machine's IP address and leave it turned on, if he or she can reconfigure the machine. Doing so is less likely to draw attention or result in confusion from the machine's user or administrator.
