Latest revision as of 15:11, 5 September 2024
ARP
ARP stands for Address Resolution Protocol; it uses EtherType 0x0806.
An ARP request is a packet broadcast on the network: "Hey, who is 10.230.20.1, tell me your MAC address!", and that system replies: "I'm 10.230.20.1, my MAC address is XX:XX:XX:XX:XX:XX". All systems that have seen this reply then record in their dynamic ARP table that 10.230.20.1 is at XX:XX:XX:XX:XX:XX. Depending on the OS, the record in the table expires and the resolution process repeats. Usually this is 300 seconds.
ARP spoofing[1]
ARP spoofing is also called ARP cache poisoning or ARP poison routing.
ARP spoofing abuses the basic ARP mechanism for malicious purposes. If a malicious system replies faster than the genuine system on the same network, you are in trouble, because all packets to and from the genuine system will go to the malicious system instead. This is called ARP spoofing.
ARP Tables
We can put static entries into the ARP (MAC to IP) table of each computer. If there is a static entry for an IP address, that entry never expires: the system never sends an ARP resolution request for that IP and always uses the MAC address from the static entry. In Linux, it is done like this:
ip neighbour add 192.168.1.5 lladdr 00:60:6e:10:24:a5 dev eth1
ip neighbour change 10.230.200.1 lladdr d0:14:11:40:19:e0 dev eth1
If there is already a dynamic entry in the ARP table, replace "add" with "change". We can see the table (all static and dynamic entries and their expiration status) with "ip neigh show".
$ ip neigh show
192.168.1.202 dev bond0 lladdr 00:19:d1:02:e2:a7 STALE
10.230.200.1 dev bond0 lladdr d0:14:11:40:19:e0 STALE
192.168.1.5 dev bond0 lladdr 00:60:6e:10:24:a5 STALE
10.230.200.8 dev bond0 FAILED
192.168.1.12 dev bond0 lladdr 3c:ec:ef:73:66:e0 DELAY
192.168.1.222 dev bond0 lladdr 00:15:58:c6:87:11 REACHABLE
192.168.1.101 dev bond0 lladdr 00:11:32:98:40:8b REACHABLE
10.230.200.22 dev bond0 lladdr 3c:ec:ef:73:66:e0 STALE
192.168.1.80 dev bond0 FAILED
To persist this across reboots, use an /etc/ethers file, i.e. put the MAC addresses of important systems into that file to prevent spoofing. On Ubuntu, we can certainly create and edit /etc/ethers[2] (https://manpages.ubuntu.com/manpages/focal/man5/ethers.5.html)
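A pinned list is also useful as a detection baseline. The following is an added example, not part of the original page: it compares an ethers-style pin list (MAC first, then IP, as in ethers(5)) against "ip neigh show" output and reports pinned IPs that currently resolve to a different MAC, plus MACs that answer for more than one IP. The sample data, the function names and the treatment of "#" as a comment marker are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample in ethers(5) layout: MAC first, then IP address.
ETHERS = """\
# pinned systems ('#' comments are an assumption of this example)
d0:14:11:40:19:e0  10.230.200.1
00:60:6e:10:24:a5  192.168.1.5
"""

# Constructed `ip neigh show` output; 10.230.200.1 carries an unexpected MAC.
NEIGH = """\
192.168.1.202 dev bond0 lladdr 00:19:d1:02:e2:a7 STALE
10.230.200.1 dev bond0 lladdr 3c:ec:ef:73:66:e0 REACHABLE
192.168.1.5 dev bond0 lladdr 00:60:6e:10:24:a5 STALE
10.230.200.8 dev bond0 FAILED
192.168.1.12 dev bond0 lladdr 3c:ec:ef:73:66:e0 DELAY
"""

NEIGH_RE = re.compile(r"^(\S+) dev (\S+)(?: lladdr ([0-9a-fA-F:]{17}))?")

def parse_ethers(text):
    """Return {ip: mac} from ethers-style lines, skipping comments and blanks."""
    pins = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            pins[fields[1]] = fields[0].lower()
    return pins

def parse_neigh(text):
    """Return {ip: mac} for neighbour entries that have a resolved lladdr."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m and m.group(3):  # FAILED/INCOMPLETE entries carry no lladdr
            table[m.group(1)] = m.group(3).lower()
    return table

def audit(pins, table):
    """Return (pinned IPs whose observed MAC differs, MACs claiming several IPs)."""
    mismatches = {ip: (mac, table[ip]) for ip, mac in pins.items()
                  if ip in table and table[ip] != mac}
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    shared = {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}
    return mismatches, shared

if __name__ == "__main__":
    print(audit(parse_ethers(ETHERS), parse_neigh(NEIGH)))
```

A MAC shared by several IPs is only a lead to investigate, since a router or multi-homed host can legitimately answer for more than one address; a mismatch against a pinned entry is the stronger signal.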
More arp command examples are available at https://www.geeksforgeeks.org/arp-command-in-linux-with-examples/