ARP

From HPCWIKI
Revision as of 15:11, 5 September 2024 by Admin

ARP stands for Address Resolution Protocol. It uses EtherType 0x0806.

An ARP request is a broadcast packet on the network: "Hey, who is 10.230.20.1? Tell me your MAC address!", and that system replies: "I'm 10.230.20.1, my MAC address is XX:XX:XX:XX:XX:XX". Then all systems that have seen this reply record in their dynamic ARP table that 10.230.20.1 is at XX:XX:XX:XX:XX:XX. Depending on the OS, the record in the table expires and the resolution process repeats. Usually this is 300 seconds.

ARP spoofing[1]

ARP spoofing is also called ARP cache poisoning or ARP poison routing.

ARP spoofing abuses the basic ARP mechanism for malicious purposes. If a malicious system replies faster than the genuine system on the same network, you are in trouble, because all packets to and from the genuine system will go to the malicious system. This is called ARP spoofing.

ARP Tables

We can put static entries into the ARP (MAC to IP) table of each computer. If there is a static entry for some IP address, the entry never expires, the system never sends an ARP resolution request for that IP, and it always uses the MAC address from the static entry. In Linux, it is done like this:

ip neighbour add 192.168.1.5 lladdr 00:60:6e:10:24:a5 dev eth1
ip neighbour change 10.230.200.1 lladdr d0:14:11:40:19:e0 dev eth1

If there is already a dynamic entry in the ARP table, replace "add" with "change". We can see the table (all static and dynamic entries and their expiration status) with "ip neigh show".

$ ip neigh show 
192.168.1.202 dev bond0 lladdr 00:19:d1:02:e2:a7 STALE
10.230.200.1 dev bond0 lladdr d0:14:11:40:19:e0 STALE
192.168.1.5 dev bond0 lladdr 00:60:6e:10:24:a5 STALE
10.230.200.8 dev bond0  FAILED
192.168.1.12 dev bond0 lladdr 3c:ec:ef:73:66:e0 DELAY
192.168.1.222 dev bond0 lladdr 00:15:58:c6:87:11 REACHABLE
192.168.1.101 dev bond0 lladdr 00:11:32:98:40:8b REACHABLE
10.230.200.22 dev bond0 lladdr 3c:ec:ef:73:66:e0 STALE
192.168.1.80 dev bond0  FAILED


To persist this across reboots, use the /etc/ethers file, i.e. put the MAC addresses of important systems into that file to prevent spoofing. On Ubuntu, we can certainly create and edit /etc/ethers.[2]


More arp command examples are on this link

References