Address Resolution Protocol (ARP)

Types of Address Resolution Protocol

Address Resolution Protocol (ARP) has several types, each serving a distinct purpose in network communication and device discovery:

• Request ARP: Used to map an unknown MAC address to a known IP address by broadcasting an ARP request within the local network. The destination device responds with its MAC address.
• Reply ARP: A unicast response sent by the device holding the requested IP address. It provides the MAC address directly to the requesting device.
• Proxy ARP: Enables a router to respond to ARP requests on behalf of another device, allowing hosts on different subnets to communicate as if they were on the same local network. This is useful for subnet bridging and legacy device compatibility.
• Gratuitous ARP: A device sends an unsolicited ARP broadcast to announce or update its IP-MAC mapping. Commonly used for IP conflict detection, failover systems, and updating ARP caches of other devices proactively.
• Reverse ARP (RARP): Allows a device to discover its own IP address using its known MAC address. This was historically used in disk-less workstations that lacked local storage and needed to retrieve IP configuration during network boot.
• Inverse ARP (InARP): Opposite of ARP and typically used in frame relay or MPLS networks. InARP maps a known Data Link Connection Identifier (DLCI) or virtual circuit to an IP address, supporting automatic route configuration in point-to-point connections.

Together, these ARP variations enable IP-to-MAC mapping across a range of network architectures and use cases from local discovery and subnet bridging to virtual circuit setup and IP conflict prevention.

What ARP cache is and why it’s essential for networking

Network devices rely on their ARP cache to maintain known IP-MAC associations and forward data packets efficiently. Each device, whether a switch, router, or endpoint maintains a local ARP cache that stores recently resolved mappings.

These caches speed up future communication by reducing the need for frequent ARP broadcasts. A typical ARP cache entry contains:

• IP address
• MAC address
• Timestamp of last usage
• Entry type (static or dynamic)

Dynamic vs. static ARP entries

Dynamic ARP entries are created automatically when a device resolves an address via an ARP request. These entries have a Time-To-Live (TTL) and expire after a set duration or period of inactivity.

Static ARP entries are manually configured and persist until removed. They are often used in critical systems or security contexts where the MAC-IP mapping must not change.

Managing and clearing the ARP cache

To ensure accuracy and performance:

• ARP caches should be periodically refreshed to avoid outdated or incorrect mappings.
• Network admins can manually flush the ARP cache using built-in OS or device commands (e.g., arp -d in Windows).
• Insecure or misconfigured ARP caches may be vulnerable to ARP cache poisoning, where an attacker inserts false entries to intercept or disrupt traffic.

ARP spoofing: risks, attack vectors, and defenses

ARP cache poisoning, also known as ARP spoofing, is a deceptive technique where an attacker manipulates a device’s ARP cache to associate a trusted IP address with a rogue MAC address. This allows the attacker to intercept, reroute, or modify network traffic, compromising both confidentiality and system integrity.

To execute an ARP poisoning attack:

• The attacker listens for broadcasted ARP requests.
• They respond with a forged ARP reply, falsely claiming ownership of the requested IP address.
• The victim updates its ARP cache with the malicious IP-MAC association.
• From then on, traffic meant for the original destination is redirected to the attacker's device.

Common attacks enabled by ARP poisoning:

• Man-in-the-Middle (MITM): The attacker intercepts and modifies traffic between two devices, often without detection, allowing them to steal credentials, insert malware, or capture sensitive data.
• Denial-of-Service (DoS): Attackers flood the network with false ARP replies, causing devices to drop traffic or exhaust processing power.
• Session hijacking: By redirecting traffic, attackers can capture session cookies or authentication tokens and gain unauthorized access to apps or systems.
• DHCP starvation: By spoofing multiple MAC addresses and rapidly requesting DHCP leases, attackers can exhaust the IP pool, disrupting normal network access.
• Data exfiltration: Traffic rerouted through a rogue device can be logged and exported without users’ knowledge.

Why ARP spoofing is a serious threat in modern enterprise networks

With the rise of BYOD, IoT, and shadow IT, unmanaged or rogue devices can easily enter enterprise networks and exploit ARP spoofing to initiate more complex attacks. These threats are particularly severe in flat Layer 2 environments or when VLAN segmentation and monitoring are poorly configured.

How to defend your network against ARP spoofing:

• Dynamic ARP Inspection (DAI): Validates ARP packets against DHCP snooping bindings or manually set IP-MAC pairs.
• Network Access Control (NAC): Restricts network access to authenticated and authorized devices only.
• ARP Monitoring Tools:
  • arpwatch and XArp: Monitor ARP activity and alert admins to anomalies.
  • OpUtils’ ARP spoofing detection tool: Helps identify mismatches between known IP-MAC bindings.
• Port Security & ACLs: Limit the number of devices per port and block suspicious traffic.
• Encryption & VPNs: Add a layer of protection even if traffic is intercepted.
• Machine learning-based detection: Advanced solutions use anomaly detection algorithms like auto encoders or clustering models to detect unusual ARP patterns and spoofing attempts.

ARP cache poisoning remains one of the most stealthy and dangerous local network attacks. Deploying ARP inspection tools, enforcing access controls, and continuously monitoring ARP behavior are essential for protecting modern IP networks.

Implementation and configuration of ARP

Configuring Address Resolution Protocol (ARP) behavior is essential for maintaining accurate IP-MAC mappings, improving performance, and defending against spoofing attempts. Network admins can configure static entries, tune cache timeouts, and deploy ARP security tools across platforms.

Static ARP configuration

In environments where ARP spoofing risks are high or where critical systems must have persistent MAC mappings, static ARP entries can be manually set.

Cisco IOS example:

arp 192.168.1.10 00-1B-44-11-3A-B7 ARPA

This ensures the IP address always resolves to the correct MAC address and isn’t overridden by unsolicited ARP replies.

ARP timeout tuning:

interface FastEthernet0/0    arp timeout 600

Reducing or increasing ARP cache timeout values can help optimize resolution behavior depending on network stability.

Viewing ARP entries on Windows and Linux

In Windows:

arp -a

In Linux:

ip neigh show cat /proc/net/arp

Admins can use these commands to monitor and verify IP-MAC mappings in real time.