What is: ARP (Address Resolution Protocol), ARP Cache Table, ARP Poisoning/ Broadcast Storm

In this article, let us first look at an example of what happens when two computers, C1 and C2, try to communicate with each other and, through this example, understand what ARP (Address Resolution Protocol) and the ARP cache table are and why they are required. We will also briefly discuss ARP poisoning and ARP broadcast storms. It is important to understand ARP to troubleshoot a network successfully.

What happens when one computer (C1) wants to communicate with another computer (C2) in a LAN segment?

When it comes to Layer 2 communication between networked systems, the IP address is not used: within a LAN segment, computers identify and communicate with each other using the MAC address. So, when computer C1 has the target IP address of the computer C2 it wants to communicate with,

  • It first looks at its own ARP cache (a table that contains the IP addresses and their corresponding MAC addresses for computers/systems within the network) to see if it already has the MAC address of the computer (C2) it wants to communicate with.
  • If the MAC address of C2 is present in its ARP cache table, it can then add the corresponding MAC address to the frame and send it over the network (cable, switch).
  • If the MAC address of C2 is not present in its ARP cache table, C1 broadcasts an ARP request message to all the computers/systems in the network, indicating that it wants the MAC address for the IP address in its possession.
  • This ARP request is received by all the systems in the network, but only the computer with the target IP address (C2) responds to C1, with an ARP reply message indicating its MAC address.
  • Now that C1 has both the IP address and the MAC address of C2, it communicates with C2 using this information. In the process, both C1 and C2 update their ARP cache tables with the newly acquired information so that the ARP broadcast can be avoided next time.

What is ARP (Address Resolution Protocol)?

As you can see in the above example, ARP (Address Resolution Protocol) is used to translate an IP address into a MAC address. There are two types of ARP messages: the ARP request, which is broadcast to all the systems in a LAN segment, and the ARP reply, which is unicast to the requesting station alone. ARP messages contain the source and destination IP addresses and MAC addresses (if available), among other information.

The Address Resolution Protocol is used within a single LAN segment and cannot be routed to a different network. A gratuitous ARP message is broadcast to all the systems in a LAN segment when a system is just starting up or when its IP address or MAC address has changed. This enables the computers in the LAN to update their ARP cache tables accordingly. This message does not solicit a response.
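The exchange between C1 and C2 described above, together with the request/reply message layout and the gratuitous ARP case, as an added example that is not part of the original article. It builds and parses ARP packets in the RFC 826 Ethernet/IPv4 layout and simulates two hosts with ARP caches; the addresses and the Host class are constructed for illustration.

```python
import struct

# ARP on Ethernet/IPv4 (RFC 826): hw type, proto type, hw len, proto len, opcode,
# sender MAC, sender IP, target MAC, target IP (28 bytes, network byte order)
ARP_FMT = "!HHBBH6s4s6s4s"
HTYPE_ETHERNET, PTYPE_IPV4 = 1, 0x0800
OP_REQUEST, OP_REPLY = 1, 2
ZERO_MAC = "00:00:00:00:00:00"   # target MAC is unknown in a request

def mac_to_bytes(mac): return bytes.fromhex(mac.replace(":", ""))
def bytes_to_mac(b): return ":".join(f"{x:02x}" for x in b)
def ip_to_bytes(ip): return bytes(int(o) for o in ip.split("."))
def bytes_to_ip(b): return ".".join(str(x) for x in b)

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    return struct.pack(ARP_FMT, HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op,
                       mac_to_bytes(sender_mac), ip_to_bytes(sender_ip),
                       mac_to_bytes(target_mac), ip_to_bytes(target_ip))

def parse_arp(packet):
    htype, ptype, hlen, plen, op, smac, sip, tmac, tip = struct.unpack(ARP_FMT, packet[:28])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op, "sender_mac": bytes_to_mac(smac), "sender_ip": bytes_to_ip(sip),
            "target_mac": bytes_to_mac(tmac), "target_ip": bytes_to_ip(tip)}

class Host:
    """Constructed LAN host with an ARP cache (C1 and C2 in the article)."""
    def __init__(self, ip, mac):
        self.ip, self.mac, self.cache = ip, mac, {}
    def resolve(self, target_ip):
        """Cache hit: return the MAC. Cache miss: return the ARP request to broadcast."""
        if target_ip in self.cache:
            return self.cache[target_ip], None
        return None, build_arp(OP_REQUEST, self.mac, self.ip, ZERO_MAC, target_ip)
    def receive(self, packet):
        """RFC 826 merge rule: refresh a known sender, learn a new one only if we are
        the target (so a gratuitous ARP refreshes existing entries only)."""
        arp = parse_arp(packet)
        if arp["sender_ip"] in self.cache or arp["target_ip"] == self.ip:
            self.cache[arp["sender_ip"]] = arp["sender_mac"]
        if arp["op"] == OP_REQUEST and arp["target_ip"] == self.ip:
            return build_arp(OP_REPLY, self.mac, self.ip, arp["sender_mac"], arp["sender_ip"])
        return None

def demo():
    """Walk through the C1 -> C2 exchange; returns (miss, hit, second request, C2's entry for C1)."""
    c1 = Host("192.0.2.10", "02:00:00:00:00:01")
    c2 = Host("192.0.2.20", "02:00:00:00:00:02")
    miss, request = c1.resolve(c2.ip)      # no entry yet -> ARP request is broadcast
    reply = c2.receive(request)            # C2 learns C1 and answers with a unicast reply
    c1.receive(reply)                      # C1 learns C2 from the reply
    hit, again = c1.resolve(c2.ip)         # second lookup is served from the cache
    return miss, hit, again, c2.cache[c1.ip]
```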

In IPv6, a protocol called Neighbor Discovery Protocol (NDP) performs the same function as ARP does in IPv4.

What is an ARP Cache / Cache Table?

Since computers cannot send broadcast messages every time they need to connect to another network device, they store the IP addresses and corresponding MAC addresses of the systems they frequently communicate with in a table called the ARP cache table. All the systems in the LAN maintain this table. The entries in the ARP cache table are generally short-lived and are updated every 15-20 minutes.

Since a LAN segment consists of a number of computing devices, individual ARP table entries are removed if the system doesn't communicate with certain devices for a considerable amount of time. This is done mainly to limit the size of the ARP cache.

What is ARP Poisoning?

The Address Resolution Protocol itself doesn't come with any authentication or protection mechanism, so ARP requests and/or replies can be forged by malicious systems under the control of hackers. If a forged ARP request or reply is used to update the ARP cache of another system, the process is called ARP poisoning. This is mainly done to redirect network traffic for malicious purposes.

What is ARP broadcast storm?

ARP traffic can be around 10% of the network traffic during normal times and up to 85% of the network traffic during the abnormal conditions caused by an ARP broadcast storm. Basically, during an ARP broadcast storm, ARP requests are broadcast multiple times or to multiple systems (sometimes more than a thousand requests within a second), taking up a lot of network bandwidth and making normal network communication difficult.

This can happen for a number of reasons, some of which are given below:

  • An ARP request for a non-existent host triggers a series of ARP messages within a short interval of time; only eventually does ARP give up.
  • A virus/malware on a system can generate a lot of ARP broadcast messages in order to create a DoS type of network attack.
  • If there are loops within the network that are not prevented by protocols like STP/RSTP, ARP requests are looped back and forth between switches, creating an ARP broadcast storm.
  • Incorrect router configuration or a Network Interface Card/network switch malfunction can also create ARP broadcast storms.

A large unsegmented network is especially susceptible to excessive ARP broadcasts and broadcast storms, so it is always good practice to subdivide a large network into segments (using VLANs, etc.) and enable inter-VLAN routing using Layer-3 switches. This limits each broadcast domain to a limited number of systems.

So, the next time there is congestion in the network, you can check for ARP broadcast storms as well. You can use network monitoring tools like Wireshark to watch for abnormal ARP activity.
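As an added example (not part of the original article), the two kinds of abnormal ARP activity described above, poisoning and broadcast storms, checked over a constructed list of ARP events such as a monitor could extract from a Wireshark capture. A reply that nobody requested, or one that changes the MAC already recorded for an IP, is an indicator of poisoning; a burst of requests in one second beyond a threshold is an indicator of a storm. The event list, addresses and threshold are constructed assumptions.

```python
from collections import Counter

# Constructed sample ARP events: (second, opcode, sender_ip, sender_mac, target_ip).
# opcode 1 = request, 2 = reply. Addresses are documentation-range placeholders.
EVENTS = [
    (0, 1, "192.0.2.10", "02:00:00:00:00:01", "192.0.2.1"),
    (0, 2, "192.0.2.1",  "02:00:00:00:00:aa", "192.0.2.10"),  # gateway answers with its real MAC
    (1, 1, "192.0.2.11", "02:00:00:00:00:03", "192.0.2.1"),
    (1, 2, "192.0.2.1",  "02:00:00:00:00:aa", "192.0.2.11"),
    (5, 2, "192.0.2.1",  "02:00:00:00:00:ee", "192.0.2.10"),  # nobody asked; gateway IP now claims a new MAC
] + [(9, 1, "192.0.2.50", "02:00:00:00:00:05", f"192.0.2.{n}") for n in range(2, 202)]  # 200 requests in 1 s

def detect_poisoning(events):
    """Flag replies with no matching request and replies that change an IP's known MAC.
    A MAC change can be legitimate (NIC replaced, DHCP reassignment), so treat it as an
    indicator to investigate rather than proof of an attack."""
    first_mac, pending, alerts = {}, set(), []
    for sec, op, sip, smac, tip in events:
        if op == 1:                              # request: remember who asked for what
            pending.add((tip, sip))
            continue
        if (sip, tip) in pending:                # reply matches an outstanding request
            pending.discard((sip, tip))
        else:
            alerts.append((sec, "unsolicited reply", sip, smac))
        if first_mac.setdefault(sip, smac) != smac:
            alerts.append((sec, "mac changed", sip, smac))
    return alerts

def detect_storm(events, threshold=100):
    """Return (second, request count) for every second whose ARP request count exceeds threshold."""
    per_sec = Counter(sec for sec, op, *_ in events if op == 1)
    return sorted((sec, n) for sec, n in per_sec.items() if n > threshold)
```

Both checks operate on the same flat event tuples, so the output of any capture tool can be fed in once it is reduced to those five fields.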
