ARP and RARP
pdf file on ARP spoofing - the urls in the pdf are out of date
http://packetstormsecurity.org/papers/protocols/intro_to_arp_spoofing.pdf
We now know how a packet is sent to a host using a MAC address. The difficulty now is acquiring the MAC address of the host to which we want to send the packet. The file /etc/hosts (or a name server) maps names to IP addresses, so the IP address is available to us, but the MAC address is not. This problem is addressed using ARP (Address Resolution Protocol). In essence, when a system needs to send a packet to a host, it broadcasts an ARP request; that is, it sends a broadcast to the MAC address ff:ff:ff:ff:ff:ff. This packet contains the IP address of the destination host. All hosts on the link-local network pick up the request and compare the IP address to their own IP address. If the IP address matches, that host sends an ARP reply back to the requesting host with its MAC address.
ARP is also used in DHCP to establish whether an IP address has already been assigned. When a DHCP client requests a dynamically allocated address (but not when it has a static address!) the DHCP server selects an IP address from its table of available dynamic addresses, then sends out ARP requests for that address. If there is no response, the server assumes that the address is unused and sends it to the client. When an interface comes up, either at boot time or using ifconfig, it also sends out a single ARP packet containing its own MAC address and IP address. This is called the "gratuitous ARP"; every host on the local link receives this MAC and IP address and uses it to update its ARP table. Since it is an unsolicited entry, it will last only 5 minutes in the ARP table, and may not be very useful. It is, however, how a bridge or a switch establishes which systems are in which collision domain. If a second system boots with the same IP address as an existing system, its gratuitous ARP will populate the ARP tables of systems on the network, and they will direct packets to the new system.
ARP table: Once this MAC address has been returned to the requesting computer, it is stored in an ARP table, so that it can be used for the remaining transmissions. Any system which read the original ARP request, including the system sending the reply, also caches the sending host's MAC address, since it is likely that it will need it for replies to the sent packet. Such an entry is called "unsolicited", while a requested entry is "solicited". If an ARP entry was requested with an ARP request, it will stay in the ARP table for 18-22 minutes after the last use of the address. This number is called its "time to live" (TTL). If it was unsolicited, it will stay in the ARP table for 3-7 minutes. The time to live values can be set using ndd /dev/ip ip_ire_arp_interval <time in milliseconds>, which determines the solicited TTL, and ndd /dev/arp arp_cleanup_interval <time in milliseconds>, which determines the unsolicited TTL.
ARP table management: The ARP table can be displayed with netstat -pn or arp -a. Specific entries can be viewed with arp <hostname or IP>. Entries can be added with arp -s <hostname> <MAC>, which creates a permanent entry that lasts until the next reboot, or with arp -f <filename>, which reads entries into the ARP table from a file. Both methods of adding entries can be "published" with the addition of the keyword "pub" at the end of the command line or file line. If an ARP table contains a published entry, the host will respond to ARP requests for that entry. Published entries might be necessary for printers, which cannot respond to ARP requests themselves, or for security reasons to prevent ARP spoofing. In ARP spoofing, another computer responds with its own MAC address to a request for the MAC of the intended destination computer. Published entries protect against ARP spoofing, since they are manually entered, permanent and definitive, so a forged reply cannot overwrite them. You must turn off automatic ARP updating on the interface whose MAC you are publishing with ifconfig <interface> -arp and manage your ARP table manually. File entries can be made static, or permanent, but will otherwise be temporary, in which case they will be removed if not used in 20 minutes. Entries can also be deleted with arp -d <hostname/IP address>. The ifconfig command can also be used to manage the ARP table: ifconfig <interface> <local host name> flushes all but permanent entries from the ARP table.
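As an added example (not from the original notes), a small Python model of the behaviour described above: it decodes ARP frames, keeps a cache with the solicited and unsolicited TTLs from the notes, and flags a reply that changes the MAC of a still-live entry, which is exactly the overwrite a published entry guards against. The constants, the ArpCache class and the constructed sample frames are assumptions for illustration, not Solaris code.

```python
import struct

# Added example, not from the notes: a model of the ARP cache the notes describe.
ETH_ARP = 0x0806
OP_REQUEST, OP_REPLY = 1, 2
SOLICITED_TTL, UNSOLICITED_TTL = 20 * 60, 5 * 60  # seconds, the notes' default TTLs

def _mac(b): return ":".join(f"{x:02x}" for x in b)
def _ip(b): return ".".join(str(x) for x in b)

def parse_arp(frame):
    """Decode an Ethernet II frame carrying ARP (RFC 826) into
    (op, sender_mac, sender_ip, target_mac, target_ip)."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol types")
    return op, _mac(frame[22:28]), _ip(frame[28:32]), _mac(frame[32:38]), _ip(frame[38:42])

class ArpCache:
    """Solicited entries (answers to our own request) get the long TTL, anything
    overheard gets the short one; a reply that changes the MAC of a live entry is flagged."""
    def __init__(self, my_ip):
        self.my_ip, self.pending, self.table = my_ip, set(), {}  # ip -> (mac, expiry)

    def sent_request(self, ip):
        self.pending.add(ip)            # we asked, so the matching reply is solicited

    def observe(self, frame, now):
        """Feed one captured frame; returns an alert string or None."""
        op, smac, sip, _, tip = parse_arp(frame)
        known = self.table.get(sip)
        if known and known[1] > now and known[0] != smac:
            return f"conflict: {sip} was {known[0]}, now claimed by {smac}"
        if op == OP_REPLY and tip == self.my_ip and sip in self.pending:
            self.pending.discard(sip)
            ttl = SOLICITED_TTL
        else:
            ttl = UNSOLICITED_TTL       # overheard request, gratuitous ARP or unasked reply
        self.table[sip] = (smac, now + ttl)
        return None

def make_arp(op, smac, sip, tmac, tip):
    """Builds constructed sample frames for testing (requests go to ff:ff:ff:ff:ff:ff)."""
    h = lambda m: bytes.fromhex(m.replace(":", ""))
    i = lambda a: bytes(int(x) for x in a.split("."))
    dst = h("ff:ff:ff:ff:ff:ff") if op == OP_REQUEST else h(tmac)
    hdr = struct.pack("!HHHBBH", ETH_ARP, 1, 0x0800, 6, 4, op)
    return dst + h(smac) + hdr + h(smac) + i(sip) + h(tmac) + i(tip)
```

A gratuitous ARP from a second host booting with a duplicate address shows up as the same conflict alert, since it arrives as an unasked frame for an IP the cache already holds.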
RARP: Reverse Address Resolution Protocol is used when a system knows its MAC address but not its IP address. This is used by diskless and JumpStart clients. When a diskless or JumpStart client boots, it reads its MAC address and then broadcasts it in a RARP request. A server running in.rarpd (started by /etc/init.d/boot.server in run level 3 if /tftpboot exists) picks up the request and checks the file /etc/ethers for a MAC address to hostname mapping for the requesting system. If the server finds the client's MAC address in /etc/ethers, it uses the file /etc/inet/hosts to locate the corresponding IP address, which it then returns to the client.
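The two-step lookup in.rarpd performs, as an added Python example that is not part of the notes or of Solaris: a MAC is matched against constructed /etc/ethers contents to obtain a hostname, and that hostname (or an alias) is matched against constructed /etc/hosts contents to obtain the IP. The sample file contents and the function names are assumptions for illustration.

```python
import re

# Constructed sample files (not from the notes). Formats follow ethers(4) and hosts(4):
# '#' starts a comment, fields are whitespace-separated, hosts lines may carry aliases.
ETHERS = """\
# MAC address        hostname
8:0:20:1a:2b:3c      client1      # ethers permits unpadded hex octets
08:00:20:aa:bb:cc    client2
"""
HOSTS = """\
127.0.0.1      localhost
192.168.1.10   client1.example.test client1
192.168.1.11   client2
"""

def canon_mac(mac):
    """Normalise 'a:b:c:d:e:f' style MACs to zero-padded lower-case octets."""
    parts = mac.lower().split(":")
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9a-f]{1,2}", p) for p in parts):
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(p.zfill(2) for p in parts)

def _records(text):
    """Yield the whitespace-separated fields of each non-comment, non-empty line."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields:
            yield fields

def rarp_lookup(mac, ethers=ETHERS, hosts=HOSTS):
    """MAC -> hostname via ethers, then hostname -> IP via hosts.
    Returns None when either step fails, the case in which no RARP reply is sent."""
    want = canon_mac(mac)
    name = next((f[1] for f in _records(ethers) if canon_mac(f[0]) == want), None)
    if name is None:
        return None
    for fields in _records(hosts):
        if name in fields[1:]:          # canonical name or any alias on the line
            return fields[0]
    return None
```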
Acronyms:
ARP/RARP - Address Resolution Protocol/Reverse Address Resolution Protocol: two protocols that work in both layer 2 and layer 3 of the TCP/IP model to resolve IP addresses to MAC addresses (ARP) or MAC addresses to IP addresses (RARP).
TTL - Time To Live: the period during which entries are stored in the ARP cache. They stay in the cache for 3-7 minutes if unsolicited, and 18-22 minutes if solicited.
Definitions:
arp request - the system knows the IP address of its destination, and sends a request on the network for the MAC address.
in.rarpd - the RARP daemon, started by nfs.server, responsible for responding to RARP requests.
permanent entry - an entry added by root to the ARP table which remains until reboot.
RARP request - the system knows its own MAC address and sends a request to the network for its IP address.
solicited entry - an entry added to the ARP table as the result of an ARP request. Time to Live is set to 20 minutes by default.
unsolicited entry - an entry added to the ARP table as the result of an ARP reply. Time to Live is set to 5 minutes by default.
Commands:
arp - ARP table management command
-a - show the ARP table. Same as netstat -p.
-f <filename> - update the ARP table from the given file. Format of an arp file line: <hostname> <MAC address> <temp|pub> (temporary or published; no flag means static and unpublished).
-d <host/IP_address> - delete the specified entry from the ARP table.
-s <hostname> <MAC address> - add static (permanent) entry to ARP table.
-s <hostname> <MAC address> <pub> - add static published entry.
<hostname> - list the named host's entry in the ARP table.
snoop -v <arp|rarp> - shows arp or rarp requests.
in.rarpd -ad start in.rarpd in debug mode
netstat -pn - list the arp table (in numerical form, since n is added).
ifconfig <interface> <hostname> flushes the arp table of all but permanent entries.
ifconfig <interface> -arp - turn off ARP responses for that interface. Do this to prevent ARP spoofing. You will also need to publish a MAC on a server for the interface you turned off.
ndd /dev/ip ip_ire_arp_interval - gets the TTL for solicited entries in the ARP table; ndd -set /dev/ip ip_ire_arp_interval <time in milliseconds> sets it. 20 mins by default (1,200,000 milliseconds).
ndd /dev/arp arp_cleanup_interval - gets the TTL for unsolicited entries; ndd -set /dev/arp arp_cleanup_interval <time in milliseconds> sets it. 5 minutes by default (300,000 milliseconds).
ndd /dev/ip ip_ire_timer_interval - gets the TTL for incomplete or unknown entries; ndd -set /dev/ip ip_ire_timer_interval <time in milliseconds> sets it. 1 minute by default (60,000 milliseconds).
boot net:rarp (at ok prompt) - force system to perform a boot using RARP
Files:
/etc/ethers file used by in.rarpd which contains MAC address to hostname mappings for diskless and JumpStart clients.
/etc/hosts file used by in.rarpd which contains IP address to hostname mappings.
Misc:
ARP cache flags:
P - published: this host will respond to requests for this MAC address even if those requests are not directed to it.
M - multicast: ARP entry for a multicast address.
U - incomplete: has the IP address but not the MAC address.
S - static, or permanent: the entry is added by root and will stay there until reboot.
The values listed for the ARP caching parameters are in milliseconds, so 60000 represents one minute. /dev/ip ip_ire_timer_interval is the caching time for incomplete/unknown entries.