narp


The Address Resolution Protocol (ARP), detailed in RFC 826, provides a simple marriage between the link layer and the network layer. For a given subnet, any host can broadcast an ARP request for another host on the same subnet. All hosts on the network receive the broadcast, and answers are unauthenticated, making ARP the subject of many network attacks.

RFC 5227 expands upon the initial ARP specification by providing a new type of ARP frame, known as an ARP Probe. An ARP Probe is meant to prevent IP address collisions. When a host first wishes to use an IP address on a given network, RFC 5227-compliant operating systems must send an ARP Probe for the desired IP address. If no answer arrives within a timeout period, the host considers the IP address unused and is free to claim it.

During this timeout window, an attacker has the opportunity to maliciously answer the probe with a forged ARP reply. In practice, the attack looks like this:

[Figure: narp attack diagram (/media/narp_diagram.svg)]
An implementation of this is available here for educational use only.
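
From the defender's side, forged answers to probes can be spotted in a packet capture. The following is an added example, not part of narp or the original page: it parses raw ARP bodies, tracks RFC 5227 probes (requests with an all-zero sender IP), and flags any MAC that asserts several different probed addresses shortly after each probe. The 2-second window, the threshold of two addresses, and all sample MACs and IPs are assumptions.

```python
import ipaddress
import struct
from collections import defaultdict

ARP_FMT = "!HHBBH6s4s6s4s"  # RFC 826 body for Ethernet/IPv4 (28 bytes)
REQUEST, REPLY = 1, 2
ZERO_IP = bytes(4)

def parse_arp(payload):
    """Return (op, sha, spa, tpa) for an Ethernet/IPv4 ARP body, else None."""
    if len(payload) < 28:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    ok = (htype, ptype, hlen, plen) == (1, 0x0800, 6, 4)
    return (op, sha, spa, tpa) if ok else None

def find_probe_answerers(frames, window=2.0, threshold=2):
    """Flag MACs claiming >= threshold probed IPs within window s (both assumed tunables)."""
    pending = {}               # probed IP -> (time of latest probe, prober MAC)
    claims = defaultdict(set)  # claiming MAC -> probed IPs it asserted
    for ts, body in frames:    # frames: iterable of (timestamp, ARP body)
        arp = parse_arp(body)
        if arp is None:
            continue
        op, sha, spa, tpa = arp
        if op == REQUEST and spa == ZERO_IP:  # RFC 5227 probe: all-zero sender IP
            pending[tpa] = (ts, sha)
            continue
        probe = pending.get(spa)  # any ARP packet whose sender IP is a probed address
        if probe and sha != probe[1] and ts - probe[0] <= window:
            claims[sha].add(spa)
    return {mac.hex(":"): [str(ipaddress.IPv4Address(ip)) for ip in sorted(ips)]
            for mac, ips in claims.items() if len(ips) >= threshold}

def make_arp(op, sha, spa, tpa):
    """Build one constructed ARP body (target hardware address left all-zero)."""
    ip = lambda s: ipaddress.IPv4Address(s).packed
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, bytes.fromhex(sha), ip(spa), bytes(6), ip(tpa))

# Constructed sample capture: documentation addresses, made-up MACs.
SAMPLE = [
    (0.0, make_arp(REQUEST, "0200000000a1", "0.0.0.0", "192.0.2.10")),
    (0.1, make_arp(REPLY, "0200000000ff", "192.0.2.10", "0.0.0.0")),
    (5.0, make_arp(REQUEST, "0200000000b2", "0.0.0.0", "192.0.2.11")),
    (5.2, make_arp(REPLY, "0200000000ff", "192.0.2.11", "0.0.0.0")),
    (9.0, make_arp(REQUEST, "0200000000c3", "0.0.0.0", "192.0.2.12")),
    (9.3, make_arp(REPLY, "0200000000d4", "192.0.2.12", "0.0.0.0")),
    (60.0, make_arp(REPLY, "0200000000e5", "192.0.2.10", "0.0.0.0")),
]
```

Calling `find_probe_answerers(SAMPLE)` reports only the MAC that answered probes for two different addresses; a single claim is what an ordinary address conflict looks like, and hosts that legitimately hold several addresses may need allow-listing.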