How does Gratuitous ARP work? In what ways is it used in network attacks

Several of us encountered the word "Gratuitous" while exploring the topic of ARP, the Address Resolution Protocol. Here is a quick review of how ARP works before explaining Gratuitous ARP.

?The ARP protocol maps IP addresses to MAC addresses within a Layer 2 broadcast domain. In this case, Host B cannot send information to Host A because it does not have the Host A's MAC address in its ARP cache. For the purpose of obtaining the MAC address associated with the IP address of Host A, Host B sends a broadcast message to all hosts in the broadcast domain. It is possible to see the ARP entries on our computers by entering the command arp -a. All hosts within the same broadcast domain receive the ARP request, and Host A responds with its MAC address.

?Let's return to the topic of what is a Gratuitous ARP, here is an explanation.

When a device sends an ARP packet without responding to a request, it is known as a gratuitous arp.

In a Gratuitous ARP, a node announces or updates its IP-MAC mapping to the entire network via a broadcast.

GARP is typically used for network HA and VIPs. As soon as the active node fails and the backup node takes over the role, it will send a GARP to all nodes informing them of the VIP's mac address.

The ideal gratuitous ARP request has the source and destination IPs set to the IPs of the machine issuing the request and the destination MAC set to ff:ff:ff:ff:ff:ff.

As we normally understand arp, some device sends an arp request and another device responds. In a gratuitous arp, the device sends a reply without responding to a request. Some devices will send gratuitous arp when they boot up, announcing their presence on the network to the rest of the network. If you change the IP address of an interface, many devices will send an arp response (gratuitous arp). When a gratuitous ARP reply is received, computers can detect IPv4 address conflicts in the network to detect duplicate addresses.

Gratuitous ARP packets have the following characteristics:

1. The packet's source and destination IP addresses are both the IP addresses of the host issuing the gratuitous ARP
2. As a broadcast, the gratuitous ARP announces or updates a node's IP to MAC mapping to the entire network with its destination MAC address (ff:ff:ff:ff:ff;ff:ff).
3. In other words, all ports on a switch will receive the packet
4. There will be no reply
5. ?To summarize, a gratuitous ARP reply is a response to which no request has been made.

Consider the topology below.?

For some technical reason, the IPv4 address of the top left computer is changed from 172.16.10.155/16 to 172.16.10.150/16.

IPv4 address changes must be informed to all other devices on the Local Area Network (LAN) because previous IPv4 address mappings from MAC addresses may be incorrect. A TCP/IP device uses gratuitous ARP to notify other devices in the Local Area Network (LAN) when its MAC address or IPv4 address changes.

The switch will flood all its connected ports with the Gratuitous ARP packet since the destination MAC address is the broadcast MAC address.?

The following screenshot shows a Gratuitous ARP packet captured by Wireshark.

?There are five reasons why gratuitous ARPs are useful:

1. Conflicts between IP addresses can be detected using them. Whenever a machine receives an ARP request containing a source IP that matches its own, it knows there is an IP conflict. When devices boot up, they send gratuitous arps to announce their presence.
2. Other machines' ARP tables are updated by them.?An IP address can be moved from one NIC to another, or from one machine to another, using Clustering Solution. IP addresses are associated with MAC addresses in ARP tables maintained by other machines. As soon as a cluster needs to move the IP to a different NIC, be it on the same machine or a different one, it reconfigures the NICs appropriately and broadcasts a gratuitous ARP reply to inform the neighboring machines of the change. The new MAC address is then added to the ARP tables of the machines receiving the ARP packet.
3. Switches are informed of the MAC address of a machine on a given port so that packets sent to that MAC address on that port will be transmitted.
4. Each time an IP interface or link goes up, the driver for that interface will send a gratuitous ARP to preload the ARP tables of all other local hosts. Consequently, a gratuitous ARP indicates that a host just had a link-up event, such as a link bounce, a machine just rebooted, or the user/sysadmin just configured the interface. Multiple gratuitous ARPs from the same host can indicate bad Ethernet hardware/cabling resulting in frequent link bounces.
5. If you have a redundant network, the following are the most important uses:

If there is a failover in the redundant network, gratuitous ARP is very important. Maintaining a constant connection with the gateway without making delays makes more sense.

Assume we are running a redundant gateway protocol such as HSRP, VRRP, or GLBP.?172.16.0.254 is the virtual IP address of R1.?Both R1 and R2 share the same virtual IP address and virtual MAC address.?All hosts will be notified about R1's virtual MAC address through Gratuitous ARP.

On port 1, the switch will update the MAC address table along with the port number and virtual MAC address.

If any failure occurs on R1 and it is no longer available to serve all hosts.?As a result, R2 becomes primary and sends gratuitous ARPs not to update the host's ARP table, but rather to update the switch's MAC address table so that it can determine which port is correctly associated with the shared MAC address (0000.0c9f.f00a).

As a result, Switch no longer has to wait for the MAC address table to expire. Once it hears Gratuitous ARP from another port, the switch will update the MAC address table immediately.

Host traffic will be redirected to R2 from all hosts and the switch will forward the frame on the correct port. We have seen how Gratuitous ARP works in a redundant network and helps switches learn the new locations of shared MAC addresses.

By using the example above, we can conclude that all other devices in the local area network (LAN) must be informed about the change in IPv4 address, since there may be MAC address to incorrect previous IPv4 address mappings inside their ARP tables. A TCP/IP device uses gratuitous ARP to notify other devices in the Local Area Network (LAN) of any changes to its MAC address or IPv4 address. The switch will flood all its connected ports with Gratuitous ARP packets since the destination MAC address is the broadcast MAC address.

What is the purpose of this Gratuitous ARP in network attacks?

It is possible to perform ARP spoofing attacks and ARP cache poisoning because ARP allows hosts to reply without having received an ARP request. Thus poisoning the ARP tables of network devices. As a result, all traffic to and from the device under attack flows through the attacker's computer and then to the router, switch, or host, a method called "man-in-the-middle attack." An ARP spoofing attack can target hosts, switches, and routers connected to your Layer 2 network by poisoning the ARP caches of systems connected to the subnet and intercepting traffic intended for other hosts on the subnet.

Consider a switch with three devices connected. Two PCs and a router. An attacker is PC2.

As the source, PC2 will send Gratuitous ARP to the router using the IP address of PC1 (spoofed) and its own MAC address. In this case, the router will believe that PC2 is actually PC1 and all packets destined for PC1 will be forwarded to PC2.

PC2 will also send a Gratuitous ARP to PC1 with its own MAC address and the router's IP address as the source. The PC1 will learn that the router is PC2 and will send all packets to it. A Man-in-the-Middle attack could be executed by PC2 forwarding those packets to the router.

To prevent ARP poisoning/spoofing attacks, network administrators can use Dynamic ARP inspection (DAI). By storing valid IP-to-MAC address bindings in the trusted DHCP snooping binding database, DAI validates Address Resolution Protocol (ARP) packets in a network.