ARP


As its name shows, the Address Resolution Protocol (ARP) is a protocol for mapping an Internet Protocol address (IP address) to a physical machine address that is recognized in the local network.
For example, in IP Version 4, the most common level of IP in use today, an address is 32 bits long, except in Ethernet mappings. A table, usually called the ARP cache, is used to maintain a correlation between each MAC address and its corresponding IP address.
ARP provides the protocol rules for making this correlation and providing address conversion in both directions.

ARP Table

ARP was defined in 1982 by RFC 826, which is Internet Standard STD 37.
ARP is used for mapping a network address to a physical address such as a MAC address. ARP has been implemented with many combinations of network and data link layer technologies, like IPv4, Chaosnet or DECnet.
In IPv6, this function is provided by the Neighbor Discovery Protocol (NDP).

HOW IT WORKS
When an incoming packet destined for a host machine on a particular local area network arrives at a gateway, the gateway asks the ARP program to find a physical host or MAC address that matches the IP address. 
The ARP program looks in the ARP cache and, if it finds the address, provides it so that the packet can be converted to the right packet length and format and sent to the machine. If no entry is found for the IP address, ARP broadcasts a request packet in a special format to all the machines on the LAN to see if one machine knows that it has that IP address associated with it. 
A machine that recognizes the IP address as its own returns a reply so indicating. ARP updates the ARP cache for future reference and then sends the packet to the MAC address that replied.
Since protocol details differ for each type of local area network, there are separate ARP Requests for Comments (RFC) for Ethernet, ATM, Fiber Distributed-Data Interface and other protocols.






The basic principle behind ARP spoofing is to exploit the lack of authentication in the ARP protocol by sending spoofed ARP messages onto the LAN.
Generally, the goal of the attack is to associate the attacker's host MAC with the IP of a target host.

When an Internet Protocol (IP) datagram is sent from one host to another in a local area network, the destination IP address must be resolved to a MAC address for transmission via the data link layer. When another host's IP address is known, and its MAC address is needed, a broadcast packet is sent out on the local network. This packet is known as an ARP request. The destination machine with the IP in the ARP request then responds with an ARP reply that contains the MAC address for that IP.


How ARP Spoof works

Network hosts will automatically cache any ARP replies they receive. Even ARP entries that have not yet expired will be overwritten when a new ARP reply packet is received. There is no method in the ARP protocol by which a host can authenticate the peer from which the packet originated.



Our defence against this type of attack is the use of static ARP entries. This prevents only simple attacks and does not scale on a large network. IP address-to-MAC address mappings in the local ARP cache may be statically entered so that hosts ignore all ARP reply packets. While static entries provide some security against spoofing if the operating system handles them correctly, the mappings of all systems in the network have to be distributed.
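
The overwrite behaviour and the static-entry defence described above, as an added example (not code from the original post): a Python check that replays ARP payloads, treats a static table as authoritative, and reports any sender binding that contradicts it or replaces an earlier learned MAC. The function names, addresses and sample packets are constructed for illustration.

```python
import socket
import struct

# Ethernet/IPv4 ARP payload (RFC 826): htype, ptype, hlen, plen, oper,
# sender MAC, sender IP, target MAC, target IP (28 bytes in total).
ARP_FMT = "!HHBBH6s4s6s4s"

def parse_arp(payload):
    """Return (oper, sender_mac, sender_ip), or None if not Ethernet/IPv4 ARP."""
    if len(payload) < struct.calcsize(ARP_FMT):
        return None
    htype, ptype, hlen, plen, oper, sha, spa, _, _ = struct.unpack_from(ARP_FMT, payload)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return oper, sha.hex(":"), socket.inet_ntoa(spa)

def check_packets(payloads, static_table):
    """Replay ARP payloads as a host cache would learn them; report conflicts."""
    cache, alerts = dict(static_table), []
    for n, payload in enumerate(payloads):
        parsed = parse_arp(payload)
        if parsed is None:
            continue
        _oper, mac, ip = parsed
        if ip in static_table:              # static entry: never overwritten
            if mac != static_table[ip]:
                alerts.append((n, ip, static_table[ip], mac, "static-mismatch"))
            continue
        old = cache.get(ip)
        if old is not None and old != mac:  # ARP itself accepts this silently
            alerts.append((n, ip, old, mac, "binding-changed"))
        cache[ip] = mac
    return cache, alerts

def sample(oper, sha, spa, tha, tpa):
    """Build a constructed ARP payload for the offline demo (nothing is sent)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, mac(sha),
                       socket.inet_aton(spa), mac(tha), socket.inet_aton(tpa))

# Constructed data: the addresses and MACs below are invented for the example.
STATIC = {"192.168.1.1": "00:11:22:33:44:55"}
HOST, GW, ODD = "02:00:00:00:00:20", "00:11:22:33:44:55", "02:00:00:00:00:66"
PACKETS = [
    sample(2, HOST, "192.168.1.20", GW, "192.168.1.1"),   # host learned
    sample(2, GW, "192.168.1.1", HOST, "192.168.1.20"),   # matches static entry
    sample(2, ODD, "192.168.1.1", HOST, "192.168.1.20"),  # contradicts static
    sample(2, ODD, "192.168.1.20", GW, "192.168.1.1"),    # replaces learned MAC
]
```

Calling `check_packets(PACKETS, STATIC)` returns the resulting cache and the list of alerts; the static gateway entry survives, while the dynamically learned host entry is overwritten, which is the gap static entries close only for the addresses they cover.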

