[Orginially posted in the MD2600 newsletter. February 2001]
Recently a friend of mine was sniffing his network an noticed a higher then normal level of arp requests. He was also startled that they all came from his router. The cause of this is quiet simple and also useful to spot in network security. For the answer we need to review arp.
Arp, address resolution protocol, works as a translator between IP (Internet Protocol) address and MAC (Machine Access Code) address. This is analogous to translating your street address to a zip+9 address, or phone number to the cable and pair number.
When HostA wants to send a packet to HostB. HostA first checks if HostB is on the same net as HostA. This involves sub-netting which is outside the scope of this paper. If both hosts are on the same network, HostA will send arp packet to the whole network requesting the MAC address of HostB. After the address is known HostA starts sending "data" packets. To aid in this process, hosts have an ARP table which caches mac/ip addresses for a period of time.
If HostB is on a remote network, HostA will send the same packet but requesting the MAC address of its router. Then HostA will send the "data" packet to the router. The router in turn will request the MAC address of the next host (be it HostB or another router) via arp requests. This process continues until a router obtains the mac address of HostB and is able to send HostB the "data" packet.
This happens a billion times per "Internet experience", which results into a normal level of arp requests per host. However not everyone's Internet experience involves normal stuff like mail, chat, and web. Some people come home jump on the computer and start port-scanning random networks. So with what was just explained how arp works, let's imagine someone scanning your 36000 ports on your network which has 10 unused IP addresses.
When his scanner sends a Syn packet to an IP address that isn't used. The router, which doesn't know if the hosts is down, will send an arp request. This request will timeout and the router will return a "Host Unavailable" ICMP error, which will be ignored by most port-scanners. This will happen for each of the 36000 Syn packets to each of the 10 unused IP addresses. Hence if you monitor your Arp packets. You'll see an instant rise of 360,000 arp requests.
Although some scanners, such as Nmap, attempt to icmp ping or "tcp ping" before hammering it with packets. However, any packet sent to a host that isn't up will generate a broadcast Arp Request. So any ping sweep, port scan, unknown ip protocol packet, or tomorrow's stealth packet techniques, can be spotted. Its also interesting that since arp is a broadcast packet, that even if the "intruder" goes unnoticed by the IT Dept, any alert user can spot the activity.