Proxy ARP (Address Resolution Protocol) is a technique in which a device, usually a router, answers ARP requests intended for another device. Cisco routers and Catalyst multilayer switches have it turned on by default. This allows a misconfigured device to reach other subnets without a default gateway set. It also poses a security problem: an attacker can issue a flood of ARP requests and exhaust the router's or switch's resources as it tries to respond to all of them, a DoS (denial of service) attack.
An example of how proxy ARP works is shown below. In this example there are four devices: two act as routers and the other two act as regular PCs. R1's IP configuration is correct, while R4 was configured with an incorrect subnet mask and no default gateway.
R1’s IP configuration and routing table:
R1#sh run int f0/0
Building configuration...

Current configuration : 97 bytes
!
interface FastEthernet0/0
 ip address 172.17.100.1 255.255.255.0
 duplex auto
 speed auto
end

R1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 172.17.100.254 to network 0.0.0.0

     172.17.0.0/24 is subnetted, 1 subnets
C       172.17.100.0 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 [1/0] via 172.17.100.254
R4’s IP configuration and routing table:
R4#sh run int f0/0
Building configuration...

Current configuration : 92 bytes
!
interface FastEthernet0/0
 ip address 172.17.99.1 255.0.0.0
 duplex auto
 speed auto
end

R4#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    172.0.0.0/8 is directly connected, FastEthernet0/0
Now, let's try to ping R1 from R4. This should succeed, since proxy ARP is enabled by default on Cisco routers and R3 sits between the two.
R3’s show ip interface f0/0 output:
R3#sh ip int f0/0
FastEthernet0/0 is up, line protocol is up
  Internet address is 172.17.99.254/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Multicast reserved groups joined: 224.0.0.10
  Outgoing access list is not set
  Inbound access list is not set
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  ! Omitted for brevity
R4’s ping output:
R4#ping 172.17.100.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.17.100.1, timeout is 2 seconds:
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 40/52/60 ms
My guess is that the two packets failed because it took a while before the router stepped in as the proxy. Once R4 has an ARP entry for R1's IP address (answered by R3 with its own MAC address, as the ARP table below shows), any subsequent communication between them will succeed.
Now, let’s disable proxy ARP on R3 and make sure R4’s ARP table does not have R1’s IP address.
R3(config)#int f0/0
R3(config-if)#no ip proxy-arp

R3#sh ip int f0/0
FastEthernet0/0 is up, line protocol is up
  Internet address is 172.17.99.254/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Multicast reserved groups joined: 224.0.0.10
  Outgoing access list is not set
  Inbound access list is not set
  Proxy ARP is disabled
  Local Proxy ARP is disabled
  ! Omitted for brevity

R4#sho ip arp f0/0
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  172.17.99.254          17   c002.1704.0000  ARPA   FastEthernet0/0
Internet  172.17.100.1            8   c002.1704.0000  ARPA   FastEthernet0/0
Internet  172.17.99.1             -   c003.1704.0000  ARPA   FastEthernet0/0

R4#clear arp int f0/0
R4#sho ip arp f0/0
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  172.17.99.254           0   c002.1704.0000  ARPA   FastEthernet0/0
Internet  172.17.99.1             -   c003.1704.0000  ARPA   FastEthernet0/0
Now that R4 no longer has 172.17.100.1 listed in its ARP table, let's try to ping R1.
R4#ping 172.17.100.1 repeat 10

Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 172.17.100.1, timeout is 2 seconds:
..........
Success rate is 0 percent (0/10)
As shown above, R4 can no longer communicate with R1 once proxy ARP is disabled. To harden your Cisco network devices, disable proxy ARP wherever it is not needed. For more tips on hardening Cisco network devices, please visit here. I will keep adding to this list as time allows.
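As an added example (not part of the original post), the following Python script turns that advice into an audit you can run against a captured ARP table: it parses the R4 "sho ip arp" output above, flags entries outside the segment's real prefix (172.17.99.0/24, taken from R3's interface and passed in as an assumed input) and groups IPs that resolve to one MAC, the trace proxy ARP leaves behind. It also shows why R4's /8 mask made it ARP for R1 in the first place.

```python
import ipaddress
from collections import defaultdict

# Constructed from the R4 "sho ip arp f0/0" output above, captured while
# R3 was still proxying; header and column layout follow IOS.
SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  172.17.99.254          17   c002.1704.0000  ARPA   FastEthernet0/0
Internet  172.17.100.1            8   c002.1704.0000  ARPA   FastEthernet0/0
Internet  172.17.99.1             -   c003.1704.0000  ARPA   FastEthernet0/0
"""

def host_considers_local(local_addr, dst_ip):
    """True if a host addressed as local_addr (e.g. '172.17.99.1/8') would
    ARP for dst_ip directly instead of sending it to a default gateway."""
    iface = ipaddress.ip_interface(local_addr)
    return ipaddress.ip_address(dst_ip) in iface.network

def parse_show_ip_arp(text):
    """Return (ip, mac, interface) tuples from IOS 'show ip arp' output."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows have six columns and begin with the protocol name.
        if len(fields) == 6 and fields[0] == "Internet":
            entries.append((fields[1], fields[3], fields[5]))
    return entries

def audit_arp_table(text, segment_prefix):
    """Flag evidence that a device is proxying ARP on the segment.

    segment_prefix is the segment's correct prefix (an assumed input; here
    172.17.99.0/24 from R3's interface). An ARP entry outside it can only
    have been answered by a proxy, and several IPs resolving to one MAC
    show which device answered.
    """
    net = ipaddress.ip_network(segment_prefix)
    entries = parse_show_ip_arp(text)
    off_subnet = [ip for ip, _, _ in entries
                  if ipaddress.ip_address(ip) not in net]
    by_mac = defaultdict(list)
    for ip, mac, _ in entries:
        by_mac[mac].append(ip)
    shared = {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}
    return {"off_subnet": off_subnet, "shared_macs": shared}

if __name__ == "__main__":
    # R4's /8 mask makes 172.17.100.1 look local; the correct /24 does not.
    print(host_considers_local("172.17.99.1/8", "172.17.100.1"))   # True
    print(host_considers_local("172.17.99.1/24", "172.17.100.1"))  # False
    print(audit_arp_table(SHOW_IP_ARP, "172.17.99.0/24"))
```

An off-subnet entry appearing on a host, or one MAC answering for several addresses, is the cue to check which router on the segment still has proxy ARP enabled and whether the host's mask and gateway are correct.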
I hope this has been helpful and thank you for reading!