
ARP - Address Resolution Protocol, ARP Cache & Spoofing


Imagine you want to send a letter to a friend but only know their street name, not their house number. ARP helps computers find the exact 'house number' (MAC address) when they only know the 'street name' (IP address).

💡 Beginners often confuse IP addresses with MAC addresses or think ARP is a routing protocol, missing that ARP is about mapping IP to MAC within a local network segment.
📋
Interview Question

Explain what ARP (Address Resolution Protocol) is, how ARP cache works, and what ARP spoofing means. How does ARP enable communication within a local network?

  • Mapping between IP addresses and MAC addresses
  • Broadcast nature of ARP requests
  • Role and management of ARP cache
  • Security risks due to ARP spoofing
💡
Scenario & Trace
Scenario: A computer wants to send data to another computer on the same LAN but only knows its IP address.
  1. The sender checks its ARP cache for the destination IP's MAC address.
  2. If not found, it broadcasts an ARP request asking 'Who has IP X? Tell me your MAC.'
  3. The device with IP X replies with its MAC address.
  4. The sender updates its ARP cache and sends the data frame to the resolved MAC address.
Scenario: An attacker performs ARP spoofing to intercept traffic between two devices on the same network.
  1. The attacker sends fake ARP replies associating their MAC address with the IP address of a legitimate device.
  2. Victim devices update their ARP cache with the wrong MAC-IP mapping.
  3. Traffic intended for the legitimate device is sent to the attacker instead, enabling man-in-the-middle attacks.
  • What happens if the ARP cache entry expires or is flushed?
  • How does ARP behave when two devices have the same IP address?
  • What if the ARP request is lost or no device replies?
  • How does ARP work across different subnets or routers?
⚠️
Common Mistakes
Confusing ARP with routing protocols

Interviewer thinks candidate lacks basic networking knowledge

Clarify that ARP resolves IP to MAC within a LAN, while routing protocols determine paths between networks

Assuming ARP works across routers or different subnets

Shows misunderstanding of ARP’s broadcast domain limitation

Explain ARP is local network only; routers use other mechanisms to forward packets

Ignoring ARP cache and its role

Candidate misses efficiency and performance aspects of ARP

Mention ARP cache stores mappings to reduce broadcast traffic and latency

Not recognizing ARP spoofing as a security threat

Interviewer doubts candidate’s awareness of real-world network vulnerabilities

Discuss how ARP spoofing poisons caches and enables man-in-the-middle attacks

🧠
Basic Definition - What It Is
💡 This level covers the fundamental purpose and role of ARP without technical details.

Intuition

ARP is a protocol that finds the physical hardware address (MAC) corresponding to a known IP address on a local network.

Explanation

ARP stands for Address Resolution Protocol. It is used within a local network to map an IP address, which is a logical address, to a MAC address, which is a physical hardware address. When a device wants to communicate with another device on the same LAN but only knows its IP address, it uses ARP to discover the MAC address. This is essential because data link layer communication requires MAC addresses. ARP works by broadcasting a request to all devices on the LAN asking who owns the IP address, and the device with that IP replies with its MAC address.

Memory Hook

💡 Think of ARP as a phone book that translates a person's name (IP) into their phone number (MAC).

Interview Questions

What is the purpose of ARP?
  • Maps IP addresses to MAC addresses
  • Enables communication within a local network
  • Uses broadcast requests and unicast replies
Depth Level
Interview Time: 30 seconds
Depth: basic

Covers the core concept and purpose of ARP, sufficient for quick screening questions.

Interview Target: Minimum floor - never go below this

Knowing only this will help you pass initial screening but not detailed technical rounds.

🧠
Mechanism Depth - How It Works
💡 This level explains ARP’s internal process, cache usage, and security implications expected in product company interviews.

Intuition

ARP uses broadcast requests to discover MAC addresses and stores mappings in a cache to optimize network communication, but it is vulnerable to spoofing attacks.

Explanation

When a device wants to send a packet to an IP address on the same subnet, it first checks its ARP cache, a table storing recent IP-to-MAC mappings. If the mapping is not found, it broadcasts an ARP request packet to all devices on the LAN asking 'Who has IP X?'. The device with that IP responds with an ARP reply containing its MAC address. The sender updates its ARP cache with this mapping to avoid future broadcasts. ARP cache entries have a timeout to keep mappings fresh. However, ARP is a stateless protocol and does not authenticate replies, which allows attackers to send forged ARP replies (ARP spoofing) to poison caches and intercept or redirect traffic. Defenses include static ARP entries and security protocols like Dynamic ARP Inspection.
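Because a cache accepts any reply it hears, the defender's view of the mechanism above is a passive monitor that remembers IP-to-MAC bindings and flags conflicts. The following is an added example, not part of the original page; the class and function names, the addresses and the sample payloads are constructed for illustration.

```python
import ipaddress
import struct
ARP_FMT = "!HHBBH6s4s6s4s"  # RFC 826 layout for Ethernet/IPv4 (28 bytes)

def parse_arp(payload):
    """Decode an ARP payload into (opcode, sender_mac, sender_ip, target_ip)."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return op, sha.hex(":"), str(ipaddress.IPv4Address(spa)), str(ipaddress.IPv4Address(tpa))

class ArpWatch:
    """Passive monitor: ARP has no authentication, so flag what a cache would silently accept."""
    def __init__(self):
        self.bindings = {}    # ip -> first MAC seen for it
        self.pending = set()  # (requester_ip, wanted_ip) for requests not yet answered
    def observe(self, payload):
        op, mac, ip, target = parse_arp(payload)
        alerts = []
        if op == 1:                                # request
            self.pending.add((ip, target))
        elif op == 2:                              # reply
            if (target, ip) not in self.pending:   # weak signal: gratuitous ARP is also unsolicited
                alerts.append(f"unsolicited reply for {ip} from {mac}")
            self.pending.discard((target, ip))
        if ip == "0.0.0.0":                        # address probe, carries no binding
            return alerts
        known = self.bindings.setdefault(ip, mac)
        if known != mac:                           # strong signal: the IP moved to another MAC
            alerts.append(f"binding change {ip}: {known} -> {mac}")
        return alerts

def _pkt(op, sha, spa, tha, tpa):  # builds constructed sample bytes; nothing is sent
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: ipaddress.IPv4Address(a).packed
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, mac(sha), ip(spa), mac(tha), ip(tpa))

# Constructed capture: request, genuine reply, then a conflicting reply for the same IP.
SAMPLE = [
    _pkt(1, "02:00:00:00:00:0a", "192.0.2.10", "00:00:00:00:00:00", "192.0.2.1"),
    _pkt(2, "02:00:00:00:00:01", "192.0.2.1", "02:00:00:00:00:0a", "192.0.2.10"),
    _pkt(2, "02:00:00:00:00:66", "192.0.2.1", "02:00:00:00:00:0a", "192.0.2.10"),
]

def run_sample():
    watch = ArpWatch()
    return [watch.observe(p) for p in SAMPLE]
```

The monitor keeps the first binding it saw, so a legitimate address change (for example a replaced network card) also alerts until the entry is reset by an operator.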

Memory Hook

💡 ARP is like asking a crowd 'Who owns this phone number?' and writing down the answer on a sticky note for next time.

Interview Questions

How does ARP cache improve network efficiency?
  • Stores IP-to-MAC mappings to avoid repeated broadcasts
  • Entries expire after a timeout to maintain accuracy
  • Reduces network traffic and latency
What is ARP spoofing and why is it dangerous?
  • An attacker sends fake ARP replies to associate their MAC with another IP
  • Victims update their ARP cache with wrong mappings
  • Enables man-in-the-middle attacks and traffic interception
Depth Level
Interview Time: 2-3 minutes
Depth: intermediate

Demonstrates understanding of ARP’s operational details, cache management, and security risks.

Interview Target: Target level for FAANG on-sites

Mastering this level distinguishes you from most candidates and prepares you for deeper networking discussions.

📊
Explanation Depth Levels
💡 Choose your explanation depth based on interview stage and company expectations.
Level | Interview Time | Suitable For | Risk
Basic Definition | 30s | Screening call or initial rounds | Too shallow for on-site or deep technical interviews
Mechanism Depth | 2-3 minutes | On-site interviews at product companies | Requires good understanding; missing details may lower score
💼
Interview Strategy
💡 Use this guide to structure your explanation clearly and confidently before every networking mock interview.

How to Present

  • Start with a concise definition of ARP and its purpose
  • Give a relatable analogy or real-world example
  • Explain the ARP request-reply mechanism and ARP cache role
  • Discuss ARP spoofing as a security concern and mention mitigation

Time Allocation

Definition: 30s → Example: 1min → Mechanism: 2min → Edge cases: 30s. Total ~4min

What the Interviewer Tests

Checks your understanding of local network communication, protocol operation, and awareness of security vulnerabilities.

Common Follow-ups

  • What happens if the ARP cache entry expires? → The device broadcasts a new ARP request to refresh the mapping.
  • Can ARP work across different subnets? → No, ARP is limited to the local broadcast domain; routers handle inter-subnet communication.
💡 These common curveballs test if you understand ARP’s scope and cache behavior.
🔍
Pattern Recognition

When to Use

Interviewers ask about ARP when discussing local network communication, IP-to-MAC mapping, or network security.

Signature Phrases

  • 'Explain ARP and how it works'
  • 'What is ARP cache and why is it important?'
  • 'Describe ARP spoofing and its impact'

Practice

1. Trace the sequence of events in TCP congestion control using AIMD when packet loss is detected via triple duplicate ACKs.
easy
A. Immediately stop sending data until timeout expires
B. Reset congestion window to 1 MSS and start slow start again
C. Cut congestion window to half, then increase linearly after each ACK
D. Ignore loss and continue increasing congestion window exponentially

Solution

  1. Step 1: Identify AIMD response to triple duplicate ACKs

    On triple duplicate ACKs, TCP performs fast retransmit and fast recovery, cutting congestion window to half.
  2. Step 2: Understand congestion window growth after loss

    After halving, TCP increases congestion window linearly (additive increase) to probe for available bandwidth.
  3. Step 3: Differentiate from timeout behavior

    Timeout triggers slow start (reset to 1 MSS), not triple duplicate ACKs.
  4. Step 4: Reject ignoring loss or stopping sending

    Ignoring loss or stopping immediately are incorrect TCP behaviors.
  5. Final Answer:

    Option C
  6. Quick Check:

    Triple duplicate ACKs -> halve cwnd -> linear increase.
Hint: Triple duplicate ACKs -> fast retransmit + halve cwnd; timeout -> slow start.
Common Mistakes:
  • Confusing timeout and triple duplicate ACK loss signals
  • Assuming exponential growth continues after loss
  • Believing TCP stops sending immediately on loss
2. In a typical web browsing session, which TCP/IP layer is primarily responsible for establishing the connection between the client and server?
easy
A. Transport Layer
B. Internet Layer
C. Application Layer
D. Network Interface Layer

Solution

  1. Step 1: Identify the role of each TCP/IP layer in connection management

    The Application Layer handles high-level protocols like HTTP, but does not establish connections itself. The Internet Layer routes packets but does not manage connections. The Transport Layer (e.g., TCP) manages connection establishment, flow control, and reliability. The Network Interface Layer deals with physical transmission.
  2. Final Answer:

    Option A
  3. Quick Check:

    TCP's three-way handshake occurs at the Transport Layer, confirming connection establishment [OK]
Hint: Connection setup happens at Transport Layer (TCP), not Application
Common Mistakes:
  • Confusing Application Layer protocols with connection management
  • Assuming Internet Layer handles connections instead of routing
  • Thinking Network Interface Layer manages connections
3. When a TCP packet is lost during transmission, what sequence of events occurs internally before the data is successfully received?
easy
A. The sender immediately retransmits the lost packet without waiting for any signal
B. The receiver sends an acknowledgment for the last correctly received packet, triggering retransmission after timeout
C. The receiver sends a negative acknowledgment (NAK) to request retransmission of the lost packet
D. The sender continues sending new packets without retransmitting lost ones

Solution

  1. Step 1: Understand TCP reliability mechanism

    TCP uses acknowledgments (ACKs) to confirm receipt of packets.
  2. Step 2: Lost packet detection

    If a packet is lost, the sender does not receive an ACK for it within a timeout period.
  3. Step 3: Retransmission trigger

    After timeout, the sender retransmits the lost packet.
  4. Step 4: Evaluate options

    Option B (the receiver sends an acknowledgment for the last correctly received packet, triggering retransmission after timeout) correctly describes the process. Option A (the sender immediately retransmits the lost packet without waiting for any signal) is incorrect because retransmission waits for a timeout or duplicate ACKs. Option C (the receiver sends a negative acknowledgment to request retransmission) is incorrect; TCP does not use NAKs. Option D (the sender continues sending new packets without retransmitting lost ones) ignores retransmission, violating TCP reliability.
  5. Final Answer:

    Option B
  6. Quick Check:

    TCP relies on ACK timeouts to detect loss and trigger retransmission.
Hint: TCP retransmits after timeout triggered by missing ACKs, not immediately or via NAKs.
Common Mistakes:
  • Believing TCP uses negative acknowledgments (NAKs)
  • Thinking retransmission happens immediately without waiting
  • Assuming sender ignores lost packets
4. Which of the following statements about reverse proxies is INCORRECT?
medium
A. Reverse proxies always cache all content to reduce backend load
B. Reverse proxies can improve security by hiding backend server details
C. Reverse proxies can perform SSL termination to offload encryption work
D. Reverse proxies distribute incoming requests among multiple backend servers

Solution

  1. Step 1: Understand reverse proxy caching

    Reverse proxies may cache some content but do not always cache all content; caching is selective based on configuration.
  2. Step 2: Other statements

    Reverse proxies hide backend details (B), perform SSL termination (C), and load balance requests (D): all correct.
  3. Final Answer:

    Option A
  4. Quick Check:

    Reverse proxies do not always cache all content [OK]
Hint: Reverse proxies cache selectively, not always.
Common Mistakes:
  • Assuming reverse proxies cache everything
  • Confusing reverse proxy with CDN caching behavior
5. If a new network protocol requires encryption and compression before data transmission, which TCP/IP model layer would be the best place to implement these features to maintain compatibility and efficiency?
hard
A. Network Interface Layer, since it deals with physical transmission
B. Transport Layer, because it manages data segmentation and reliability
C. Internet Layer, as it routes packets across networks
D. Application Layer, since it handles end-user protocols and data formatting

Solution

  1. Step 1: Identify layer responsibilities relevant to encryption and compression

    Encryption and compression are data transformations related to how data is presented and formatted for applications, which fits the Application Layer's role in TCP/IP (combining OSI's Application, Presentation, and Session layers).
  2. Step 2: Why not other layers?

    Transport Layer manages segmentation and reliability, not data formatting. Internet Layer handles routing, not data content. Network Interface Layer deals with physical transmission, not data processing.
  3. Final Answer:

    Option D
  4. Quick Check:

    Application Layer is the correct place for encryption/compression to maintain compatibility [OK]
Hint: Encryption/compression belong at Application Layer in TCP/IP
Common Mistakes:
  • Placing encryption at Transport Layer (confusing with TLS)
  • Thinking Internet Layer handles data content
  • Assuming Network Interface Layer manages data transformations