
ARP - Address Resolution Protocol, ARP Cache & Spoofing


Imagine you want to send a letter to a friend but only know their street name, not their house number. ARP helps computers find the exact 'house number' (MAC address) when they only know the 'street name' (IP address).

💡 Beginners often confuse IP addresses with MAC addresses or think ARP is a routing protocol, missing that ARP is about mapping IP to MAC within a local network segment.
📋
Interview Question

Explain what ARP (Address Resolution Protocol) is, how ARP cache works, and what ARP spoofing means. How does ARP enable communication within a local network?

  • Mapping between IP addresses and MAC addresses
  • Broadcast nature of ARP requests
  • Role and management of ARP cache
  • Security risks due to ARP spoofing
💡
Scenario & Trace
Scenario: A computer wants to send data to another computer on the same LAN but only knows its IP address.
  1. The sender checks its ARP cache for the destination IP's MAC address.
  2. If not found, it broadcasts an ARP request asking 'Who has IP X? Tell me your MAC.'
  3. The device with IP X replies with its MAC address.
  4. The sender updates its ARP cache and sends the data frame to the resolved MAC address.
Scenario: An attacker performs ARP spoofing to intercept traffic between two devices on the same network.
  1. The attacker sends fake ARP replies associating their MAC address with the IP address of a legitimate device.
  2. Victim devices update their ARP cache with the wrong MAC-IP mapping.
  3. Traffic intended for the legitimate device is sent to the attacker instead, enabling man-in-the-middle attacks.
  • What happens if the ARP cache entry expires or is flushed?
  • How does ARP behave when two devices have the same IP address?
  • What if the ARP request is lost or no device replies?
  • How does ARP work across different subnets or routers?
⚠️
Common Mistakes
Confusing ARP with routing protocols
  • Interviewer thinks candidate lacks basic networking knowledge
  • Clarify that ARP resolves IP to MAC within a LAN, while routing protocols determine paths between networks

Assuming ARP works across routers or different subnets
  • Shows misunderstanding of ARP’s broadcast domain limitation
  • Explain ARP is local network only; routers use other mechanisms to forward packets

Ignoring ARP cache and its role
  • Candidate misses efficiency and performance aspects of ARP
  • Mention ARP cache stores mappings to reduce broadcast traffic and latency

Not recognizing ARP spoofing as a security threat
  • Interviewer doubts candidate’s awareness of real-world network vulnerabilities
  • Discuss how ARP spoofing poisons caches and enables man-in-the-middle attacks

🧠
Basic Definition - What It Is
💡 This level covers the fundamental purpose and role of ARP without technical details.

Intuition

ARP is a protocol that finds the physical hardware address (MAC) corresponding to a known IP address on a local network.

Explanation

ARP stands for Address Resolution Protocol. It is used within a local network to map an IP address, which is a logical address, to a MAC address, which is a physical hardware address. When a device wants to communicate with another device on the same LAN but only knows its IP address, it uses ARP to discover the MAC address. This is essential because data link layer communication requires MAC addresses. ARP works by broadcasting a request to all devices on the LAN asking who owns the IP address, and the device with that IP replies with its MAC address.

Memory Hook

💡 Think of ARP as a phone book that translates a person's name (IP) into their phone number (MAC).

Interview Questions

What is the purpose of ARP?
  • Maps IP addresses to MAC addresses
  • Enables communication within a local network
  • Uses broadcast requests and unicast replies
Depth Level
Interview Time: 30 seconds
Depth: basic

Covers the core concept and purpose of ARP, sufficient for quick screening questions.

Interview Target: Minimum floor - never go below this

Knowing only this will help you pass initial screening but not detailed technical rounds.

🧠
Mechanism Depth - How It Works
💡 This level explains ARP’s internal process, cache usage, and security implications expected in product company interviews.

Intuition

ARP uses broadcast requests to discover MAC addresses and stores mappings in a cache to optimize network communication, but it is vulnerable to spoofing attacks.

Explanation

When a device wants to send a packet to an IP address on the same subnet, it first checks its ARP cache, a table storing recent IP-to-MAC mappings. If the mapping is not found, it broadcasts an ARP request packet to all devices on the LAN asking 'Who has IP X?'. The device with that IP responds with an ARP reply containing its MAC address. The sender updates its ARP cache with this mapping to avoid future broadcasts. ARP cache entries have a timeout so that stale mappings are discarded and re-resolved. However, ARP is a stateless protocol and does not authenticate replies: a host will accept a reply it never asked for, which allows attackers to send forged ARP replies (ARP spoofing) to poison caches and intercept or redirect traffic. Defenses include static ARP entries and switch features such as Dynamic ARP Inspection, which drops ARP packets whose IP-to-MAC binding does not match a trusted source.
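As an added example (not from the original page), here is a small Python model of the request/reply and cache-expiry flow above, together with a detector for the two signs of a forged reply: a reply nobody asked for, and a reply that changes a mapping that has not yet expired. All MAC and IP values are constructed (192.0.2.0/24 is the documentation range), and the detector works on the raw 28-byte ARP body, so it assumes a capture tool has already stripped the 14-byte Ethernet header.

```python
import struct

# Ethernet/IPv4 ARP body (RFC 826): hw/proto type, hw/proto len, opcode, sender MAC/IP, target MAC/IP
ARP_FMT = "!HHBBH6s4s6s4s"
OP_REQUEST, OP_REPLY = 1, 2

def parse_arp(body):
    """Decode the 28-byte ARP body that follows the 14-byte Ethernet header."""
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, body[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    ip = lambda b: ".".join(str(x) for x in b)
    return {"op": op, "sha": sha.hex(":"), "spa": ip(spa), "tha": tha.hex(":"), "tpa": ip(tpa)}

def build_arp(op, sha, spa, tha, tpa):
    # Encoder, used only to construct the sample packets (all addresses are made up)
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, mac(sha), ip(spa), mac(tha), ip(tpa))

class ArpCache:
    """IP -> MAC table with expiry, plus alerts on replies that look forged."""
    def __init__(self, ttl=60.0):
        self.ttl = ttl
        self.table = {}       # ip -> (mac, expiry time)
        self.pending = set()  # ips we broadcast a request for and await a reply

    def resolve(self, ip, now):
        entry = self.table.get(ip)
        if entry and entry[1] > now:
            return entry[0]             # cache hit, no broadcast needed
        self.table.pop(ip, None)        # expired or missing: flush, then broadcast a request
        self.pending.add(ip)
        return None

    def observe(self, body, now):
        """Process one ARP packet seen on the wire; return alert strings (empty if benign)."""
        pkt = parse_arp(body)
        if pkt["op"] != OP_REPLY:
            return []                   # requests never change the table here
        ip, mac, alerts = pkt["spa"], pkt["sha"], []
        old = self.table.get(ip)
        if old and old[1] > now and old[0] != mac:
            alerts.append(f"{ip} moved from {old[0]} to {mac} before expiry")
        if ip not in self.pending:
            alerts.append(f"unsolicited reply for {ip} from {mac}")
        self.pending.discard(ip)
        self.table[ip] = (mac, now + self.ttl)   # accepted unchecked, as a normal stack would
        return alerts
```

A legitimate NIC replacement also changes a mapping, so the "moved" alert is a prompt to investigate rather than proof of an attack; static entries or Dynamic ARP Inspection on the switch remove that ambiguity.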

Memory Hook

💡 ARP is like asking a crowd 'Who owns this phone number?' and writing down the answer on a sticky note for next time.

Interview Questions

How does ARP cache improve network efficiency?
  • Stores IP-to-MAC mappings to avoid repeated broadcasts
  • Entries expire after a timeout to maintain accuracy
  • Reduces network traffic and latency
What is ARP spoofing and why is it dangerous?
  • An attacker sends fake ARP replies to associate their MAC with another IP
  • Victims update their ARP cache with wrong mappings
  • Enables man-in-the-middle attacks and traffic interception
Depth Level
Interview Time: 2-3 minutes
Depth: intermediate

Demonstrates understanding of ARP’s operational details, cache management, and security risks.

Interview Target: Target level for FAANG on-sites

Mastering this level distinguishes you from most candidates and prepares you for deeper networking discussions.

📊
Explanation Depth Levels
💡 Choose your explanation depth based on interview stage and company expectations.
Level | Interview Time | Suitable For | Risk
Basic Definition | 30s | Screening call or initial rounds | Too shallow for on-site or deep technical interviews
Mechanism Depth | 2-3 minutes | On-site interviews at product companies | Requires good understanding; missing details may lower score
💼
Interview Strategy
💡 Use this guide to structure your explanation clearly and confidently before every networking mock interview.

How to Present

  • Start with a concise definition of ARP and its purpose
  • Give a relatable analogy or real-world example
  • Explain the ARP request-reply mechanism and ARP cache role
  • Discuss ARP spoofing as a security concern and mention mitigation

Time Allocation

Definition: 30s → Example: 1min → Mechanism: 2min → Edge cases: 30s. Total ~4min

What the Interviewer Tests

Checks your understanding of local network communication, protocol operation, and awareness of security vulnerabilities.

Common Follow-ups

  • What happens if the ARP cache entry expires? → The device broadcasts a new ARP request to refresh the mapping.
  • Can ARP work across different subnets? → No, ARP is limited to the local broadcast domain; routers handle inter-subnet communication.
💡 These common curveballs test if you understand ARP’s scope and cache behavior.
🔍
Pattern Recognition

When to Use

Interviewers ask about ARP when discussing local network communication, IP-to-MAC mapping, or network security.

Signature Phrases

  • 'Explain ARP and how it works'
  • 'What is ARP cache and why is it important?'
  • 'Describe ARP spoofing and its impact'

Practice

1. In a large enterprise network with frequent topology changes and a need for fast convergence, which routing algorithm is most appropriate to use?
easy
A. Distance Vector routing because it requires less memory and simpler computations
B. Link State routing because it uses periodic full routing table exchanges
C. Distance Vector routing because it avoids flooding the network with updates
D. Link State routing because it quickly propagates topology changes and converges faster

Solution

  1. Step 1: Understand the network requirements for fast convergence

    Large networks with frequent topology changes require routing algorithms that quickly adapt to changes to prevent downtime and routing loops.
  2. Step 2: Compare Distance Vector and Link State routing characteristics

    Distance Vector routing uses periodic updates and can suffer from slow convergence and count-to-infinity problems. Link State routing floods link state advertisements immediately upon topology changes and recalculates routes using Dijkstra's algorithm, leading to faster convergence.
  3. Step 3: Analyze the options

    A. Distance Vector routing because it requires less memory and simpler computations: incorrect; although Distance Vector requires less memory and simpler computations, it converges slower.
    B. Link State routing because it uses periodic full routing table exchanges: incorrect; Link State routing does not use periodic full routing table exchanges but floods link state changes immediately.
    C. Distance Vector routing because it avoids flooding the network with updates: incorrect; Distance Vector routing does not avoid flooding; it sends periodic updates to neighbors.
    D. Link State routing because it quickly propagates topology changes and converges faster: correct.
  4. Final Answer:

    Option D
  5. Quick Check:

    Link State routing is preferred in large, dynamic networks for fast convergence.
Hint: Fast convergence and frequent changes -> Link State routing
Common Mistakes:
  • Assuming Distance Vector is always simpler and better for large networks
  • Confusing periodic updates with flooding
  • Believing Link State exchanges full routing tables periodically
2. Trace the sequence of events in TCP congestion control using AIMD when packet loss is detected via triple duplicate ACKs.
easy
A. Immediately stop sending data until timeout expires
B. Reset congestion window to 1 MSS and start slow start again
C. Cut congestion window to half, then increase linearly after each ACK
D. Ignore loss and continue increasing congestion window exponentially

Solution

  1. Step 1: Identify AIMD response to triple duplicate ACKs

    On triple duplicate ACKs, TCP performs fast retransmit and fast recovery, cutting congestion window to half.
  2. Step 2: Understand congestion window growth after loss

    After halving, TCP increases congestion window linearly (additive increase) to probe for available bandwidth.
  3. Step 3: Differentiate from timeout behavior

    Timeout triggers slow start (reset to 1 MSS), not triple duplicate ACKs.
  4. Step 4: Reject ignoring loss or stopping sending

    Ignoring loss or stopping immediately are incorrect TCP behaviors.
  5. Final Answer:

    Option C
  6. Quick Check:

    Triple duplicate ACKs -> halve cwnd -> linear increase.
Hint: Triple duplicate ACKs -> fast retransmit + halve cwnd; timeout -> slow start.
Common Mistakes:
  • Confusing timeout and triple duplicate ACK loss signals
  • Assuming exponential growth continues after loss
  • Believing TCP stops sending immediately on loss
3. Which of the following statements best explains why recursive DNS queries can increase latency compared to iterative queries?
medium
A. Recursive queries always bypass DNS caching, causing repeated full lookups.
B. Recursive queries use UDP instead of TCP, which increases packet loss and retransmissions.
C. Recursive queries are sent directly to the authoritative server, which is slower than querying root servers first.
D. Recursive queries require the DNS server to perform multiple lookups on behalf of the client, adding processing time and network hops.

Solution

  1. Step 1: Understand recursive query behavior

    Recursive DNS servers perform all necessary lookups to resolve a domain fully before responding.
  2. Step 2: Impact on latency

    This means the recursive server makes multiple network requests, adding processing and network delay.
  3. Step 3: Why other options are incorrect

    Recursive queries do use caching (A is false), do not go straight to the authoritative server or bypass root servers (C is false), and use UDP or TCP depending on message size, which is unrelated to the latency increase (B is false).
  4. Final Answer:

    Option D
  5. Quick Check:

    Recursive queries add latency due to multiple lookups -> correct
Hint: Recursive queries do more work per request, increasing latency.
Common Mistakes:
  • Believing recursive queries bypass caching
  • Thinking recursive queries contact authoritative servers first
  • Confusing transport protocols with query type
4. Which of the following statements about the TCP connection termination process is INCORRECT?
medium
A. The connection closes immediately after the first FIN packet is sent
B. Either side can initiate termination by sending a FIN packet
C. Connection termination requires four steps involving FIN and ACK packets from both sides
D. After termination, both sides enter a TIME_WAIT state to ensure all packets are received

Solution

  1. Step 1: Review TCP termination steps

    Termination involves a four-step exchange: FIN from initiator, ACK from receiver, FIN from receiver, ACK from initiator.
  2. Step 2: Analyze each statement

    C. Connection termination requires four steps involving FIN and ACK packets from both sides: correct; it describes the four-step process.
    B. Either side can initiate termination by sending a FIN packet: correct; either side can initiate.
    D. After termination, both sides enter a TIME_WAIT state to ensure all packets are received: correct; TIME_WAIT ensures delayed packets are handled.
    A. The connection closes immediately after the first FIN packet is sent: incorrect; the connection does not close immediately after the first FIN, it requires the full exchange.
  3. Final Answer:

    Option A
  4. Quick Check:

    Termination is a multi-step process, not instantaneous.
Hint: Termination = 4 steps, not immediate close after FIN
Common Mistakes:
  • Assuming connection closes right after first FIN
  • Thinking only server can initiate termination
  • Ignoring TIME_WAIT state
5. If a load balancer using IP Hash algorithm encounters clients behind a NAT (Network Address Translation) device, what is a potential challenge and how can it be mitigated?
hard
A. Clients behind NAT have different IPs, causing inconsistent routing; mitigation is to disable IP Hash and use Round Robin
B. Multiple clients share the same public IP, causing all their requests to be routed to the same server; mitigation involves using additional session identifiers beyond IP
C. NAT devices block IP Hash algorithms; mitigation is to switch to Least Connections
D. IP Hash cannot detect unhealthy servers behind NAT; mitigation is to increase health check frequency

Solution

  1. Step 1: Understand NAT impact on IP Hash

    NAT causes multiple clients to share a single public IP address.
  2. Step 2: Effect on IP Hash routing

    Since IP Hash uses client IP, all clients behind the same NAT get routed to the same backend server, potentially causing load imbalance.
  3. Step 3: Mitigation strategies

    Using additional session identifiers (cookies, tokens) can differentiate clients beyond IP, improving distribution.
  4. Step 4: Why other options are incorrect

    A. Clients behind NAT have different IPs, causing inconsistent routing; mitigation is to disable IP Hash and use Round Robin: incorrectly states that clients behind NAT have different IPs; they share one.
    C. NAT devices block IP Hash algorithms; mitigation is to switch to Least Connections: falsely claims NAT blocks IP Hash.
    D. IP Hash cannot detect unhealthy servers behind NAT; mitigation is to increase health check frequency: confuses health checks with NAT issues.
  5. Final Answer:

    Option B
  6. Quick Check:

    NAT causes IP Hash collisions; use extra session info to mitigate.
Hint: NAT causes IP Hash collisions; add session IDs
Common Mistakes:
  • Assuming IP Hash works perfectly behind NAT
  • Thinking NAT changes client IPs individually
  • Confusing NAT issues with health check problems