Hello, you are using an old browser that's unsafe and no longer supported. Please consider updating your browser to a newer version, or downloading a modern browser.

Global Accelerated Learning • Est. 1999
Glossary Term GARP

Training Camp • Cybersecurity Glossary

What is GARP?

Gratuitous ARP: an unsolicited ARP announcement a device sends for its own IP to update neighbors' caches, used for failover but also a spoofing risk.

Glossary > Network Security > GARP

GARP — Gratuitous ARP: an unsolicited ARP announcement a device sends for its own IP to update neighbors' caches

Understanding GARP

GARP (Gratuitous ARP) is a special, unsolicited Address Resolution Protocol message in which a device announces the mapping of its own IP address to its own MAC address, without any host having requested it. Other devices on the local network use it to update their ARP caches, keeping IP-to-MAC mappings current and detecting conflicts. (GARP is short for Gratuitous ARP, not a distinct protocol named Gratuitous Address Resolution Protocol.)

A gratuitous ARP is typically sent as an ARP request (or sometimes a reply) where the sender's IP and the target IP are the same, the device's own address. Devices on the broadcast domain that hear it refresh or create the corresponding ARP entry. This is used legitimately to detect duplicate IP addresses at startup and, crucially, to support failover: when a virtual IP moves to a new node, the new owner sends a gratuitous ARP so switches and hosts immediately redirect traffic to the new MAC address.

This matters for security because the same unsolicited, trust-on-faith behavior that makes GARP useful also makes it abusable. ARP and gratuitous ARP have no authentication, so an attacker on the local segment can send forged gratuitous ARP messages claiming to own a victim's or gateway's IP, poisoning neighbors' caches and redirecting traffic through the attacker, the basis of ARP spoofing and man-in-the-middle attacks. Mitigations include Dynamic ARP Inspection (DAI), DHCP snooping, and port security on switches.

For example, a high-availability firewall pair shares a virtual IP for the default gateway. When the primary fails, the standby takes over the VIP and immediately broadcasts a gratuitous ARP announcing that the gateway IP now maps to the standby's MAC; switches and hosts update their tables and traffic continues within seconds. An attacker could mimic this by broadcasting a gratuitous ARP claiming the gateway IP maps to the attacker's MAC, silently inserting themselves into the traffic path until Dynamic ARP Inspection or static ARP entries block the forged announcement.

Learn More About GARP:

Ready to Get Certified?

Turn knowledge into credentials with our instructor-led cybersecurity boot camps.

View All Courses →