
Activation

When the backup server is brought into operation, it sets up an interface with the IP address of the server it is to back up. Again, this can be an additional physical interface or an IP alias. The backup server then uses ARP spoofing for the duration of its operation to ensure that it receives all packets directed to the server it is backing up.

The spoofed ARP packets announce the hardware address of the backup server, which has an interface for the now lame server's IP address. These ARP packets are addressed to the broadcast hardware address. This is known as a Gratuitous ARP, as a machine makes an ARP request for its own IP address.

ARP is central to the functioning of a LAN, as it enables the hardware address of a machine to be found given its IP address. Once the hardware address of a machine is known, packets can be sent to it over the LAN. Machines keep a cache of hardware to IP address mappings so that a fresh ARP request doesn't need to be sent out for each IP packet. The hardware address in the most recent ARP reply for a given IP address will be used. Hence, by using Gratuitous ARP it is possible to force this cache to be flushed, redirecting IP packets to a different hardware address and hence, in this case, a different machine.

It is important that the ARP packets are sent frequently enough that the ARP caches of other boxen on the LAN do not expire. If an ARP cache did expire, then an ARP request for the hardware address of the lame server would be issued. If the lame server is in a state where it is able to answer ARP requests, then a race condition would be created between the lame server and the backup server, as shown in Figure 2.


   [ARP Race]
Figure 2: Race Condition for ARP replies
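
The takeover and the race described above can be observed passively on the LAN. The following is an added example, not part of the original page: it parses Ethernet ARP frames, marks Gratuitous ARP, and replays them through a cache modelled as the text describes it (the most recent announcement wins), recording every change of hardware address for an IP. All addresses, the frame sequence and the function names are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

BROADCAST, ZERO = b"\xff" * 6, b"\x00" * 6

def sample_frame(dst, op, sha, spa, tha, tpa):
    """Constructed test input: Ethernet header + ARP body (IPv4 over Ethernet)."""
    header = dst + sha + struct.pack("!H", 0x0806)
    body = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return header + body + sha + IPv4Address(spa).packed + tha + IPv4Address(tpa).packed

def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4 ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    spa, tpa = frame[28:32], frame[38:42]
    return {
        "op": op,
        "sha": frame[22:28].hex(":"),
        "spa": str(IPv4Address(spa)),
        # Gratuitous: the sender asks about its own IP address, sent to broadcast.
        "gratuitous": spa == tpa and frame[0:6] == BROADCAST,
    }

def watch(frames):
    """Replay frames through a 'latest announcement wins' cache and log rebinds."""
    cache, rebinds = {}, []
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None:
            continue
        old = cache.get(arp["spa"])
        if old is not None and old != arp["sha"]:
            rebinds.append((arp["spa"], old, arp["sha"], arp["gratuitous"]))
        cache[arp["spa"]] = arp["sha"]  # the most recent sender mapping replaces the old one
    return cache, rebinds

# Constructed addresses: 192.0.2.0/24 is documentation space, MACs are locally administered.
SERVER, BACKUP, CLIENT = (bytes.fromhex(h) for h in ("02000000000a", "02000000000b", "02000000000c"))
FRAMES = [
    sample_frame(CLIENT, 2, SERVER, "192.0.2.10", CLIENT, "192.0.2.20"),   # server healthy
    sample_frame(BROADCAST, 1, BACKUP, "192.0.2.10", ZERO, "192.0.2.10"),  # backup activates
    sample_frame(CLIENT, 2, SERVER, "192.0.2.10", CLIENT, "192.0.2.20"),   # lame server answers: race
    sample_frame(BROADCAST, 1, BACKUP, "192.0.2.10", ZERO, "192.0.2.10"),  # next periodic announcement
]
CACHE, REBINDS = watch(FRAMES)
```

An IP address that alternates between two hardware addresses in `REBINDS` is the signature of the race in Figure 2; a single gratuitous rebind is what a clean activation looks like.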


Horms
1998-04-13