Locking down ARP against ARP Spoofing Attempts?

I just read an article in Linux Pro Magazine about how to prevent ARP protocol attacks on a Layer 2 network using /etc/ethers for static DHCP address assignment based on IP address.

The article also states that one can do this using a Linux command:

arp -s <host-ip-addr> <host-mac-addy>

Done correctly, this helps to prevent rogue hosts from showing up on the network and claiming that they are a different host in order to do a man-in-the-middle attack.

Now considering that someone on a Layer 2 network who already knows the configuration of the network can plug into it and locally configure a static IP address, is there anything else (MAC address filtering, for instance) that could prevent someone from obtaining an address via DHCP and communicating on the network if that MAC address is not allowed?

Or do I need to make sure my subnet is exactly the right size and have all of the computers running on it all the time?

The article gives a Python script that appears to be useful for detecting a MAC address that isn't supposed to be there stealing another IP by sending an ARP advertising packet faster than the host that is supposed to be there; but overall they recommend turning ARP advertising off.

MAC addresses can be manually set as well in Linux, so I still don't quite see how this helps.
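The kind of detection the original poster describes, as an added example that is not the magazine's script and not code from anyone in this thread: it reads a static table in /etc/ethers format (MAC then IP per line), decodes ARP from raw Ethernet frames, and flags any ARP packet whose sender fields do not match the table. The table and the frames below are constructed sample data; the frame builder exists only so the example runs offline.

```python
"""Audit ARP traffic against a static /etc/ethers-style table.

Added example, not the article's script. Assumptions: IPv4 ARP over Ethernet II
(htype 1, ptype 0x0800), and a table in /etc/ethers format. Sample data is constructed.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass
from typing import Optional

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass(frozen=True)
class ArpPacket:
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def parse_ethers(text: str) -> dict[str, str]:
    """Parse /etc/ethers content ('<mac> <ip-or-host>' per line, '#' comments) into ip -> mac."""
    table: dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        mac, ip = line.split()[:2]
        table[ip] = mac.lower()
    return table


def _mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp_frame(frame: bytes) -> Optional[ArpPacket]:
    """Decode an Ethernet II frame carrying IPv4-over-Ethernet ARP; return None for anything else."""
    if len(frame) < 14 + 28:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETH_P_ARP:
        return None
    arp = frame[14:42]
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", arp[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = arp[8:14], arp[14:18], arp[18:24], arp[24:28]
    return ArpPacket(op, _mac_str(sha), _ip_str(spa), _mac_str(tha), _ip_str(tpa))


def build_arp_frame(op: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Build a raw ARP frame. Used here only to construct sample traffic for the example."""
    mac_b = lambda s: bytes(int(x, 16) for x in s.split(":"))
    ip_b = lambda s: bytes(int(x) for x in s.split("."))
    eth_dst = "ff:ff:ff:ff:ff:ff" if op == ARP_REQUEST else target_mac
    eth = mac_b(eth_dst) + mac_b(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_b(sender_mac) + ip_b(sender_ip) + mac_b(target_mac) + ip_b(target_ip)
    return eth + arp


def audit_arp(ethers_text: str, frames: list[bytes]) -> list[tuple[str, str, str]]:
    """Return (verdict, sender_ip, sender_mac) for every ARP packet that contradicts the table.

    "spoof"   : sender IP is in the table but the sender MAC differs (cache-poisoning attempt)
    "unknown" : sender IP is not in the table at all (a host that should not be on this segment)
    Only the sender fields matter: that is what a receiver writes into its ARP cache, and both
    requests and replies can poison it, so the opcode is deliberately not used as a filter.
    """
    expected = parse_ethers(ethers_text)
    findings: list[tuple[str, str, str]] = []
    for frame in frames:
        pkt = parse_arp_frame(frame)
        if pkt is None:
            continue
        good = expected.get(pkt.sender_ip)
        if good is None:
            findings.append(("unknown", pkt.sender_ip, pkt.sender_mac))
        elif good != pkt.sender_mac:
            findings.append(("spoof", pkt.sender_ip, pkt.sender_mac))
    return findings


# Constructed sample table in /etc/ethers format (gateway and one workstation).
SAMPLE_ETHERS = """\
# mac               ip
00:11:22:33:44:01   192.168.1.1
00:11:22:33:44:02   192.168.1.10
"""

# Constructed sample traffic: a legitimate reply, a gateway impersonation, an unknown host, a non-ARP frame.
SAMPLE_FRAMES = [
    build_arp_frame(ARP_REPLY, "00:11:22:33:44:01", "192.168.1.1", "00:11:22:33:44:02", "192.168.1.10"),
    build_arp_frame(ARP_REPLY, "de:ad:be:ef:00:01", "192.168.1.1", "00:11:22:33:44:02", "192.168.1.10"),
    build_arp_frame(ARP_REQUEST, "de:ad:be:ef:00:02", "192.168.1.77", "00:00:00:00:00:00", "192.168.1.10"),
    b"\x00" * 60,
]

if __name__ == "__main__":
    for verdict, ip, mac in audit_arp(SAMPLE_ETHERS, SAMPLE_FRAMES):
        print(f"{verdict:8} {ip:16} {mac}")
```

On a live system the frames would come from a raw socket bound to the LAN interface instead of SAMPLE_FRAMES. Two caveats worth keeping in mind: a static entry added with `arp -s` protects only the host it was added on, so every host needs its own entries for this to stop poisoning; and a rogue device that clones both the MAC and the IP of a legitimate host produces packets this check accepts, which is why port-level controls on a managed switch (DHCP snooping, dynamic ARP inspection) are the stronger answer.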

There are certain defensive mechanisms, but they require a managed switch with certain specs, e.g. DHCP snooping.

A bad actor might as well replicate a MAC/IP pair from a legitimate host.

I don't see any question regarding OpenWrt, nor can anyone comment on the article without reading it.



Yea...I was thinking the omission of the article's link was quite interesting, given it was mentioned in the OP's first sentence and is the basis of the entire post.

I'm waiting for that too...I thought I missed it...

They also would exist on hosts in the broadcast domain (e.g. a malicious device listening for them). Basically, without more Layer 2 security technologies, I don't see how any of it helps.

Also, some devices randomize MACs for security/privacy as well these days, so this really seems like knowing your LAN hosts...
