MITM 8: Countermeasures

Posted on March 4, 2012


There are two main kinds of countermeasures  for the ARP poisoning and the man-in-the-middle attack in general. The first is the prevention and the second is detection. Prevention try to avoid an attacker while detection trigger an alarm when it notices that looks like an attack or the result of an attack. To ensure a good security, both has to be implemented. The main issue is that in order to prevent and detect an attack, the administrator has to know and understand the different possible attacks. Since this might be complicated for a security admin to cover all the attacks, most of the time, they use third-party measures (e.g. Intrusion Detection System and secure protocols). However those measures cover only what developers were up to. The goal of every attacker is to be smarter than the security admin by thinking further about security issues the admin hasn’t expected.


There are many prevention systems with different efficiency and time to implement that can be used regarding the LAN configuration:

Static ARP table

The easiest and quite very efficient solution: Each host on the LAN, or at least the most sensitive ones (e.g. default gateway, DHCP server, DNS, web server, etc), have them MAC address set manually in the ARP table and can’t be modify with ARP reply. Even though this measure is easy to implement, in large LAN, this might be quite long and exhaustive.

Here is the syntax to add a static entry in your ARP table:


ARP filtering

Another measure, much less efficient than static ARP table is ARP filtering. A first countermeasure would be to drop each ARP reply that hasn’t been requested. It is also possible to filter ARP packet based on different parameters (e.g. source and destination) thanks to the command arptables (which is like iptable but for arp packet).

Using encrypted and authenticated channel

This is not a measure against ARP poisoning but against MITM attack in general. Using encrypted channel makes the data captured by an attacker is irrelevant without the proper key. With ARP spoofing the MITM attack is established on a low-level on the OSI model (between data-link and network), therefore, an attacker could first establish a secure connection with the victim, then with the destination and forward the information decrypted from the host to an encrypted communication with the destination. This way, even if the victim uses a encrypted channel, the attacker can read the communication anyway. In order to avoid this security issue, secure hosts (like web server) use an authentication system to ensure that the communication is established with the proper host.


Sometimes the prevention systems may be too restrictive, too complicated for the implementation or not efficient enough. An Intrusion Detection System (IDS) might be the solution. It analyzes the hosts’ behaviours  and trigger an alarm when something is suspicious. IDS analyzes behaviours regarding some rules. Here a few examples:

  • Check if the sender MAC address of an ARP reply coming from a sensitive host (e.g. default gateway) match the proper MAC address (wrote previously by the security admin).
  • Check if a host send unsolicited ARP reply.
  • Check if each IP address has a unique MAC address in the LAN.

Many other rules can be set against ARP poisoning and MITM but these were some example of how to implement a first protection. I advice you as a quick solution to either check the MAC address of your default gateway with arp -a and see if it match the one of your router (most of the time, the MAC is printed on the router), either by setting a static MAC address. On desktop, this is the best solution, but this might be complicated for mobile device such as laptop because anytime you connect to a new LAN, you will need to set a new static MAC address for the default gateway.

Posted in: Tutorials