How to block MITM attack


NethServer Version: 7
Module: IPS Suricata

Hi guys,
how can I block Man in the Middle attack like arp spoofing?
I want to block also any possibility to bypass firewall and proxy and for this I’ve blocked all VPN Services and the access to proxy sites.

Thanks.

What are you worried about? If you want to manage clients in the network, just run them through the proxy, you could also have a public network and private. Not sure I understand what you are trying to do.

We are a school and some students try to modify the arp table with arp spoofing… is there a method to block arp spoofing?

For VPN and proxy sites to bypass the fw/proxy I’ve already blocked VPN services and ports and proxy sites.

Thanks.

Hi @federico.ballarini,

IPS acts on a higher level so we have to go down a network layer to deal with ARP.

Haha usually I like such creative students but I found that you may block their activities with static arp or arptables/arprules:

http://shorewall.org/manpages/shorewall-arprules.html


Thanks a lot!
It’s the first time that I use this technique… can you explain to me what they do and how I can configure it?
It’s a network of 200 computers… what can I use? Static Arp or Arptables/arprules?

Thanks again.
Federico

Static ARP will make the ARP table have fixed entries used.
Arptables/arprules act on a low level like firewall rules and only allow defined MAC addresses.

With 200 clients ARP entries may be much work… What is the goal of your students when doing their ARP spoofing? Are you sure it’s not a faulty network device?


They are only testing the network.
In conclusion, you tell me to use a static table? But what do I have to do to do this?
Thanks.

P.s. And what about this http://arpon.sourceforge.net/ ?

OK so blocking arp when someone is on the network is basically impossible without advanced hardware or if you have time set up static ip addresses along with static arp. If it’s through a router set a static arp for the router and it makes it harder but it’s still possible to poison manually. Trust me as someone who’s done this it’s quite hard to block arp or a lot of things. Once you let someone on the network you just need to force ssl and monitor constantly. There are switches you can get, arp stuff would be on the switch so a good switch should have options to prevent arp, private vlans etc. I know Cisco makes them I’m sure others do as well. Expensive but you pay for security.



I don’t use these preventing methods in my networks so I only know the theory, I just found them by doing some research.

For static ARP table you’ll need to enter all your client MAC addresses in the ARP table as described in the link I posted.

But as @Jclendineng pointed out it’s much work with static IP-MAC mapping and you’re still not safe. As long as the students are just playing and there are no problems it’s maybe not worth the effort.

I don’t know this tool.
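Putting the static ARP advice above into something runnable, as an added example that is not from this thread or from NethServer: the script generates the `ip neigh ... nud permanent` commands from an inventory file (a hypothetical "ip mac dev" format) and compares a capture of `ip neigh show` against that inventory, which is the constant monitoring Jclendineng mentions. The sample inventory and the neighbour-table capture are constructed; it assumes only iproute2, which NethServer 7 (CentOS 7) ships.

```shell
#!/bin/sh
# Added example (not from the thread): pin known hosts with static ARP and
# spot neighbour-table entries that disagree with that inventory.
# Assumes iproute2's "ip neigh" and a hypothetical inventory file with lines
# "ip mac dev" (lowercase MACs, '#' comments allowed).

# Print the "ip neigh" commands that make every inventory host permanent.
# Nothing is executed here; review the output, then pipe it to sh as root.
gen_static_arp() {
    grep -v '^[[:space:]]*#' "$1" | while read -r ip mac dev; do
        [ -n "$ip" ] || continue
        printf 'ip neigh replace %s lladdr %s dev %s nud permanent\n' \
            "$ip" "$mac" "$dev"
    done
}

# Compare a capture of "ip neigh show" (on stdin) against the inventory.
# Reports an inventory IP seen with another MAC (what a spoofed gateway
# looks like from the victim) and any MAC that answers for several IPs.
# A router doing proxy ARP or a multi-homed host also trips the second
# check, so treat it as a lead, not proof. Returns 0 when clean, 1 otherwise.
check_arp() {
    inventory="$1"
    neigh=$(cat)
    report=$(
        grep -v '^[[:space:]]*#' "$inventory" | while read -r ip mac dev; do
            [ -n "$ip" ] || continue
            seen=$(printf '%s\n' "$neigh" |
                awk -v ip="$ip" '$1 == ip && $4 == "lladdr" { print $5 }')
            if [ -n "$seen" ] && [ "$seen" != "$mac" ]; then
                printf 'MISMATCH %s expected %s seen %s\n' "$ip" "$mac" "$seen"
            fi
        done
        printf '%s\n' "$neigh" | awk '
            $4 == "lladdr" { n[$5]++; ips[$5] = ips[$5] " " $1 }
            END { for (m in n) if (n[m] > 1) print "DUPLICATE", m, "claims" ips[m] }'
    )
    [ -n "$report" ] && printf '%s\n' "$report"
    [ -z "$report" ]
}

# Constructed sample inventory so the script runs offline.
SAMPLE_INVENTORY=$(mktemp); trap 'rm -f "$SAMPLE_INVENTORY"' EXIT
cat > "$SAMPLE_INVENTORY" <<'EOF'
# ip            mac                 dev
192.168.1.1     00:11:22:33:44:01   eth0
192.168.1.10    00:11:22:33:44:0a   eth0
192.168.1.11    00:11:22:33:44:0b   eth0
EOF

# Constructed "ip neigh show" capture: .1 (the gateway) now resolves to the
# MAC of .11, which is the picture ARP spoofing leaves in the victim's table.
SAMPLE_NEIGH='192.168.1.1 dev eth0 lladdr 00:11:22:33:44:0b REACHABLE
192.168.1.10 dev eth0 lladdr 00:11:22:33:44:0a STALE
192.168.1.11 dev eth0 lladdr 00:11:22:33:44:0b REACHABLE
192.168.1.50 dev eth0 FAILED'

if [ "${1:-}" = "--demo" ]; then
    gen_static_arp "$SAMPLE_INVENTORY"
    printf '%s\n' "$SAMPLE_NEIGH" | check_arp "$SAMPLE_INVENTORY"
fi
```

Run it with `--demo` to see both outputs on the constructed data. A static entry is only enforced on the host that holds it: pinning the clients on the NethServer box protects the server's own view of them, while each client would need its own permanent entry for the gateway to be protected the other way, and every NIC swap means updating the inventory, which is the maintenance cost the thread warns about for 200 machines.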

Arpon won’t work most likely, most people find it doesn’t do too much but it doesn’t hurt to try. Best bet is a switch, but I’ll think of some other ideas when I get home today.


Hi

For schools, and other similar “public” institutions vLAN can be your friend.

I’ve been entrusted with the job of “protecting” public higher level schools from “wise guy” students, also other students who think copy pasting from Google makes them a “guru”. Better (or worse) script kiddies…

But as mentioned before: You NEED good switches (pricey), but combining vLAN, restrictive Proxies and Firewalls (Even between your subnets!) can help solve the problem.

Basic concept for vLANs:

10 public (students) network
11 printing (public)
12 teachers / faculty members
13 printing (teachers / faculty members)

20 servers
21 DMZ

and so on.

The BIG difference in a “public” institution like a school / university is you can’t just fire / reprimand someone who’s misusing the infrastructure, you have to make it break-proof and basically bullet-proof and tamper-proof everything. This also means basic access: Locked IT rooms!
I’ve had such institutions dish out thousands for security, only to leave doors and server racks open. Not really practical…

Off-Topic:
A “wise guy” even stole the school's WLan AP in the cafeteria - ending the free WLan for all for quite some time (Till the new budget almost a year later). The AP was actually hidden in the ceiling, not that easily accessible…

My 2 cents
Andy

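Andy's VLAN plan turned into Linux configuration, as an added example that is not part of his post or of NethServer: it builds one 802.1Q sub-interface per VLAN on a trunk port and a default-deny FORWARD policy with an explicit allow matrix, which is the "Firewalls (Even between your subnets!)" part. The plan file, the 10.0.<id>.0/24 subnets, the trunk name eth1 and the allow list are all assumptions made for the example; on NethServer, whose firewall is driven through Shorewall, the same policy belongs in its own rule configuration rather than in raw iptables commands, which is why the script prints everything instead of executing it.

```shell
#!/bin/sh
# Added example (not from the thread): a VLAN plan rendered as Linux VLAN
# sub-interfaces plus a default-deny inter-VLAN forwarding policy.
# Assumes iproute2 and iptables, one trunk port (TRUNK), and a hypothetical
# plan file with lines "id name subnet". Output is printed, not executed.

TRUNK=${TRUNK:-eth1}

# Plan file, constructed for the example. The VLAN ids follow the plan in
# the post; the subnets 10.0.<id>.0/24 are an assumption.
PLAN=$(mktemp); trap 'rm -f "$PLAN"' EXIT
cat > "$PLAN" <<'EOF'
10 students   10.0.10.0/24
11 print-pub  10.0.11.0/24
12 teachers   10.0.12.0/24
13 print-fac  10.0.13.0/24
20 servers    10.0.20.0/24
21 dmz        10.0.21.0/24
EOF

# Pairs "src dst" that may open connections; everything else between VLANs
# is dropped and logged. Students reach their printers and the servers,
# teachers reach theirs, nobody reaches the other group's printers.
ALLOWED='students print-pub
students servers
teachers print-fac
teachers servers'

# One 802.1Q sub-interface per plan line, e.g. eth1.10 for VLAN 10.
vlan_links() {
    while read -r id name subnet; do
        printf 'ip link add link %s name %s.%s type vlan id %s\n' \
            "$TRUNK" "$TRUNK" "$id" "$id"
        printf 'ip link set %s.%s up\n' "$TRUNK" "$id"
    done < "$PLAN"
}

# Look up a VLAN's subnet by its plan name.
subnet_of() {
    awk -v n="$1" '$2 == n { print $3 }' "$PLAN"
}

# Default deny between VLANs, replies to allowed flows accepted, then the
# explicit allow matrix, then a log line for whatever was dropped.
vlan_forward_rules() {
    printf 'iptables -P FORWARD DROP\n'
    printf 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    printf '%s\n' "$ALLOWED" | while read -r src dst; do
        [ -n "$src" ] || continue
        printf 'iptables -A FORWARD -s %s -d %s -m conntrack --ctstate NEW -j ACCEPT\n' \
            "$(subnet_of "$src")" "$(subnet_of "$dst")"
    done
    printf 'iptables -A FORWARD -j LOG --log-prefix "INTERVLAN-DROP "\n'
}

if [ "${1:-}" = "--demo" ]; then
    vlan_links
    vlan_forward_rules
fi
```

The LOG rule at the end is what makes the "monitor constantly" advice cheap: every blocked inter-VLAN attempt shows up in the kernel log with a fixed prefix, so a student poking at the teachers' subnet is visible without any extra tooling. Internet access and the DMZ are deliberately left out of the matrix; they need their own rules on the WAN side.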

I can attest to this being a student at one point :smiley: I try to always think how I would break something if I were wanting to…and protect against that. It's hard though, without a good bit of money, best bet is monitor the heck out of the network and feel free to kick (think of it as a temp-ban) but monitoring takes time, not a lot of options. When giant corporations can't keep secure, with all that money there’s always a way through. Always a good principle to remember.