gratuitous ARP reply protection (against ARP poisoning)

Hi,

Is there any way to configure RouterOS to discard gratuitous ARP replies it receives? It accepts gratuitous ARP reply packets by default.

I only found a way to match these packets on bridge interfaces, but in my case the RB1100AHx2 units act as routers on physical Ethernet ports (without a bridge) and I want to protect them against man-in-the-middle ARP poisoning attacks.

JunOS has a “gratuitous-arp-reply” command for this purpose.

Bumping up.

Ability to filter/ignore gratuitous ARP would significantly increase protection against man-in-the-middle attacks on Mikrotik routers.

If I got you correctly, you can either set ARP to reply-only on an interface and create the appropriate static ARP entries, or create a bridge with only one interface to prevent ARP redirection on the router side, and set IP firewall rules to prevent traffic with wrong IP/MAC address combinations from being received.
Please note that ARP spoofing attacks can use various formats of ARP messages!

The best way to prevent ARP spoofing is to use switches supporting DHCP snooping (and/or other features ensuring that hosts can send/receive only packets from the IP addresses assigned to them).
An alternative is to use ArpON or similar software, BUT there may be cases when they won’t detect ARP poisoning attacks (+ there may be other traffic redirection attacks as well).
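The two router-side options from the reply above, written out as a RouterOS configuration. This is an added example, not configuration posted in the thread: the interface name ether1, the 192.168.10.0/24 segment and the host addresses and MAC addresses are constructed placeholders, and the bridge filter part assumes a RouterOS build whose bridge filter offers the mac-protocol=arp / arp-gratuitous matchers.

```routeros
# --- Option 1: reply-only ARP plus static entries on a plain routed port ---
# With arp=reply-only the router never sends ARP requests and never learns
# dynamic entries, so a gratuitous reply cannot overwrite anything. Every host
# the router must reach on ether1 therefore needs a static entry.
/interface ethernet set [ find default-name=ether1 ] arp=reply-only

# Constructed example hosts; replace with the real IP/MAC pairs of the segment.
/ip arp
add address=192.168.10.2 mac-address=AA:BB:CC:DD:EE:02 interface=ether1 comment="host02 (static)"
add address=192.168.10.3 mac-address=AA:BB:CC:DD:EE:03 interface=ether1 comment="host03 (static)"

# Enforce the same IP/MAC binding on the IP layer, so a host that spoofs a
# neighbour's IP address but keeps its own MAC is dropped instead of forwarded.
/ip firewall filter
add chain=input   in-interface=ether1 src-address=192.168.10.2 src-mac-address=AA:BB:CC:DD:EE:02 action=accept comment="host02 bound to its MAC"
add chain=forward in-interface=ether1 src-address=192.168.10.2 src-mac-address=AA:BB:CC:DD:EE:02 action=accept
add chain=input   in-interface=ether1 src-address=192.168.10.3 src-mac-address=AA:BB:CC:DD:EE:03 action=accept comment="host03 bound to its MAC"
add chain=forward in-interface=ether1 src-address=192.168.10.3 src-mac-address=AA:BB:CC:DD:EE:03 action=accept
add chain=input   in-interface=ether1 action=drop comment="any other IP/MAC combination from ether1"
add chain=forward in-interface=ether1 action=drop

# --- Option 2: single-port bridge so the bridge filter can see ARP ---
# ARP matchers only exist in the bridge filter, so the port is wrapped in a
# bridge with one member. The IP address then moves from ether1 to br-ether1.
/interface bridge add name=br-ether1 comment="one-port bridge for ARP filtering"
/interface bridge port add bridge=br-ether1 interface=ether1

# Drop gratuitous ARP arriving on ether1 before it reaches the bridge's ARP cache.
/interface bridge filter
add chain=input in-interface=ether1 mac-protocol=arp arp-gratuitous=yes action=drop comment="discard gratuitous ARP"
# Also refuse ARP replies that claim a known host's IP with a different MAC.
add chain=input in-interface=ether1 mac-protocol=arp arp-opcode=reply arp-src-address=192.168.10.2 arp-src-mac-address=!AA:BB:CC:DD:EE:02 action=drop comment="host02 IP with foreign MAC"
```

Two caveats when applying this. Option 1 breaks connectivity to any host on the segment that has no static entry, because the router no longer asks who owns an address; keep the list complete and add entries before enabling reply-only. Both options protect only the router's own ARP table: a poisoned host on the same segment can still be redirected to an attacker, which is why the reply above points at switch-side features such as DHCP snooping for protecting the hosts themselves.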