
Defense Tools

In SimNet's Transmission Defense category, the network has already been breached by an attacker. Your job is not to "catch the bad guy" but to protect your own communications inside a hostile environment — like locking the doors, installing cameras, and encrypting your mail in a neighborhood that has thieves prowling around.

This page introduces three primary defense tools, each one mapped to a specific attack technique.

Static ARP Entry — Defending Against ARP Spoofing

What does it defend against?

ARP Spoofing is when an attacker forges ARP Reply packets so that your machine maps the attacker's MAC address to the gateway's IP. You think packets are reaching the router, but they are all being sent to the attacker instead — this is the first step of a man-in-the-middle (MITM) attack.

You can picture it as someone secretly swapping the number plate on your mailbox so the postal carrier delivers your letters next door.

How do you use it?

Use the arp -s command to manually bind the gateway's IP to its "real" MAC address:

bash
simnet@pc1:~$ arp -s 192.168.1.1 aa:bb:cc:dd:ee:01
Static ARP entry added: 192.168.1.1 aa:bb:cc:dd:ee:01

Once configured, forged ARP Replies for that address are simply ignored: a static entry is never overwritten by dynamic ARP, as if you had written the correct number on your mailbox in permanent marker. Keep in mind that the entry only pins this host's view of the gateway. In a real network the attacker can still poison the gateway's cache with a forged entry for your IP, so traffic coming back to you may still be diverted unless the gateway side is pinned as well.

Procedure

  1. Confirm the gateway's real MAC address — hover over the router icon in the topology view.
  2. Set the static ARP entry: arp -s <gateway-ip> <real-mac>.
  3. Verify — use arp -a to confirm the entry is now static (the Flags column shows M).
bash
simnet@pc1:~$ arp -a
Address          HWtype  HWaddress           Flags Iface
192.168.1.1      ether   aa:bb:cc:dd:ee:01   M     eth0

M marks a manually configured (permanent) entry; it will not be overwritten by incoming ARP packets.
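The behaviour described above, as an added model that is not part of SimNet's own code: an ARP cache that learns from replies but refuses to overwrite a static entry, run once without and once with the `arp -s` pin, plus a parser for the `arp -a` layout shown on this page that implements step 3 of the procedure. The gateway address and MAC are the ones used on this page; the attacker MAC and the replayed-reply loop are constructed for the example.

```python
"""Added example (not SimNet's own code): how a static ARP entry survives
forged ARP Replies. The table layout mirrors the `arp -a` output on this
page; the attacker MAC and the attack loop are constructed."""

from dataclasses import dataclass, field

GATEWAY_IP = "192.168.1.1"
GATEWAY_MAC = "aa:bb:cc:dd:ee:01"      # "real" MAC from the topology view
ATTACKER_MAC = "de:ad:be:ef:00:99"     # constructed: MAC in the forged replies


@dataclass
class ArpEntry:
    mac: str
    static: bool = False   # True is the "M" flag in `arp -a`


@dataclass
class ArpCache:
    iface: str = "eth0"
    table: dict = field(default_factory=dict)

    def add_static(self, ip, mac):
        """arp -s <ip> <mac>: pin the mapping; traffic never updates it."""
        self.table[ip] = ArpEntry(mac, static=True)

    def on_arp_reply(self, sender_ip, sender_mac):
        """Dynamic learning: a reply updates the cache unless the entry is static.
        Returns True if the cache changed."""
        entry = self.table.get(sender_ip)
        if entry is not None and entry.static:
            return False           # reply (forged or genuine) ignored
        self.table[sender_ip] = ArpEntry(sender_mac, static=False)
        return True

    def lookup(self, ip):
        entry = self.table.get(ip)
        return entry.mac if entry else None

    def show(self):
        """Render the table in the page's `arp -a` layout (C = dynamic, M = manual)."""
        lines = ["Address          HWtype  HWaddress           Flags Iface"]
        for ip, e in self.table.items():
            flags = "M" if e.static else "C"
            lines.append(f"{ip:<16} ether   {e.mac:<19} {flags:<5} {self.iface}")
        return "\n".join(lines)


def gateway_is_pinned(arp_output, gateway_ip, real_mac):
    """Step 3 of the procedure: parse `arp -a` output and confirm the gateway
    row exists, shows the expected MAC and carries the M flag."""
    for line in arp_output.splitlines()[1:]:
        cols = line.split()
        if len(cols) >= 4 and cols[0] == gateway_ip:
            return cols[2].lower() == real_mac.lower() and "M" in cols[3]
    return False


def spoofing_attempt(pin_first):
    """Run the attack with or without the static entry. Returns the MAC that
    gateway-bound traffic would be sent to, and the resulting cache."""
    cache = ArpCache()
    if pin_first:
        cache.add_static(GATEWAY_IP, GATEWAY_MAC)
    else:
        cache.on_arp_reply(GATEWAY_IP, GATEWAY_MAC)   # learned normally at boot
    for _ in range(5):                                 # attacker keeps replaying
        cache.on_arp_reply(GATEWAY_IP, ATTACKER_MAC)
    return cache.lookup(GATEWAY_IP), cache


if __name__ == "__main__":
    for pinned in (False, True):
        mac, cache = spoofing_attempt(pinned)
        print(f"static entry set: {pinned} -> gateway traffic goes to {mac}")
        print(cache.show(), "\n")
```

Without the pin the last forged reply wins and the gateway row points at the attacker; with the pin every forged reply is dropped and the parser reports the entry as static with the expected MAC.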

The template ships no built-in example challenge for ARP defense; downstream forks adopting this template can add one following the quickstart on the Challenge examples home page.

TLS / HTTPS — Defending Against MITM Eavesdropping and Tampering

What does it defend against?

Even if an attacker manages to intercept your traffic (via ARP Spoofing or any other means), an encrypted and authenticated connection (TLS / HTTPS) leaves them with ciphertext: they cannot read it, and any modification is detected and rejected by the receiving side. The one condition is that the client verifies the server's certificate; a middleman who can get the client to accept a certificate of its own (for example because verification was disabled) can still terminate the connection and read everything.

Think of plaintext HTTP as sending a postcard — every person who handles it can read it; HTTPS is a sealed envelope — only the recipient can open it.

How do you use it?

There are two ways to enable an encrypted connection:

Option 1: Use https:// directly in the URL

bash
simnet@pc1:~$ curl https://192.168.1.100/flag
<html><body>FLAG{encrypted_and_safe}</body></html>

Option 2: Enable globally with tls enable

bash
simnet@pc1:~$ tls enable
TLS enabled. HTTP connections will use encryption.

simnet@pc1:~$ curl http://192.168.1.100/flag
(auto-upgraded to HTTPS)
<html><body>FLAG{encrypted_and_safe}</body></html>

After tls enable, even if you write http://, the system automatically upgrades the connection to encrypted.

What happens under the hood?

Once TLS is enabled:

  • Your PC and the server perform a TLS handshake: the server proves its identity with its certificate and both sides derive the session keys.
  • Every request and response is encrypted with those keys.
  • Packets intercepted by a middleman are ciphertext: unreadable, and any change breaks the integrity check, so the connection fails rather than delivering altered data.
  • In the Traffic Log you will see the packet Protocol labeled TLS instead of HTTP.
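To make the "postcard versus sealed envelope" difference concrete, here is an added model that is not SimNet's own code: the same flag page sent once as plaintext HTTP and once inside an encrypted, authenticated record, with a middleman that reads and tampers with both. Real TLS uses an AEAD cipher such as AES-GCM; to stay inside the Python standard library this uses a constructed encrypt-then-MAC scheme (HMAC-SHA256 as a counter-mode keystream, HMAC-SHA256 tag). The session keys are assumed to have come out of a completed handshake that the attacker was not party to; the tamper positions and the page contents are constructed.

```python
"""Added example (not SimNet's own code): what a middleman gets from plaintext
HTTP versus an encrypted, authenticated record. The cipher is a constructed
stand-in for a TLS record layer, not TLS itself."""

import hashlib
import hmac
import os

FLAG_PAGE = b"<html><body>FLAG{encrypted_and_safe}</body></html>"
NONCE_LEN, TAG_LEN = 12, 32


def _keystream(key, nonce, length):
    """Counter-mode keystream: block i = HMAC-SHA256(key, nonce || i)."""
    out = b""
    i = 0
    while len(out) < length:
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        i += 1
    return out[:length]


def seal(enc_key, mac_key, plaintext):
    """Encrypt-then-MAC. Record layout: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(enc_key, mac_key, record):
    """Check the tag before decrypting; a single modified byte is rejected."""
    nonce, ct, tag = record[:NONCE_LEN], record[NONCE_LEN:-TAG_LEN], record[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("record tampered with: bad MAC")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def http_exchange(tamper):
    """Plaintext HTTP: the middleman reads the page and may rewrite it unnoticed."""
    on_the_wire = FLAG_PAGE
    attacker_saw_flag = b"FLAG{" in on_the_wire
    if tamper:   # constructed: attacker swaps the flag for one of its own
        on_the_wire = on_the_wire.replace(b"FLAG{encrypted_and_safe}", b"FLAG{attacker_planted}")
    return {"attacker_saw_flag": attacker_saw_flag, "client_got": on_the_wire, "rejected": False}


def tls_exchange(tamper):
    """Encrypted record: the middleman sees ciphertext; a flipped byte fails the MAC."""
    enc_key, mac_key = os.urandom(32), os.urandom(32)   # assumed: output of the handshake
    record = seal(enc_key, mac_key, FLAG_PAGE)
    attacker_saw_flag = b"FLAG{" in record
    if tamper:   # constructed: flip one byte inside the ciphertext body
        pos = NONCE_LEN + 8
        record = record[:pos] + bytes([record[pos] ^ 0xFF]) + record[pos + 1:]
    try:
        plaintext = unseal(enc_key, mac_key, record)
        return {"attacker_saw_flag": attacker_saw_flag, "client_got": plaintext, "rejected": False}
    except ValueError:
        return {"attacker_saw_flag": attacker_saw_flag, "client_got": None, "rejected": True}


if __name__ == "__main__":
    for name, fn in (("HTTP", http_exchange), ("TLS ", tls_exchange)):
        for tamper in (False, True):
            r = fn(tamper)
            print(f"{name} tamper={tamper!s:5} attacker read flag: {r['attacker_saw_flag']!s:5} "
                  f"rejected: {r['rejected']!s:5} client got: {r['client_got']}")
```

The property the page is describing is the combination of the two checks: the keystream hides the contents, and the tag, verified with a constant-time compare before anything is decrypted, turns any modification into a failed connection instead of a silently altered page. Note that nothing here authenticates who holds the keys; that is the job of the certificate check in the handshake.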

The template ships no built-in example challenge for TLS / MITM defense; downstream forks can add their own.

DNS Verification — Defending Against DNS Spoofing

What does it defend against?

DNS Spoofing is when an attacker tampers with DNS responses, so that when you query flag.simnet.local you get the attacker's IP instead of the real server's IP. You think you reached the legitimate server, but it is a fake.

You can picture it as someone tampering with the contact list on your phone — you dial "Mom" but the call actually goes to a scammer.

How do you use it?

Use the dns verify command to check whether DNS resolution has been tampered with:

bash
simnet@pc1:~$ dns verify flag.simnet.local
DNS response mismatch detected!
  Expected: 10.0.0.3
  Got:      10.0.0.99 (possible DNS spoofing)

A mismatch means DNS has been meddled with. At that point you can:

Option A: Connect by IP directly (skip DNS)

bash
simnet@pc1:~$ curl https://10.0.0.3/flag

Look up the server's real IP from the topology view and connect to it directly, bypassing DNS entirely.

Option B: Let the system correct itself after verification

In some challenges, dns verify not only detects the problem but also caches the correct IP, so that subsequent domain lookups point to the right server.

Procedure

  1. Verify DNS first: dns verify <domain> to check whether the response is correct.
  2. If tampering is detected — connect by real IP, or wait until verification has corrected things before using the domain.
  3. Confirm the fix — run nslookup <domain> again to make sure the IP is right.
bash
simnet@pc1:~$ dns verify flag.simnet.local
DNS response verified: flag.simnet.local 10.0.0.3

simnet@pc1:~$ nslookup flag.simnet.local
Name:      flag.simnet.local
Address:   10.0.0.3
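The procedure above, as an added model that is not SimNet's own code: a fake resolver that returns whatever is on the wire, a `verify` that compares the answer with the known-good address from the topology view and prints the same messages as `dns verify` on this page, the Option B behaviour (pinning the correct address so later lookups return it), and Option A (building the URL from the real IP and skipping DNS). The known-good table and the spoofed answer are constructed for the example.

```python
"""Added example (not SimNet's own code): a model of `dns verify` with both
recovery options from this page. EXPECTED stands in for the topology view."""

EXPECTED = {"flag.simnet.local": "10.0.0.3"}   # assumed: real IPs from the topology view


class Resolver:
    """Stand-in for the network's DNS. `answers` is what the wire returns
    (possibly spoofed); `pinned` holds addresses that verify() has confirmed."""

    def __init__(self, answers):
        self.answers = dict(answers)
        self.pinned = {}

    def lookup(self, name):
        """nslookup <name>: a verified pin wins over whatever the wire says."""
        return self.pinned.get(name, self.answers.get(name))

    def verify(self, name):
        """dns verify <name>: compare the wire answer with the known-good address.
        Returns (ok, message). On a mismatch the correct address is pinned so
        that later lookups point at the right server (Option B)."""
        expected = EXPECTED.get(name)
        if expected is None:
            return False, f"no known-good address for {name}; cannot verify"
        got = self.answers.get(name)
        if got == expected:
            return True, f"DNS response verified: {name} {expected}"
        self.pinned[name] = expected
        return False, ("DNS response mismatch detected!\n"
                       f"  Expected: {expected}\n"
                       f"  Got:      {got} (possible DNS spoofing)")


def url_by_ip(name, path):
    """Option A: skip DNS entirely and connect to the real IP over HTTPS."""
    return f"https://{EXPECTED[name]}{path}"


def run_procedure(resolver, name):
    """Steps 1 to 3 of the procedure. Returns (verified, ip_after_verify, message)."""
    ok, msg = resolver.verify(name)          # step 1: verify
    ip = resolver.lookup(name)               # step 3: nslookup again
    return ok, ip, msg


if __name__ == "__main__":
    spoofed = Resolver({"flag.simnet.local": "10.0.0.99"})   # constructed attacker answer
    ok, ip, msg = run_procedure(spoofed, "flag.simnet.local")
    print(msg)
    print("after verification, flag.simnet.local ->", ip)
    print("or skip DNS:", url_by_ip("flag.simnet.local", "/flag"))
```

The check is only as good as the known-good table: if the expected address itself came from the network rather than from the topology view, the verification proves nothing.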

The template ships no built-in example challenge for DNS verification; downstream forks can add their own.

Combined Defense

In integrated challenges (which downstream forks may design themselves), an attacker might use ARP, DNS, and MITM techniques all at once. In that case you need to deploy all three lines of defense simultaneously:

bash
# 1. Set a static ARP entry — prevent the gateway from being impersonated
simnet@pc1:~$ arp -s 192.168.1.1 aa:bb:cc:dd:ee:01

# 2. Verify DNS — prevent domain hijacking
simnet@pc1:~$ dns verify flag.simnet.local

# 3. Enable TLS — prevent content from being eavesdropped or tampered with
simnet@pc1:~$ tls enable

# Once everything is in place, retrieve the flag safely
simnet@pc1:~$ curl https://flag.simnet.local/flag
<html><body>FLAG{defense_in_depth}</body></html>

The order of the three lines of defense does not matter, but missing any one of them gives the attacker a way through. This is the core idea of Defense in Depth in security — no single line of defense is bulletproof; safety comes from layering.

Cheat Sheet

| Tool | Command | Defends Against | How It Works |
|---|---|---|---|
| Static ARP | arp -s <ip> <mac> | ARP Spoofing | Pins the IP-to-MAC mapping so forged replies cannot overwrite it |
| TLS / HTTPS | tls enable or curl https://... | MITM eavesdropping / tampering | Encrypts and authenticates traffic so a middleman cannot read or modify it |
| DNS Verification | dns verify <domain> | DNS Spoofing | Checks that name resolution points to the correct IP |