diff --git a/README.md b/README.md index c23d261..3404414 100644 --- a/README.md +++ b/README.md @@ -121,6 +121,9 @@ Networking: - Optional - Enable IPv6 Privacy Extensions. +- Optional - Drop gratuitous ARP packets to prevent ARP cache poisoning + via man-in-the-middle and denial-of-service attacks. + ### Boot parameters Mitigations for known CPU vulnerabilities are enabled in their strictest form diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 6009fc4..2bec703 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -526,3 +526,14 @@ net.ipv4.tcp_timestamps=0 ## The use of IPv6 Privacy Extensions is currently disabled due to these breakages. ## #net.ipv6.conf.*.use_tempaddr=2 + +## Drop gratuitous ARP (Address Resolution Protocol) packets. +## Stops ARP responses sent by a device without being explicitly requested. +## Prevents ARP cache poisoning by rejecting fake ARP entries into a network. +## Prevents man-in-the-middle and denial-of-service attacks. +## May cause breakages when ARP proxies are used in the network. +## +## https://patchwork.ozlabs.org/project/netdev/patch/1428652454-1224-3-git-send-email-johannes@sipsolutions.net/ +## https://www.practicalnetworking.net/series/arp/gratuitous-arp/ +## +#net.ipv4.conf.*.drop_gratuitous_arp=1
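Review bot: In the README hunk the causal direction is reversed: "prevent ARP cache poisoning via man-in-the-middle and denial-of-service attacks" reads as if MITM and DoS cause the poisoning, whereas the sysctl comment in the same patch describes poisoning as the thing that enables those attacks. Suggest "Drop gratuitous ARP packets to mitigate ARP cache poisoning, which can enable man-in-the-middle and denial-of-service attacks." The entry is marked "Optional" like the IPv6 Privacy Extensions line, but since the matching sysctl ships commented out, a reader would also want the README to say that the setting is disabled by default and that it may break networks that rely on ARP proxies, as the sysctl comment already does.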
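Review bot: In the sysctl hunk the comment "Prevents ARP cache poisoning by rejecting fake ARP entries into a network." overstates what the setting does: by the hunk's own description it only "Stops ARP responses sent by a device without being explicitly requested", so solicited replies are still accepted and poisoning is reduced, not prevented. Suggest "Mitigates ARP cache poisoning by rejecting unsolicited ARP entries." and likewise "Mitigates" rather than "Prevents" on the following line. The setting is added commented out (`#net.ipv4.conf.*.drop_gratuitous_arp=1`) but, unlike the preceding `use_tempaddr` block, the comment never states that it is disabled by default or why; add a line such as "## The setting is currently disabled due to these breakages." so the rationale is documented next to the knob, and consider moving the proxy-ARP caveat directly above it. The wildcard form matches the existing `net.ipv6.conf.*.use_tempaddr` line, so the style is consistent.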