A processor is configured to identify a first impersonating message, transmitted over a Controller Area Network (CAN) bus by an attacking node connected to the bus, that appears to originate from a source other than the attacking node, to transmit via a transceiver, in response to identifying the first impersonating message, a stream of messages over the bus, until a defense message belonging to the stream collides with, and trumps, a second impersonating message from the attacking node, and to drive the attacking node, subsequently, into an error-passive state in which an ability of the attacking node to communicate over the bus is limited relative to before entering the error-passive state, by repeatedly retransmitting the defense message over the bus in sync with retransmissions of the second impersonating message by the attacking node, such that the defense message collides with, and trumps, multiple subsequent instances of the second impersonating message.