Which of the following best describes a MAC spoofing attack? (Select the best answer.)
A. using GARP messages to associate an attacker’s MAC address with the IP address of a valid host on the network
B. sending forged frames with the intention of overwhelming a switch’s CAM table
C. replacing the IP address of a legitimate website with the IP address of a malicious website
D. using the MAC address of another host on the network in order to bypass port security measures
Explanation:
Of the choices available, using the Media Access Control (MAC) address of another host on the network in order to bypass port security measures best describes a MAC spoofing attack. Normally, the MAC address associated with a host corresponds to the unique, burned-in address (BIA) of its network interface. However, in a MAC spoofing attack, a malicious user virtually modifies the BIA to match the MAC address of the legitimate host on the network. Mimicking the MAC address of a known host can be used to overcome simple security measures such as Layer 2 access control lists (ACLs).

Using gratuitous Address Resolution Protocol (GARP) messages to associate an attacker’s MAC address with the IP address of a valid host on the network best describes an ARP poisoning attack, not a MAC spoofing attack. In an ARP poisoning attack, the attacker sends GARP messages to a host. The GARP messages associate the attacker’s MAC address with the IP address of a valid host on the network. Subsequently, traffic sent to the valid host address will go through the attacker’s computer rather than directly to the intended recipient.

Sending forged frames with the intention of overwhelming a switch’s content addressable memory (CAM) table best describes a MAC flooding attack, not a MAC spoofing attack. In a MAC flooding attack, a malicious user generates thousands of forged frames with the intention of overwhelming the switch’s CAM table, which stores learned MAC addresses. Once this table is flooded, the switch can no longer make intelligent forwarding decisions and all traffic is flooded. This allows the attacker to view all data sent through the switch because all traffic will be sent out each port. Implementing port security can help mitigate MAC flooding attacks.

Replacing the IP address of a legitimate website with the IP address of a malicious website best describes a Domain Name System (DNS) poisoning attack, not a MAC spoofing attack. DNS poisoning is an attack that modifies the DNS cache by providing invalid information. In a DNS poisoning attack, a malicious user attempts to exploit a DNS server by replacing the IP addresses of legitimate hosts with the IP address of one or more malicious hosts. Because the DNS cache of the attacked server is poisoned, it will reply to DNS requests with the IP address of the malicious hosts rather than the IP address of the legitimate hosts.

Cisco: Layer 2 Security Features on Cisco Catalyst Layer 3 Fixed Configuration Switches Configuration Example: Background Information