Which of the following can you mitigate by implementing DAI? (Select the best answer.)
A. ARP poisoning attacks
B. MAC spoofing attacks
C. MAC flooding attacks
D. VLAN hopping attacks
Explanation:
Implementing Dynamic ARP Inspection (DAI) can help mitigate Address Resolution Protocol (ARP) poisoning
attacks. In an ARP poisoning attack, which is also known as an ARP spoofing attack, the attacker sends a
gratuitous ARP (GARP) message to a host. The GARP message associates the attacker’s Media Access
Control (MAC) address with the IP address of a valid host on the network. Subsequently, traffic sent to the valid
host address will go through the attacker’s computer rather than directly to the intended recipient.
You should change the native virtual LAN (VLAN) on trunk ports to an unused VLAN to mitigate VLAN hopping
attacks. In a VLAN hopping attack, the attacker sends double-tagged 802.1Q frames over a trunk link. A
double-tagged frame is an Ethernet frame containing two distinct 802.1Q headers. Although double-tagging can
be used as a legitimate way to tunnel traffic through a network and is commonly used by service providers, it
can also be used by an attacker to circumvent security controls on an access switch. In a VLAN hopping attack,
the attacker attempts to inject packets into other VLANs by accessing the native VLAN on a trunk and sending
double-tagged 802.1Q frames to the switch. The switch strips the outer 802.1Q header from the received frame
and then forwards the frame, which still includes an 802.1Q header, across a trunk port to the VLAN of the
target host. A successful VLAN hopping attack enables an attacker to send unidirectional traffic to other VLANs
without the use of a router.
Implementing sticky secure MAC addresses can help mitigate MAC spoofing attacks. In a MAC spoofing
attack, an attacker uses the MAC address of another known host on the network in order to bypass port
security measures. MAC spoofing can also be used to impersonate another host on the network.
Limiting the number of MAC addresses permitted on a port can help mitigate MAC flooding attacks. In a MAC
flooding attack, an attacker generates thousands of forged frames every minute with the intention of
overwhelming the switch’s MAC address table. Once this table is flooded, the switch can no longer make
intelligent forwarding decisions and all traffic is flooded. This allows the attacker to view all data sent through
the switch because all traffic will be sent out each port. A MAC flooding attack is also known as a content
addressable memory (CAM) table overflow attack.
Cisco: Implementation of Security: ARP Spoofing Attack
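As an added example, not taken from the question text or from Cisco's documentation, the following Cisco IOS switch configuration applies all four mitigations the explanation names (DAI, an unused native VLAN, sticky secure MAC addresses, and a per-port MAC address limit); the VLAN numbers, interface names and rate limit are assumed values.

```cisco
! Added example: Cisco IOS switch configuration for the mitigations above.
! VLAN 10 is the user VLAN, VLAN 999 is an unused VLAN, Gi0/1 is the uplink
! trunk and Gi0/2 is a host access port (all assumed for illustration).
!
! 1. DAI against ARP poisoning. DAI checks ARP packets on untrusted ports
!    against the DHCP snooping binding table, so DHCP snooping comes first.
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! Uplink trunk: trusted, so ARP and DHCP traffic arriving from upstream
! switches and servers is not inspected.
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 ! 2. Native VLAN moved to an unused VLAN so double-tagged frames from an
 !    access port cannot land in a production VLAN.
 switchport trunk native vlan 999
 switchport nonegotiate
 ip dhcp snooping trust
 ip arp inspection trust
!
! Host access port: untrusted (the default), with ARP rate limiting.
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 ip arp inspection limit rate 15
 ! 3. Sticky secure MAC addresses against MAC spoofing.
 ! 4. At most two learned addresses against MAC (CAM table) flooding.
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation restrict
!
! Verification commands:
!   show ip arp inspection vlan 10
!   show ip arp inspection statistics vlan 10
!   show port-security interface GigabitEthernet0/2
```

Hosts with static IP addresses have no DHCP snooping binding, so DAI drops their ARP traffic on untrusted ports unless an ARP access list is applied to the VLAN with `ip arp inspection filter`.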