Which of the following attacks involves overwhelming a switch’s CAM table? (Select the best answer.)
A.
ARP poisoning
B.
ARP spoofing
C.
MAC flooding
D.
MAC spoofing
Explanation:
A Media Access Control (MAC) flooding attack involves overwhelming a switch’s content addressable memory
(CAM) table. Switches and bridges store learned MAC addresses in the CAM table, which is also known as the
MAC address table. When the CAM table becomes full, no more MAC addresses can be learned. If a switch
receives traffic destined for a MAC address that is not in its MAC address table, the switch floods the traffic out
every port except the port that originated the traffic. Consequently, in a MAC flooding attack, an attacker
attempts to fill the CAM table so that any further traffic will be sent to all ports. Then, because traffic is flooded
out every interface, the attacker can view any traffic that is sent to the switch.
A MAC spoofing attack involves using the MAC address of a legitimate host on the network in order to bypass
port security measures, not overwhelming a switch’s CAM table. Normally, the MAC address associated with a
host corresponds to the unique, burnedin address (BIA) of its network interface. However, in a MAC spoofing
attack, a malicious user virtually modifies the BIA to match the MAC address of the legitimate host on the
network. Mimicking the MAC address of a known host can be used to overcome simple security measures such
as Layer 2 access control lists (ACLs).
An Address Resolution Protocol (ARP) poisoning attack, which is also known as an ARP spoofing attack,involves sending gratuitous ARP (GARP) messages to a target host. The GARP messages associate the
attacker’s MAC address with the IP address of a valid host on the network. Subsequently, traffic sent to the
valid host address will go to the attacker’s computer rather than to the intended recipient.Cisco: Layer 2 Security Features on Cisco Catalyst Layer 3 Fixed Configuration Switches Configuration
Example: Background Information