PrepAway - Latest Free Exam Questions & Answers

Which statement is true about DHCP spoofing operation?

The Company security administrator wants to prevent DHCP spoofing. Which statement is
true about DHCP spoofing operation?


A.
DHCP spoofing and SPAN cannot be used on the same port of a switch.

B.
To prevent DHCP spoofing, the DHCP server must create a static ARP entry that
cannot be updated by a dynamic ARP packet.

C.
To prevent DHCP spoofing, the switch must have DHCP server services disabled
and a static entry pointing towards the DHCP server.

D.
DHCP spoofing can be prevented by placing all unused ports in an unused VLAN.

E.
None of the other alternatives apply.

Explanation:
About DHCP Spoofing:
Suppose that an attacker could bring up a rogue DHCP server on a machine in the same
subnet as a client PC. When the client broadcasts its DHCP request, the rogue
server could send a carefully crafted DHCP reply with its own IP address substituted as the
default gateway.
When the client receives the reply, it begins using the spoofed gateway address. Packets
destined for addresses outside the local subnet then go to the attacker’s machine first. The
attacker can forward the packets to the correct destination, but in the meantime, it can
examine every packet that it intercepts. In effect, this becomes a type of man-in-the-middle
attack: the attacker is wedged into the path and the client doesn’t realize it.
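
The reply described above can be checked on the monitoring side. The following is an added example, not part of the original explanation: it parses the UDP payload of a DHCP server reply and flags a server identifier or default gateway that is not on an allowlist. The function names, the allowlists and the 192.0.2.x addresses are assumptions made for illustration.

```python
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of the DHCP options field
OFFER, ACK = 2, 5                    # DHCP message types sent by a server

def parse_reply(payload: bytes) -> dict:
    """Extract the audited fields from the UDP payload of a BOOTREPLY."""
    if len(payload) < 240 or payload[0] != 2 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP reply")
    fields = {"yiaddr": str(ipaddress.IPv4Address(payload[16:20])), "routers": []}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:              # end option
            break
        if code == 0:                # pad option has no length byte
            i += 1
            continue
        if i + 2 > len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == 53 and length == 1:        # DHCP message type
            fields["msg_type"] = value[0]
        elif code == 54 and length == 4:      # server identifier
            fields["server_id"] = str(ipaddress.IPv4Address(value))
        elif code == 3 and length % 4 == 0:   # router (default gateway) list
            fields["routers"] = [str(ipaddress.IPv4Address(value[j:j + 4])) for j in range(0, length, 4)]
        i += 2 + length
    return fields

def audit_reply(payload: bytes, trusted_servers: set, expected_gateways: set) -> list:
    """Return policy findings for one reply; an empty list means it is expected."""
    f = parse_reply(payload)
    if f.get("msg_type") not in (OFFER, ACK):
        return []
    findings = []
    if f.get("server_id") not in trusted_servers:
        findings.append(f"untrusted DHCP server {f.get('server_id')}")
    findings += [f"unexpected default gateway {r}" for r in f["routers"] if r not in expected_gateways]
    return findings

def build_reply(server: str, router: str, yiaddr: str = "192.0.2.50") -> bytes:
    """Constructed sample DHCPACK payload (not captured traffic) for testing the audit."""
    ip = lambda s: ipaddress.IPv4Address(s).packed
    header = bytes([2, 1, 6, 0]) + bytes(12) + ip(yiaddr) + bytes(216)  # 236-byte BOOTP header
    options = MAGIC_COOKIE + bytes([53, 1, ACK, 54, 4]) + ip(server) + bytes([3, 4]) + ip(router) + b"\xff"
    return header + options
```
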

About ARP:
Hosts normally use the Address Resolution Protocol (ARP) to resolve an unknown MAC
address when the IP address is known. If a MAC address is needed so that a packet can be
forwarded at Layer 2, a host broadcasts an ARP request that contains the IP address of the
target in question. If any other host is using that IP address, it responds with an ARP reply
containing its MAC address.
To prevent DHCP spoofing, the DHCP server must create a static ARP entry that cannot
be updated by a dynamic ARP packet.

One Comment on “Which statement is true about DHCP spoofing operation?”

  1. KurpLondon says:

    Answer B makes no sense. DHCP servers do not create ARP entries ….

    ARP resolves IP to MAC address. Nothing to do with DHCP binding. Switches use DAI in conjunction with DHCP snooping to check ARP packets.

    E is the only less stupid answer



