The Company security administrator is concerned with layer 2 network attacks. Which two
statements about these attacks are true? (Select two)
A.
ARP spoofing attacks are attempts to redirect traffic to an attacking host by
encapsulating a false 802.1Q header on a frame and causing traffic to be delivered to the
wrong VLAN.
B.
ARP spoofing attacks are attempts to redirect traffic to an attacking host by sending
an ARP message with a forged identity to a transmitting host.
C.
MAC address flooding is an attempt to force a switch to send all information out
every port by overloading the MAC address table.
D.
ARP spoofing attacks are attempts to redirect traffic to an attacking host by sending
an ARP packet that contains the forged address of the next hop router.
E.
MAC address flooding is an attempt to redirect traffic to a single port by associating
that port with all MAC addresses in the VLAN.
Explanation:
Content Addressable Memory (CAM) Table Overflow (MAC address Flooding)
Content Addressable Memory (CAM) tables are limited in size. If enough entries are entered
into the CAM table before other entries are expired, the CAM table fills up to the point that no
new entries can be accepted. Typically, a network intruder floods the switch with a large
number of invalid source Media Access Control (MAC) addresses until the CAM table fills
up. When that occurs, the switch floods all ports with incoming traffic because it cannot find
the port number for a particular MAC address in the CAM table. The switch, in essence, acts
like a hub. If the intruder does not maintain the flood of invalid-source MAC addresses, the
switch eventually times out older MAC address entries from the CAM table and begins to act
like a switch again. CAM table overflow only floods traffic within the local VLAN so the
intruder only sees traffic within the local VLAN to which he or she is connected.
The CAM table overflow attack can be mitigated by configuring port security on the switch.
This option provides for either the specification of the MAC addresses on a particular switch
port or the specification of the number of MAC addresses that can be learned by a switch
port. When an invalid MAC address is detected on the port, the switch can either block the
offending MAC address or shut down the port. The specification of MAC addresses on
switch ports is far too unmanageable a solution for a production environment. A limit of the
number of MAC addresses on a switch port is manageable. A more administratively scalable
solution is the implementation of dynamic port security at the switch. In order to implement
dynamic port security, specify a maximum number of MAC addresses that will be learned.
Address Resolution Protocol (ARP) Spoofing
ARP is used to map IP addressing to MAC addresses in a local area network segment
where hosts of the same subnet reside. Normally, a host sends out a broadcast ARP request
to find the MAC address of another host with a particular IP address, and an ARP response
comes from the host whose address matches the request. The requesting host then caches
this ARP response. Within the ARP protocol, another provision is made for hosts to perform
unsolicited ARP replies. The unsolicited ARP replies are called Gratuitous ARP (GARP).
GARP can be exploited maliciously by an attacker to spoof the identity of an IP address on a
LAN segment. This is typically used to spoof the identity between two hosts or all traffic to
and from a default gateway in a “man-in-the-middle” attack.
When an ARP reply is crafted, a network attacker can make his or her system appear to be
the destination host sought by the sender. The ARP reply causes the sender to store the
MAC address of the network attacker’s system in the ARP cache. This MAC address is also
stored by the switch in its CAM table. In this way, the network attacker has inserted the MAC
address of his or her system into both the switch CAM table and the ARP cache of the
sender. This allows the network attacker to intercept frames destined for the host that he or
she is spoofing.
Reference:
http://www.cisco.com/en/US/products/hw/switches/ps5023/products_configuration_example09186a00807c4101.shtml