A security administrator receives an IDS alert that a single internal IP address is connecting to several known malicious command and control domains. The administrator connects to the switch and adds a MAC filter to Port 18 to block the system from the network.
BEFORE                          AFTER
MAC Address     VLAN  Port      MAC Address     VLAN  Port
67A7.353B.5064  101   4         67A7.353B.5064  101   4
7055.4961.1F33  100   9         7055.4961.1F33  100   9
0046.6416.5809  101   21        0046.6416.5809  101   21
7027.0108.31B5  100   16        7027.0108.31B5  100   16
5243.6353.7720  101   6         5243.6353.7720  101   6
1484.A471.6542  100   2         1484.A471.6542  100   2
80C7.8669.5845  101   7         80C7.8669.5845  101   7
7513.77B9.4130  101   18        0046.6419.5809  101   18
5A77.1816.3859  101   19        5A77.1816.3859  101   19
8294.7E31.3270  100   8         8294.7E31.3270  100   8
A few minutes later, the same malicious traffic starts again from a different IP. Which of the following is the MOST likely reason that the system was able to bypass the administrator’s MAC filter?
A. The system is now ARP spoofing a device on the switch.
B. The system is now VLAN hopping to bypass the switch port MAC filter.
C. The system is now spoofing a MAC address.
D. The system is now connecting to the switch.
…. an ARP spoof does intercept the current session on the target by injecting fake packets. This is desired for e.g. MITM attacks, while a MAC spoof is nothing else than cloning certain hardware (MAC)
0
0
Skip down to this line:
7513.77B9.4130 101 18 0046.6419.5809 101 18
Before and after, different MACs both going through port 18
MAC has been spoofed
1
0
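The before/after comparison described in the comment above can be automated on the defender's side. The following is an added example, not part of the original question or comments: it diffs two snapshots of the switch MAC address table and reports ports whose learned MAC changed. The function names and the one-hex-digit "lookalike" heuristic are assumptions introduced for illustration.

```python
# Constructed input: the BEFORE table from the question ("MAC VLAN Port").
BEFORE = """
67A7.353B.5064 101 4
7055.4961.1F33 100 9
0046.6416.5809 101 21
7027.0108.31B5 100 16
5243.6353.7720 101 6
1484.A471.6542 100 2
80C7.8669.5845 101 7
7513.77B9.4130 101 18
5A77.1816.3859 101 19
8294.7E31.3270 100 8
"""
# The AFTER table in the question is identical except for the Port 18 row.
AFTER = BEFORE.replace("7513.77B9.4130", "0046.6419.5809")

def parse_table(text):
    """Return {port: (mac, vlan)} from whitespace-separated 'MAC VLAN Port' rows."""
    table = {}
    for line in text.strip().splitlines():
        mac, vlan, port = line.split()
        table[int(port)] = (mac.upper(), int(vlan))
    return table

def changed_ports(before, after):
    """Ports present in both snapshots whose learned MAC address differs."""
    return {p: (before[p][0], after[p][0])
            for p in sorted(before.keys() & after.keys())
            if before[p][0] != after[p][0]}

def lookalikes(mac, table, max_diff=1):
    """Assumed heuristic: other entries within max_diff hex digits of mac."""
    digits = lambda m: m.replace(".", "")
    return [(p, m) for p, (m, _) in sorted(table.items())
            if m != mac and
            sum(a != b for a, b in zip(digits(mac), digits(m))) <= max_diff]

if __name__ == "__main__":
    before, after = parse_table(BEFORE), parse_table(AFTER)
    for port, (old, new) in changed_ports(before, after).items():
        print(f"port {port}: MAC changed {old} -> {new}")
        for other_port, other_mac in lookalikes(new, after):
            print(f"  resembles {other_mac} on port {other_port}")
```

Run against periodic exports of the switch's MAC table, a check like this surfaces a port whose MAC changes shortly after a filter was applied to it.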