CompTIA Security Plus Mock Test Q711

A security administrator is notified that users attached to a particular switch are having intermittent connectivity issues. Upon further research, the administrator finds evidence of an ARP spoofing attack. Which of the following could be utilized to provide protection from this type of attack?

A. Configure MAC filtering on the switch.
B. Configure loop protection on the switch.
C. Configure flood guards on the switch.
D. Configure 802.1x authentication on the switch.


Correct Answer: C
Section: Threats and Vulnerabilities

Explanation:
ARP spoofing is a type of attack in which a malicious actor sends falsified ARP (Address Resolution Protocol) messages over a local area network. This results in the linking of an
attacker’s MAC address with the IP address of a legitimate computer or server on the network. Once the attacker’s MAC address is connected to an authentic IP address, the attacker
will begin receiving any data that is intended for that IP address. ARP spoofing can enable malicious parties to intercept, modify or even stop data in-transit. ARP spoofing attacks can
only occur on local area networks that utilize the Address Resolution Protocol.
To perform ARP spoofing the attacker floods the network with spoofed ARP packets. As other hosts on the LAN cache the spoofed ARP packets, data that those hosts send to the
victim will go to the attacker instead. From here, the attacker can steal data or launch a more sophisticated follow-up attack.
A flood guard configured on the network switch will block the flood of spoofed ARP packets.

Incorrect Answers:
A: MAC filtering will restrict which computers can connect to the switch ports by specifying which MAC address is allowed to connect to each port. However, it will not prevent any of
those computers from initiating an ARP spoofing attack.
B: Loop protection is used to prevent broadcast storms when there are multiple links between network switches. Spanning Tree Protocol is one type of loop protection. Loop protection
does not prevent ARP spoofing attacks.
D: With 802.1X port-based authentication, the supplicant (client device) provides credentials, such as user name/password or digital certificate, to the authenticator, and the
authenticator forwards the credentials to the authentication server for verification. If the authentication server determines the credentials are valid, the supplicant (client device) is
allowed to access resources located on the protected side of the network. However, once the authenticated device is connected to the switch, 802.1x cannot prevent the device from
initiating an ARP spoofing attack.

References:
http://www.veracode.co.uk/security/arp-spoofing