Which of the following can you mitigate by implementing DAI? (Select the best answer.)
- ARP poisoning attacks
- MAC spoofing attacks
- MAC flooding attacks
- VLAN hopping attacks
Implementing Dynamic ARP Inspection (DAI) can help mitigate Address Resolution Protocol (ARP) poisoning attacks. In an ARP poisoning attack, which is also known as an ARP spoofing attack, the attacker sends a gratuitous ARP (GARP) message to a host. The GARP message associates the attacker’s Media Access Control (MAC) address with the IP address of a valid host on the network. Subsequently, traffic sent to the valid host address will go through the attacker’s computer rather than directly to the intended recipient. DAI intercepts ARP packets arriving on untrusted ports, validates each IP-to-MAC binding against the DHCP snooping binding table (or a configured ARP access list), and drops packets whose binding is invalid, so a forged GARP never reaches other hosts.
You should change the native virtual LAN (VLAN) on trunk ports to an unused VLAN to mitigate VLAN hopping attacks. In a VLAN hopping attack, the attacker sends double-tagged 802.1Q frames over a trunk link. A double-tagged frame is an Ethernet frame containing two distinct 802.1Q headers. Although double-tagging can be used as a legitimate way to tunnel traffic through a network and is commonly used by service providers, it can also be used by an attacker to circumvent security controls on an access switch. In a VLAN hopping attack, the attacker attempts to inject packets into other VLANs by accessing the native VLAN on a trunk and sending double-tagged 802.1Q frames to the switch. The switch strips the outer 802.1Q header from the received frame and then forwards the frame, which still includes an 802.1Q header, across a trunk port to the VLAN of the target host. A successful VLAN hopping attack enables an attacker to send unidirectional traffic to other VLANs without the use of a router.
Implementing sticky secure MAC addresses can help mitigate MAC spoofing attacks. In a MAC spoofing attack, an attacker uses the MAC address of another known host on the network in order to bypass port security measures. MAC spoofing can also be used to impersonate another host on the network.
Limiting the number of MAC addresses permitted on a port can help mitigate MAC flooding attacks. In a MAC flooding attack, an attacker generates thousands of forged frames every minute with the intention of overwhelming the switch’s MAC address table. Once this table is flooded, the switch can no longer make intelligent forwarding decisions and all traffic is flooded. This allows the attacker to view all data sent through the switch because all traffic will be sent out each port. A MAC flooding attack is also known as a content addressable memory (CAM) table overflow attack.
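The following is an added configuration example, not part of the original question or its explanation, showing how the four mitigations described above are typically applied together on a Cisco IOS access switch. The VLAN numbers (10 for users, 999 as the unused native VLAN), the interface names, and the MAC address limit of 2 are assumed values chosen for illustration.

```cisco
! Added example: Cisco IOS-style switch configuration showing the four
! mitigations discussed above. VLAN 10 (users), VLAN 999 (unused native
! VLAN) and the interface names are assumed values, not from the page.

! 1. DAI against ARP poisoning. DAI validates ARP packets on untrusted
!    ports against the DHCP snooping binding table, so DHCP snooping is
!    enabled on the same VLAN first.
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
!
! 2. Uplink trunk: trusted for DHCP snooping and DAI (ARP replies from the
!    rest of the network are not re-validated here), with the native VLAN
!    moved to an unused VLAN so double-tagged frames cannot ride it.
interface GigabitEthernet1/0/24
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10
 ip dhcp snooping trust
 ip arp inspection trust
!
! 3. and 4. User-facing access port: left untrusted (the default) so DAI
!    inspects its ARP traffic; port security caps the number of learned
!    MAC addresses (MAC flooding / CAM overflow) and records them as sticky
!    secure addresses (MAC spoofing). "restrict" drops offending frames and
!    raises a counter/syslog instead of err-disabling the port.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation restrict
 spanning-tree portfast
!
! Verification commands (privileged exec mode, listed here as comments):
! show ip arp inspection vlan 10
! show ip arp inspection statistics vlan 10
! show port-security interface GigabitEthernet1/0/1
! show interfaces GigabitEthernet1/0/24 trunk
```

Two points worth checking after applying such a configuration: DAI drops every ARP packet on untrusted ports that has no matching DHCP snooping binding, so statically addressed hosts need an ARP access list or a static binding or they lose connectivity; and the native VLAN chosen for the trunk should carry no user traffic at all, which is why it is deliberately left out of the allowed VLAN list.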