10.4_MAC Address Table Attack Flashcards
Command used to show the MAC address table
show mac address-table dynamic
True or False
Traffic is flooded only within the local LAN or VLAN. The threat actor can only capture traffic within the local LAN or VLAN to which the threat actor is connected.
True
When this occurs, the switch treats the frame as an unknown unicast and begins to flood all incoming traffic out all ports on the same VLAN without referencing the MAC table. This condition now allows a threat actor to capture all of the frames sent from one host to another on the local LAN or local VLAN.
If the threat actor stops ___ from running or is discovered and stopped, the switch eventually ages out the older MAC address entries from the table and begins to act like a switch again.
macof
To mitigate MAC address table overflow attacks, network administrators must implement ___.
port security
DHCP Attacks
Two types of DHCP attacks are ____
DHCP Starvation and DHCP Spoofing
Both DHCP Starvation and DHCP Spoofing attacks are mitigated by implementing ___.
DHCP snooping
The goal of the DHCP Starvation attack is to ____.
create a DoS for connecting clients.
DHCP Starvation Attack
___ has the ability to look at the entire scope of leasable IP addresses and tries to lease them all. Specifically, it creates DHCP discovery messages with bogus MAC addresses.
Gobbler
____ occurs when a rogue DHCP server is connected to the network and provides false IP configuration parameters to legitimate clients.
DHCP Spoofing Attack
DHCP Spoofing Attack
A rogue server can provide a variety of misleading information:
____: The rogue server provides an invalid gateway or the IP address of its host to create a man-in-the-middle attack. This may go entirely undetected as the intruder intercepts the data flow through the network.
Wrong default gateway
DHCP Spoofing Attack
A rogue server can provide a variety of misleading information:
____: The rogue server provides an incorrect DNS server address pointing the user to a nefarious website.
Wrong DNS server
DHCP Spoofing Attack
A rogue server can provide a variety of misleading information:
___: The rogue server provides an invalid IP address effectively creating a DoS attack on the DHCP client.
Wrong IP address
ARP ATTACKS
According to the ARP RFC, a client is allowed to send an unsolicited ARP Request called a “__.”
gratuitous ARP
When a host sends a gratuitous ARP, other hosts on the subnet store the MAC address and IPv4 address contained in the gratuitous ARP in their ARP tables.
TRUE OR FALSE
The problem is that an attacker can send a gratuitous ARP message containing a spoofed MAC address to a switch, and the switch would update its MAC table accordingly.
TRUE
Therefore, any host can claim to be the owner of any IP and MAC address combination they choose. In a typical attack, a threat actor can send unsolicited ARP Replies to other hosts on the subnet with the MAC Address of the threat actor and the IPv4 address of the default gateway.
ARP spoofing and ARP poisoning are mitigated by implementing __.
DAI
____ is when a threat actor hijacks a valid IP address of another device on the subnet, or uses a random IP address.
IP address spoofing
TRUE OR FALSE
IP address spoofing is not difficult to mitigate, even when it is used inside a subnet in which the IP belongs.
FALSE
IP address spoofing is difficult to mitigate, especially when it is used inside a subnet in which the IP belongs.
_____ occur when the threat actors alter the MAC address of their host to match another known MAC address of a target host.
MAC address spoofing attacks
To stop the switch from returning the port assignment to its correct state, the threat actor can create a ____ that will constantly send frames to the switch so that the switch maintains the incorrect or spoofed information.
program or script
TRUE OR FALSE
There is no security mechanism at Layer 2 that allows a switch to verify the source of MAC addresses, which is what makes it so vulnerable to spoofing.
True
IP and MAC address spoofing can be mitigated by implementing ___.
IPSG
Network attackers can manipulate the Spanning Tree Protocol (STP) to conduct an attack by spoofing the ___ and changing the ___ of a network.
root bridge
topology
To conduct an STP manipulation attack, the attacking host broadcasts STP _____ containing configuration and topology changes that will force spanning-tree recalculations.
bridge protocol data units (BPDUs)
The BPDUs sent by the attacking host announce a ____ in an attempt to be elected as the root bridge.
lower bridge priority
This STP attack is mitigated by implementing ___ on all access ports.
BPDU Guard
The __ is a proprietary Layer 2 link discovery protocol. It is enabled on all Cisco devices by default.
Cisco Discovery Protocol (CDP)
TRUE OR FALSE
CDP broadcasts are sent encrypted and authenticated.
FALSE
CDP broadcasts are sent unencrypted and unauthenticated. Therefore, an attacker could interfere with the network infrastructure by sending crafted CDP frames containing bogus device information to directly-connected Cisco devices.
To mitigate the exploitation of CDP, ___ (limit/increase) the use of CDP on devices or ports.
limit
To disable CDP globally on a device, use the __ global configuration mode command.
no cdp run
To enable CDP globally, use the ___ global configuration command.
cdp run
To disable CDP on a port, use the ___ interface configuration command.
no cdp enable
To enable CDP on a port, use the ____ interface configuration command.
cdp enable
___ (LLDP) is also vulnerable to reconnaissance attacks.
Link Layer Discovery Protocol
Configure ___ to disable LLDP globally.
no lldp run
To disable LLDP on the interface, configure ___ and no ____.
no lldp transmit
lldp receive