Module 14 Flashcards
is considered to be the weakest link in the network system.
Layer 2
Includes MAC table overflow (also called MAC Address Flooding) Attacks.
MAC Table Attacks
Includes VLAN hopping and VLAN double-tagging attacks. It also includes attacks between devices on a common VLAN.
VLAN Attacks
Includes DHCP starvation and DHCP spoofing attacks.
DHCP Attacks
Includes ARP spoofing and ARP poisoning attacks.
ARP Attacks
Includes MAC Address and IP address spoofing attacks.
Address Spoofing Attacks
Includes Spanning Tree Protocol manipulation attacks.
STP Attacks
The following strategies are recommended:
*Always use secure variants of these protocols such as SSH, SCP, and SSL.
*Consider using out-of-band (OOB) management.
*Use a dedicated management VLAN where nothing but management traffic resides.
*Use ACLs to filter unwanted access.
pyramid
port security
dhcp snooping
dai
ipsg
prevents many types of attacks including MAC table overflow attacks and DHCP starvation attacks.
Port Security
prevents DHCP starvation and DHCP spoofing attacks by rogue DHCP servers.
DHCP spoofing
prevents ARP spoofing and ARP poisoning attacks.
Dynamic ARP Inspection (DAI)
prevents MAC and IP address spoofing attacks
IP Source Guard (IPSG)
If Layer 2 is disrupted by a cyber attack, all layers above it will be affected.
True
It is important to protect Layer 2 by always using secure variants of protocols such as
In addition, ___ should be used to filter unwanted access.
SSH, SCP, and SSL.
ACLs
are available on Cisco switches to directly mitigate Layer 2 attacks.
Port security, DHCP Snooping, DAI, and IP Source Guard
One type of Layer 2 attack floods the switch with frames with __
random MAC source addresses.
___ can quickly overwhelm the MAC table of a switch causing a MAC table overflow exploit.
Threat actor tools such as macof
A simple but effective way to prevent Layer 2 attacks is to
shut down all unused ports.
is a simple way to directly address MAC address overflow attacks.
Port security
attacks enable threat actors to access VLANs that they are not authorized to access.
VLAN hopping and VLAN double-tagging
In ____, a threat actor connects a host computer to a switch and then attempts to negotiate the switchport into becoming a trunk using DTP.
VLAN hopping attacks
In _____, a threat actor adds a false VLAN tag to malicious traffic in addition to the legitimate tag.
VLAN double-tagging attacks
can be vulnerable to PVLAN proxy attacks.
Private VLAN promiscuous ports
PVLAN proxy attacks can be mitigated through the use of
access control lists.
Two types of DHCP attacks are
DHCP starvation and DHCP spoofing.
The goal of the DHCP starvation attack is
DoS for connecting clients.
A ___ occurs when a rogue DHCP server is connected to the network and provides false IP configuration parameters to legitimate clients.
DHCP spoofing attack
Both DHCP attacks are mitigated by implementing
DHCP snooping.
Any host can claim to be the owner of any IP and MAC address.
True
occur when threat actors alter the MAC address of their host to match another known MAC address of a target host.
MAC address spoofing attacks
___, which requires DHCP snooping to be enabled, can mitigate ARP spoofing by ensuring that only valid ARP Requests and Replies are sent into the network.
DAI
is when a rogue PC hijacks a valid IP address of a neighbor, or uses a random IP address.
IP address spoofing
To protect against MAC and IP address spoofing, configure ___. It operates like DAI, but it looks at every packet, not just the ARP packets.
IPSG
is a loop-prevention network protocol that allows for redundancy while creating a loop-free Layer 2 topology.
STP
Threat actors can manipulate the STP to conduct an attack by
spoofing the root bridge and changing the topology of a network.
Cisco switches have a number of STP stability mechanisms such as
PortFast, BPDU Guard, Root Guard, and Loop Guard.
What type of attack occurs when a threat actor sends packets with false MAC or IP addresses?
Address spoofing occurs when a threat actor sends packets that have false MAC or IP addresses.
What type of attack sends false address requests to a server until all addresses are used and none are available for legitimate users?
DHCP attacks include DHCP starvation which is an attack in which false requests are made to a DHCP server until all available addresses are exhausted.
What prevents many types of attacks including MAC table overflow attacks and DHCP starvation attacks?
Port Security prevents many types of attacks including CAM table overflow attacks and DHCP starvation attacks.
What prevents DHCP starvation and spoofing attacks?
DHCP Snooping prevents DHCP starvation and DHCP spoofing attacks.
What prevents MAC and IP address spoofing attacks?
IP Source Guard helps prevent MAC and IP address spoofing attacks.
Which statement describes STP?
STP is used to prevent Layer 2 loops on Ethernet LANs.
Without STP on the Ethernet LAN, which three types of frames could cause a catastrophic loop in the network? (Choose three.)
Without STP enabled, unknown unicast, multicast, and broadcast frames could loop endlessly on the network, causing catastrophic network failure.
What device is elected by the Spanning Tree Algorithm? All other switches determine a single least-cost path to this device.
The STP algorithm elects a root bridge on the LAN. All other switches calculate the lowest cost path to the root bridge.
What is the only type of traffic that is forwarded by a PVLAN protected port to other protected ports?
control
PVLAN protected ports do not exchange any data traffic with other protected ports. The only traffic that is exchanged between protected ports is control traffic generated by network devices.
A network administrator is configuring DAI on a switch with the command ip arp inspection validate src-mac. What is the purpose of this configuration command?
it checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body
DAI can be configured to check for both destination or source MAC and IP addresses:
Destination MAC - Checks the destination MAC address in the Ethernet header against the target MAC address in the ARP body.
Source MAC - Checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body.
IP address - Checks the ARP body for invalid and unexpected IP addresses including addresses 0.0.0.0, 255.255.255.255, and all IP multicast addresses.
What mitigation plan is best for thwarting a DoS attack that is creating a MAC address table overflow?
enable port security
A MAC address (CAM) table overflow attack, buffer overflow, and MAC address spoofing can all be mitigated by configuring port security. A network administrator would typically not want to disable STP because it prevents Layer 2 loops. DTP is disabled to prevent VLAN hopping. Placing unused ports in an unused VLAN prevents unauthorized wired connectivity.
What network attack seeks to create a DoS for clients by preventing them from being able to obtain a DHCP lease?
dhcp starvation
DHCP starvation attacks are launched by an attacker with the intent to create a DoS for DHCP clients. To accomplish this goal, the attacker uses a tool that sends many DHCPDISCOVER messages in order to lease the entire pool of available IP addresses, thus denying them to legitimate hosts.
When security is a concern, which OSI Layer is considered to be the weakest link in a network system?
layer 2
Security is only as strong as the weakest link in the system, and Layer 2 is considered to be that weakest link. In addition to protecting Layer 3 to Layer 7, network security professionals must also mitigate attacks to the Layer 2 LAN infrastructure.
If two switches are configured with the same priority and the same extended system ID, what determines which switch becomes the root bridge?
the layer 2 address with the lowest hexadecimal value
When other factors are equal, the switch with the lowest MAC address will have the lowest BID, and will become the root bridge. STP functions on Layer 2 and does not use IP addressing as a factor.
Which statement describes the behavior of a switch when the MAC address table is full?
it treats frames as unknown unicast and floods all incoming frames to all ports within the local VLAN
When the MAC address table is full, the switch treats the frame as an unknown unicast and begins to flood all incoming traffic to all ports only within the local VLAN.
A cybersecurity analyst is using the macof tool to evaluate configurations of switches deployed in the backbone network of an organization. Which type of LAN attack is the analyst targeting during this evaluation?
MAC address table overflow
Macof is a network attack tool and is mainly used to flood LAN switches with MAC addresses.
What determines which switch becomes the STP root bridge for a given VLAN?
the lowest bridge ID
STP uses a root bridge as a central point for all spanning tree calculations. To select a root bridge, STP conducts an election process. All switches in the broadcast domain participate in the election process. The switch with the lowest bridge ID, or BID, is elected as the root bridge. The BID is made up of a priority value, an extended system ID, and the MAC address of the switch.
What action can a network administrator take to help mitigate the threat of VLAN hopping attacks?
disable automatic trunking negotiation
There are two methods for mitigating VLAN hopping attacks:
disabling automatic trunking negotiation on switchports
turning trunking off on all unused nontrunk switchports
Which two Cisco solutions help prevent DHCP starvation attacks? (Choose two.)
port security
dhcp snooping
Cisco provides solutions to help mitigate Layer 2 attacks including these:
IP Source Guard (IPSG) - prevents MAC and IP address spoofing attacks
Dynamic ARP Inspection (DAI) - prevents ARP spoofing and ARP poisoning attacks
DHCP Snooping - prevents DHCP starvation and DHCP spoofing attacks
Port Security - prevents many types of attacks including MAC table overflow attacks and DHCP starvation attacks
Web Security Appliance (WSA) is a mitigation technology for web-based threats.
What is the only type of port that an isolated port can forward traffic to on a private VLAN?
a promiscuous port
PVLANs are used to provide Layer 2 isolation between ports within the same broadcast domain. The level of isolation can be specified with three types of PVLAN ports:
Promiscuous ports that can forward traffic to all other ports
Isolated ports that can only forward traffic to promiscuous ports
Community ports that can forward traffic to other community ports and promiscuous ports
What additional security measure must be enabled along with IP Source Guard to protect against address spoofing?
dhcp snooping
Like Dynamic ARP Inspection (DAI), IP Source Guard (IPSG) needs to determine the validity of MAC-address-to-IP-address bindings. To do this, IPSG uses the bindings database built by DHCP snooping.