Mitigating an ARP-Spoofing Attack

A high number of ARP spoofing attacks would be mitigated by:
A) ACLs

Subnetting
C) Flood guards
D) VLANS

The answer is 'C', but I'm wondering if this is an error - shouldn't the answer be 'D'?

For example:
"A typical application for a private VLAN is a hotel or Ethernet to the home network where each room or apartment has a port for Internet access. Similar port isolation is used in Ethernet-based ADSL DSLAMs. Allowing direct data link layer communication between customer nodes would expose the local network to various security attacks, such as ARP spoofing, as well as increasing the potential for damage due to misconfiguration."
Source: Private VLAN - Wikipedia, the free encyclopedia

Here's a similar question that also indicates the answer is Flood guards: http://class10e.com/CompTIA/which-of-the-following-design-elements-would-mitigate-arp-spoofing-attacks/

Find more posts tagged with

Comments

ptilsen

Both C and D are incorrect, or are not the best answer.

C is to mitigate against MAC flooding attacks. ARP spoofing need not be done with MAC flooding, and flood guards are not an effective mitigation for all ARP spoofing attacks.

D is never a mitigation technique. VLANs allow segmented broadcast domains within physical switches. This can provide a number of great advantages, but not security specifically. The thing to remember is that VLANs in and of themselves are not subnetting. Private VLANs, however, are unique in that they provide per-host subnetting, which is absolutely a security feature and mitigates ARP spoofing, specifically. Private VLANs is a valid answer, but VLANs is not.

In my opinion B is far and away the best answer. Subnetting limits ARP spoofing to only the nodes on a given subnet. The threat is not eliminated since ARP spoofing can still be carried out against each subnet, but because subnetting limits its impact it is an effective mitigation technique. Private VLANs are an extremely effective mitigation technique because they make ARP spoofing no more effective than a simple wire tap, and when implemented on all ports it could be argued that Private VLANs eliminate the threat. However, Private VLANs is not an answer and "plain" VLANs are not of themselves a mitigation technique, so subnetting would still be the best answer.

For the question in the link you posted, flood guards is the best answer because they prevent MAC flooding which can be used for spoofing.

SecurityThroughObscurity

C is correct, partially.
To perform ARP spoofing you need to flood a target with fake arp-responses.
Subnetting won't help, you can still spoof a victim inside this subnet.

teancum144

SecurityThroughObscurity wrote: »

C is correct, partially.
To perform ARP spoofing you need to flood a target with fake arp-responses.
Subnetting won't help, you can still spoof a victim inside this subnet.

Interesting, thank you. After reading your reply, I found this short (2 minute) YouTube video:
3hacks : ARP Flood (zombie host) - YouTube
Is this an example of what you are talking about? This attack appears to be using ARP spoofing to flood the victim with ARP replies.

ptilsen, I found your reply very informative. Do you believe this scenario could be what the question is inferring? The question does say a "high number of ARP spoofing attacks". I realize this is a very specific type of ARP spoofing attack, but I found two different sources with a similarly worded question and both had "Flood Guards" as the answer.

ptilsen

Flooding is one way to implement an ARP spoofing attack, and as such flood guards eliminate some forms of ARP spoofing threats. Subnetting mitigates against all forms of ARP spoofing by limited their impact. Flood guards is not an incorrect answer, in my opinion, just not the best one.