312-50V13 · Question #523
In a large organization, a network security analyst discovered a series of packet captures that seem unusual. The network operates on a switched Ethernet environment. The security team suspects that a
The correct answer is B. The attacker might be implementing MAC flooding to overwhelm the switch's memory. Explanation MAC flooding is the most viable technique for sniffing traffic on a switched network, because switches normally forward traffic only to the intended port based on their MAC address table (CAM table). By flooding the switch with thousands of fake MAC addresses, the att
Question
Options
- AThe attacker might be compromising physical security to plug into the network directly
- BThe attacker might be implementing MAC flooding to overwhelm the switch's memory
- CThe attacker is probably using a Trojan horse with in-built sniffing capability
- DThe attacker might be using passive sniffing, as it provides significant stealth advantages
How the community answered
(39 responses)- A5% (2)
- B79% (31)
- C3% (1)
- D13% (5)
Explanation
Explanation
MAC flooding is the most viable technique for sniffing traffic on a switched network, because switches normally forward traffic only to the intended port based on their MAC address table (CAM table). By flooding the switch with thousands of fake MAC addresses, the attacker can exhaust the CAM table's memory, causing the switch to fail open and broadcast all traffic to every port - effectively turning it into a hub, which the attacker's sniffer can then capture.
Option A (physical compromise) is plausible in general but describes a physical access attack, not a sniffing technique specific to switched environments - the question asks about the method used within the switched network context. Option C (Trojan horse) is a malware delivery method, not a network-level sniffing technique relevant to the switched topology. Option D is incorrect because passive sniffing only works on hub-based networks where traffic is broadcast naturally; on a switched network, passive sniffing alone would only capture traffic destined for the attacker's port.
Memory Tip: Think of MAC flooding as "confusing the switch into acting like a hub" - remember "Flood the table, sniff the cable." Whenever you see switched network + sniffing, think CAM table overflow = MAC flooding.
Topics
Community Discussion
No community discussion yet for this question.