CompTIA Network+ Domain 4: Network Security

Forged ARP replies poison hosts' ARP caches so traffic flows through the attacker — a classic on-path setup.

• ADNS poisoning corrupts name-to-IP resolution. This attack manipulates IP-to-MAC mappings instead.
• CVLAN hopping uses tagging/double-tagging to reach another VLAN — it doesn't forge ARP gateway mappings.
• DMAC flooding overflows the switch CAM table to force flooding. Related to switching, but not ARP forgery.

IEEE 802.1X authenticates a device/user at the port (via a RADIUS server) before granting network access.

• B802.11ac is a Wi-Fi throughput standard, not an authentication framework.
• C802.3 is the Ethernet standard family; it doesn't define port authentication.
• D802.1Q is VLAN tagging, unrelated to authenticating devices at the port.

Anything not explicitly allowed is denied by default — the implicit deny that closes an ACL.

• BThat's the opposite — explicitly permitting traffic. The question asks about the default for everything else.
• CStateful inspection tracks connection state; it isn't the catch-all deny rule.
• DPort forwarding redirects inbound traffic to an internal host — unrelated to default deny.

A deceptive message impersonating a trusted source to harvest credentials is textbook phishing.

• BSQL injection targets a database through application input, not a user's inbox.
• CDoS overwhelms a service to make it unavailable; it doesn't trick a user into giving up a password.
• DARP spoofing manipulates Layer 2 address mappings — a technical on-path attack, not an email lure.

Forged gratuitous ARP replies bind the attacker's MAC to the gateway IP in victim tables, placing the attacker on-path to intercept and relay traffic exactly as captured.

• AMAC flooding forces a switch to fail open and broadcast frames out all ports, but it does not rewrite host gateway-to-MAC mappings the way this capture shows.
• BDNS poisoning corrupts name-to-IP records inside a resolver's cache; the symptom here is a falsified IP-to-MAC binding for the gateway, which is an ARP-layer problem.
• DA rogue DHCP server changes the gateway address clients are leased, but here the legitimate gateway IP is intact and only its MAC mapping was forged, indicating ARP abuse.

DHCP snooping classifies ports as trusted or untrusted and drops server-sourced DHCP messages from untrusted ports, blocking the rogue router while permitting the legitimate uplink server replies.

• BDynamic ARP inspection validates ARP packets against the snooping binding table to stop ARP spoofing, but it does not by itself filter unauthorized DHCP server offers.
• CPort security caps how many MAC addresses a port may learn to stop MAC flooding, yet it cannot distinguish a rogue DHCP server's offers from normal client traffic.
• D802.1X authenticates a device before granting network access, but an already-authenticated or unmanaged port could still host a rogue DHCP server, so it does not directly filter offers.

Zero trust assumes no implicit trust by location and continuously verifies every user and device, granting least-privilege access per session to defined resources exactly as described.

• AA perimeter model assumes anything inside the firewall is trustworthy, which is precisely the implicit-trust assumption the architect is deliberately eliminating in this redesign.
• BDefense in depth layers many controls for redundancy, but it does not by definition remove implicit internal trust or mandate continuous per-request verification of identity.
• CLeast privilege limits the rights each identity holds, yet on its own it still permits location-based implicit trust and is only one component of the model described.

802.1X has the supplicant authenticate through the switch authenticator to a RADIUS server, keeping the port unauthorized until credentials are verified, which matches the lobby requirement precisely.

• AAn ACL filters traffic by IP, port, or protocol after a device is already on the network, but it cannot authenticate a device's identity before opening the port.
• CSticky MAC port security binds a port to learned hardware addresses, which are easily spoofed and provide no real credential check, so it does not authenticate device identity.
• DA screened subnet isolates exposed services behind firewalls but performs no per-device identity authentication at the access port, so it cannot gate connections by credential.

An evil twin clones a trusted SSID and presents a stronger signal so clients associate to the attacker, who then captures the credentials they submit, matching every detail described.

• BA deauth attack forcibly disconnects clients by spoofing management frames, but it does not by itself broadcast a duplicate SSID or harvest the credentials users type in.
• CBrute-forcing a PSK works offline against a captured four-way handshake to recover the passphrase, which is unrelated to a parking-lot AP impersonating the SSID to steal logins.
• DBluejacking pushes unsolicited messages over Bluetooth to devices in range and has nothing to do with a duplicate Wi-Fi SSID luring clients to harvest their credentials.

Separation of duties divides a sensitive workflow so that submission and approval require different individuals, ensuring no single person can act alone, exactly as the change process requires.

• ALeast privilege limits how much access any single identity holds, but it would not stop one fully authorized engineer from both submitting and approving the very same change.
• CDefense in depth stacks redundant technical and physical safeguards for resilience, but it does not specifically mandate that approval be performed by someone other than the submitter.
• DImplicit deny is a default-block stance applied to traffic or permissions rules, and it says nothing about dividing a change task between two separate human roles.

Dynamic ARP Inspection intercepts ARP packets on untrusted ports and drops any whose IP-to-MAC binding conflicts with the DHCP snooping table, stopping ARP spoofing precisely as described.

• AMAC filtering permits or blocks ports based on a static list of hardware addresses, but it cannot validate the IP-to-MAC pairings inside ARP packets against any binding table.
• BPrivate VLANs restrict which ports can talk to each other within a subnet, yet they do not examine ARP packet contents or compare them to DHCP snooping bindings.
• DPort mirroring copies frames to a monitoring sensor for passive analysis, but it only observes and never discards forged ARP replies, so it cannot actively block the attack.

Spoofing the victim's IP and sending small queries to open resolvers that return much larger replies reflects and amplifies traffic onto the victim, exactly matching the saturation observed.

• ACache poisoning injects forged name-to-IP records so users are misdirected, but it does not flood a target's bandwidth with unsolicited large responses from many third-party resolvers.
• BA SYN flood ties up TCP state with half-open handshakes, whereas the described traffic is spoofed-source DNS queries reflected off resolvers, which is a different volumetric mechanism.
• CAn on-path attacker would sit between client and resolver to read or modify answers, but here the resolvers are unwitting third parties reflecting traffic, not an interception point.

A honeypot is a deliberately exposed decoy holding no real value, designed to attract intruders so defenders can observe their behavior and collect intelligence, matching the described setup exactly.

• BA screened subnet, or DMZ, segments internet-facing servers from the internal network behind firewalls, but it hosts genuine production services rather than acting as bait for attackers.
• CA jump box is a hardened intermediary administrators connect through to reach sensitive systems, serving a legitimate management role and not functioning as a decoy meant to attract intruders.
• DAn air gap removes any network connection between systems to prevent compromise, which is the opposite of intentionally exposing a baited host that invites attackers to interact with it.

MAC spoofing changes a NIC's hardware address to match an approved one, defeating address-based port filtering and impersonating the trusted device, which is precisely the technique described here.

• AARP poisoning sends forged ARP replies binding the attacker's hardware address to another host's IP for on-path interception, which differs from cloning an approved device's address to pass filtering.
• CMAC flooding sends countless bogus source addresses to exhaust the switch CAM table and force fail-open flooding, a denial tactic unrelated to copying one specific authorized hardware address.
• DIP spoofing falsifies the layer-three source address in packets, but the attack described manipulates the layer-two hardware address to defeat MAC filtering, so the wrong layer is involved.

EAP-TLS performs mutual authentication where the server and each supplicant present digital certificates and no password crosses the link, exactly meeting the policy's requirement for two-way certificate validation.

• APEAP builds a TLS tunnel using only a server certificate and then authenticates the user with an inner password method, so clients are not required to present their own certificates.
• BEAP-MD5 simply hashes a password against a challenge, provides no certificates and no server authentication, leaving it unsuitable for the mutual certificate-based scheme the policy demands.
• DMAC Authentication Bypass admits endpoints that cannot do 802.1X by checking their hardware address, offering no certificates or mutual proof and therefore failing the certificate-based requirement entirely.

Control plane policing applies QoS policers to packets destined for the device's own control plane, capping their rate so floods cannot exhaust the CPU, exactly addressing the spikes described.

• AStorm control limits broadcast, multicast, and unknown-unicast volume on a switch port to contain layer-two storms, but it does not police the traffic punted to a router's CPU.
• BPort security restricts how many hardware addresses may appear on an access port, an access-control measure that does nothing to throttle control-plane traffic reaching the router processor.
• CA transit ACL permits or denies packets passing through the router between networks, yet it is not designed to rate-limit the traffic specifically destined to the control plane.