Exam SY0-601 topic 1 question 149 discussion

Answer: MAC flooding The question mentions that the table is on Layer 2 which is the Data link layer. The data-link layer is where switches operates on to move traffic. Switches will use MAC addresses to find the physical address of the device. This is because the Layer 2 address(MAC Address) will be unique on the local network. MAC flooding is a cyber attack that overflows the MAC Table (Layer 2 Table) of switches by sending out invalid MAC addresses. When a MAC Address table is full, the switch is no longer able to save new addresses, so it will enter into fail-open mode and begin broadcasting data (like a hub) to all ports. This will allow an attacker to get data packets intended for another computer and be able to steal sensitive information.

Took the exam today and passed with a 775. About 90% of the questions are from this dump. This question is in the exam.

while the question leads you to MAC flood (because of hundreeds of records), the question says - attacher was able to capture traffic between endpoints. MAC flooding will not allow you to do that. MAC flood is a DoS attack. while arp poisoning is exactly the method allowing an attacker to capture traffic (spoof an IP). this again utilises L2 (where ARP resides) not quite clear if the question is asking us what type of attack allows us to pretent and catpure traffic, or what type of attach creates hundreds of records in the arp table on a switch

In MAC flooding (also known as MAC address table overflow attack), an attacker sends a large number of frames to a network switch with fake source MAC addresses, causing the switch's MAC address table to become full. When the MAC address table is full, the switch will operate in "fail-open" mode and start broadcasting traffic to all ports instead of sending it only to the appropriate port, effectively turning it into a hub-like behavior. This allows the attacker to capture network traffic from multiple workstations on the network, as mentioned in the scenario.

Based on the provided information, the attack that MOST likely occurred is MAC flooding, as the Layer 2 address table has hundreds of entries that are overwhelming the switch's ability to forward frames efficiently. This is a common technique used in denial-of-service (DoS) attacks, where the attacker floods the switch's MAC address table with fake addresses, causing it to slow down or stop forwarding frames altogether. SQL injection and DNS spoofing are application layer attacks, while ARP poisoning involves modifying ARP tables to redirect network traffic.

The attack that has most likely occurred is MAC flooding. MAC flooding is a type of network attack that involves sending a large number of frames with different source MAC addresses to a switch. This causes the switch to flood its address table and forward all traffic to all ports, allowing an attacker to collect network traffic between workstations throughout the network.

Hundreds of entries, I would assume its flooding

All the other answers involve an attack that changes data that is already present this question states that there are hundreds of entries indicating flooding.

Mac Flooding "Layer 2.."