CompTIA Security+ (SY0-601) — Question 578

A server administrator is reporting performance issues when accessing all internal resources. Upon further investigation, the security team notices the following:

• A user's endpoint has been compromised and is broadcasting its MAC as the default gateway's MAC throughout the LAN.
• Traffic to and from that endpoint is significantly greater than all other similar endpoints on the LAN.
• Network ports on the LAN are not properly configured.
• Wired traffic is not being encrypted properly.

Which of the following attacks is most likely occurring?

Answer options

Correct answer: C

Explanation

The correct answer is ARP poisoning: the compromised endpoint is impersonating the default gateway by broadcasting its own MAC address as the gateway's MAC, which is typical ARP poisoning behavior. DDoS refers to overwhelming a service, which does not match this scenario. MAC flooding involves overwhelming a switch with MAC addresses, and DHCP snooping deals with securing DHCP; neither directly aligns with the described issue.