During an investigation of sudden connectivity drops on a switched LAN, you review a live packet capture. You repeatedly see unsolicited ARP reply frames advertising that 192.168.10.1 is at 00:11:22:33:44:55, even though earlier captures mapped that IP to the router's MAC 00:aa:bb:cc:dd:ee. Which observation in the trace is the clearest evidence that an ARP cache-poisoning attack is in progress?
Burst of DHCP DISCOVER and OFFER exchanges with conflicting lease times for the 192.168.10.0/24 scope.
A sudden spike of TCP RST packets between clients and the router immediately before the outages begin.
Multiple ARP reply frames arrive without any matching earlier ARP requests, each asserting a new MAC address for the router's IP.
Frequent ICMP redirect messages pointing hosts to an alternate default gateway on the same subnet.
The hallmark of an ARP cache-poisoning attack is the presence of forged ARP replies that change the normal IP-to-MAC binding. In legitimate ARP operation a host sends a request, receives a reply, and the resulting binding stays consistent over time. Repeated, unsolicited replies (gratuitous ARPs) that claim the same IP address now resides at a different MAC strongly suggest an attacker is force-updating host caches to redirect traffic. DHCP, ICMP, or TCP artefacts do not manipulate the Layer-2 address resolution process and therefore are weaker or irrelevant indicators in this context.
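The detection rule in the explanation, replies with no matching request that contradict a previously learned binding, can be applied mechanically to a capture. The following is an added example, not part of the original question or its answer key; it runs over a constructed set of ARP frames (the addresses are the ones named in the question, the timestamps and client hosts are assumed) and flags exactly the pattern the explanation describes.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ArpFrame:
    """Minimal view of one ARP frame as a capture tool would decode it."""
    ts: float          # capture timestamp in seconds
    op: str            # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str
    target_mac: str


# Constructed sample trace (not a real capture): one solicited exchange that
# learns the router's MAC, followed by three unsolicited replies that rebind
# the router's IP to a different MAC, as in the question.
SAMPLE_FRAMES = [
    ArpFrame(0.00, "request", "192.168.10.50", "00:50:56:aa:bb:01", "192.168.10.1", "00:00:00:00:00:00"),
    ArpFrame(0.01, "reply", "192.168.10.1", "00:aa:bb:cc:dd:ee", "192.168.10.50", "00:50:56:aa:bb:01"),
    ArpFrame(5.00, "reply", "192.168.10.1", "00:11:22:33:44:55", "192.168.10.50", "00:50:56:aa:bb:01"),
    ArpFrame(7.00, "reply", "192.168.10.1", "00:11:22:33:44:55", "192.168.10.51", "00:50:56:aa:bb:02"),
    ArpFrame(9.00, "reply", "192.168.10.1", "00:11:22:33:44:55", "192.168.10.50", "00:50:56:aa:bb:01"),
]


@dataclass
class Alert:
    ts: float
    ip: str
    expected_mac: Optional[str]   # binding learned from a solicited reply, if any
    claimed_mac: str
    unsolicited: bool


def analyse(frames: List[ArpFrame], window: float = 2.0) -> List[Alert]:
    """Replay ARP frames in time order and flag suspicious replies.

    A reply is solicited if a matching request (same requester/target pair)
    was seen within `window` seconds. Bindings are learned only from solicited
    replies; any later reply that contradicts a learned binding is an alert.
    """
    pending: Dict[Tuple[str, str], float] = {}   # (requester_ip, target_ip) -> request ts
    bindings: Dict[str, str] = {}                # ip -> mac learned from solicited reply
    alerts: List[Alert] = []

    for f in sorted(frames, key=lambda x: x.ts):
        if f.op == "request":
            pending[(f.sender_ip, f.target_ip)] = f.ts
            continue

        # For a reply, the requester is the reply's target and the answered IP its sender.
        req_ts = pending.pop((f.target_ip, f.sender_ip), None)
        solicited = req_ts is not None and (f.ts - req_ts) <= window
        expected = bindings.get(f.sender_ip)

        if expected is None:
            if solicited:
                bindings[f.sender_ip] = f.sender_mac      # normal request/reply: learn it
            else:
                alerts.append(Alert(f.ts, f.sender_ip, None, f.sender_mac, True))
        elif expected != f.sender_mac:
            alerts.append(Alert(f.ts, f.sender_ip, expected, f.sender_mac, not solicited))

    return alerts


def poisoning_suspected(alerts: List[Alert], min_count: int = 2) -> bool:
    """True when some IP gets at least `min_count` unsolicited replies that
    contradict a learned binding: the pattern the question describes."""
    counts: Dict[str, int] = {}
    for a in alerts:
        if a.unsolicited and a.expected_mac is not None:
            counts[a.ip] = counts.get(a.ip, 0) + 1
    return any(c >= min_count for c in counts.values())


if __name__ == "__main__":
    found = analyse(SAMPLE_FRAMES)
    for a in found:
        print(f"t={a.ts:.2f} {a.ip}: expected {a.expected_mac}, got {a.claimed_mac}, "
              f"unsolicited={a.unsolicited}")
    print("ARP poisoning suspected:", poisoning_suspected(found))
```

Two caveats when using this on real traffic. A legitimate gateway can also announce a new MAC without a request (for example after a first-hop redundancy failover), so in production the rule is usually paired with an allow-list of known gateway MACs or with a switch's DHCP-snooping binding table rather than treated as a standalone verdict. And the other options in the question (DHCP bursts, TCP resets, ICMP redirects) would never produce an alert here, because none of them is an ARP frame that changes an IP-to-MAC binding.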