Sniffing

Correct Answer: DNS poisoning targeting the local DNS cache servers in those branch offices

In this scenario, the most likely attack technique is DNS poisoning targeting the local DNS cache servers in those branch offices. Key indicators pointing to DNS poisoning: 1. Intermittent connection failures occurring only in certain branch offices 2. DNS resolution returning incorrect IP addresses 3. The issue only affects users in specific geographic locations 4. Recent phishing emails about an "urgent intranet update" with attachments (likely containing malware to facilitate the attack) DNS poisoning (or DNS cache poisoning) occurs when an attacker corrupts a DNS cache server to return fraudulent IP addresses. This matches the symptoms exactly - only certain geographic locations are affected because only specific local DNS cache servers have been compromised. The other options are less likely: BGP hijacking would typically affect larger network segments and would not be as geographically selective as described. It's also more complex to execute and would likely cause more widespread issues. The sophisticated MitM attack with DNS spoofing and SSL stripping is overly complex for what's described. While possible, the symptoms point more clearly to simple DNS cache poisoning rather than this multi-layered attack. DNS zone transfer exploitation would require compromising the authoritative DNS servers, which would likely cause more widespread issues across all geographic locations rather than just specific branch offices.

Correct Answer: Copying a legitimate MAC address to gain unauthorized network access

A MAC cloning attack primarily involves copying or duplicating a legitimate MAC address that has been authorized on a network, then using this copied address to gain unauthorized access to that network. This technique allows an attacker to bypass MAC filtering security measures by impersonating a device that's already been granted network access. The attacker essentially spoofs their device's MAC address to match one that's already approved on the target network. The other options describe different attack techniques: - Overloading switch MAC tables describes a MAC flooding attack, which aims to overwhelm the switch's MAC address table capacity, potentially forcing it into a hub-like state where it broadcasts packets to all ports. - Creating multiple virtual MAC addresses from a single physical address is not a standard attack technique but rather describes something closer to MAC virtualization used in legitimate network configurations. - Intercepting and modifying MAC address resolution messages describes something more akin to ARP poisoning/spoofing, which operates at a different layer and focuses on manipulating the address resolution protocol rather than simply copying MAC addresses.

Correct Answer: By sending falsified ARP messages to associate the attacker's MAC address with a legitimate IP address

ARP poisoning attacks work by sending falsified ARP messages across a network to associate the attacker's MAC address with the IP address of a legitimate system (like a gateway or server). This allows the attacker to intercept, modify, or stop data in transit. The first option correctly describes the fundamental mechanism of ARP poisoning - the attacker sends fake ARP messages to link their MAC address with a legitimate IP address, allowing them to intercept traffic. The second option is incorrect because ARP poisoning doesn't require flooding the network with requests - it's a targeted attack that only needs to send specific falsified messages. The third option is incorrect because ARP poisoning doesn't permanently modify TCP/IP configurations - it temporarily manipulates ARP tables which map IP addresses to MAC addresses. The fourth option is incorrect because ARP poisoning doesn't use ICMP packets. The attack specifically targets and manipulates the Address Resolution Protocol (ARP), not the Internet Control Message Protocol (ICMP).