4.4 Sniffing Countermeasures and Detection

Key Takeaways

  • Port security limits or pins MAC addresses per switch port, directly defeating MAC flooding and MAC spoofing.
  • DHCP snooping classifies ports as trusted or untrusted and drops rogue DHCP server responses arriving on untrusted ports.
  • Dynamic ARP Inspection (DAI) validates ARP packets against the DHCP snooping binding table to block forged ARP replies.
  • End-to-end encryption (TLS/HTTPS, SSH, IPsec, VPN) makes captured traffic useless even if interception succeeds — the universal fallback.
  • Promiscuous-mode and ARP-anomaly detection help identify a sniffer or active MITM that prevention controls missed.
Last updated: June 2026

One Switch Feature per Attack

CEH expects you to map each Layer 2 attack to the specific switch control that stops it. This is a high-yield, frequently tested pattern.

Port security mitigates MAC flooding and MAC spoofing. It limits the number of MAC addresses learned per port (e.g., a maximum of one or two) and can pin approved MACs (sticky learning). When the limit is exceeded, or a frame arrives from a MAC that is pinned to a different port, the port takes a violation action: shutdown (err-disable the port), restrict (drop and log), or protect (silently drop). Because MAC flooding relies on injecting thousands of MACs on one port, capping MACs-per-port breaks the attack at its root; pinning a MAC to its port is what defeats spoofing, since the forged frames trigger a violation wherever they appear.

DHCP snooping mitigates rogue DHCP servers and DHCP starvation. The switch classifies ports as trusted (where the legitimate DHCP server lives — typically uplinks) or untrusted (end-host/access ports). DHCP server messages (OFFER/ACK) arriving on an untrusted port are dropped, so an attacker's rogue server can't lease addresses to victims. As a side benefit, DHCP snooping builds a binding table of legitimate IP-MAC-port-VLAN mappings; rate-limiting DHCP requests on untrusted ports also blunts starvation.

  Attack                      Countermeasure
  --------------------------  ------------------------------
  MAC flooding / spoofing     Port security
  Rogue DHCP / starvation     DHCP snooping
  ARP poisoning               Dynamic ARP Inspection (DAI)
  IP spoofing                 IP Source Guard
  Any interception            Encryption (TLS/SSH/IPsec)

DAI, IP Source Guard, and Encryption

Dynamic ARP Inspection (DAI) is the dedicated control for ARP poisoning. DAI inspects every ARP packet on untrusted ports and validates it against the DHCP snooping binding table (and optional static ARP ACLs). If the sender's IP-to-MAC mapping doesn't match a legitimate binding, the forged ARP is dropped and logged, so the attacker cannot insert themselves as a man-in-the-middle. DAI therefore depends on DHCP snooping being enabled first — a relationship CEH likes to test. Hosts with static IP addresses never appear in the snooping table, so they need ARP ACL entries or their legitimate ARP traffic will be dropped too. Trusted ports (switch-to-switch uplinks) bypass inspection to avoid breaking connectivity; only end-host ports should be untrusted.

Rate-limiting ARP on untrusted ports also prevents ARP-flood DoS.

IP Source Guard extends the binding table to block IP spoofing by filtering source IPs that don't match the snooping binding for that port.

The universal fallback — and the answer when a question gives no switch context — is end-to-end encryption. Even if an attacker successfully sniffs or MITMs the traffic, TLS/HTTPS, SSH, IPsec, and VPNs make the captured bytes unreadable and detect tampering. This is why CEH pushes replacing cleartext protocols: use HTTPS over HTTP, SSH over Telnet, SFTP/SCP over FTP, and SNMPv3 over SNMPv1/2. Encryption doesn't prevent interception, but it neutralizes its value. Complementary controls, 802.1X port authentication and network segmentation to shrink the broadcast/MITM domain, are covered under additional hardening below.

Detecting a Sniffer or Active MITM

Prevention can fail, so CEH also covers detecting that someone is sniffing. Pure passive sniffing is hard to detect (the NIC just listens), but several techniques help:

  • Promiscuous-mode detection — a NIC in promiscuous mode hands every frame to the kernel regardless of its destination MAC, so the classic test sends an ICMP echo (or ARP request) carrying the host's correct IP but a bogus destination MAC. A normal NIC discards the frame in hardware; a sniffing host passes it up the stack and answers traffic it should have ignored.
  • ARP-anomaly / MITM detection — monitor for one MAC claiming several IPs, gratuitous-ARP storms, or the gateway IP suddenly resolving to a new MAC. arpwatch keeps an IP-to-MAC database and alerts on changes and flip-flops; IDS/IPS signatures flag ARP poisoning.
  • Switch logs — DAI and port-security violation logs are direct evidence of an attempted Layer 2 attack.
  • Latency and TTL changes — a MITM that forwards at Layer 3 adds a hop, so TTLs arrive one lower; an ARP-level MITM does not change the TTL but can add measurable delay. User-visible signs are certificate warnings when the attacker terminates TLS with a forged certificate, or a site that should be HTTPS suddenly loading over plain HTTP (SSL stripping, which produces no certificate warning precisely because TLS is removed).
  • Honeytokens — planting fake credentials on the wire and alerting if they're ever used reveals an interceptor.
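The ARP-anomaly signals listed above, implemented as an added Python example that is not part of the original page and is not arpwatch's code. It reads ARP replies in the line format printed by `tcpdump -tt -n arp`, seeds a static binding for the gateway (standing in for the DHCP snooping table), and raises the four alerts a practitioner would want: a binding flip, a gateway hijack, one MAC claiming several IPs, and a reply storm. The capture at the bottom, the thresholds and the addresses are constructed for the example.

```python
"""ARP-anomaly detector over ARP replies as printed by `tcpdump -tt -n arp`.

Added example (not from the original page). The rules are a software analogue
of what arpwatch and DAI check for; the sample capture at the bottom is
constructed for the example.
  flip            an IP is advertised with a MAC other than its known binding
  gateway-hijack  the flip rule, escalated, when the IP is the default gateway
  dup-mac         one MAC claims more than one IP (the poisoner's tell-tale)
  arp-storm       more than RATE_LIMIT replies from one MAC inside WINDOW_S
"""
import re
from collections import defaultdict, deque

# tcpdump -tt prints epoch seconds; -n keeps addresses numeric
ARP_REPLY = re.compile(
    r"^(?P<ts>\d+\.\d+) ARP, Reply (?P<ip>[\d.]+) is-at (?P<mac>[0-9a-fA-F:]{17})"
)
RATE_LIMIT = 5     # replies per window tolerated from one MAC (assumed threshold)
WINDOW_S = 2.0     # sliding window, seconds (assumed)


class ArpWatcher:
    def __init__(self, gateway_ip, static_bindings=None):
        self.gateway_ip = gateway_ip
        # Static bindings play the role of the DHCP snooping table: authoritative,
        # never overwritten. Everything else is learned, like arpwatch's database.
        self.static = dict(static_bindings or {})
        self.ip_to_mac = dict(self.static)
        self.mac_to_ips = defaultdict(set)
        for ip, mac in self.ip_to_mac.items():
            self.mac_to_ips[mac].add(ip)
        self.recent = defaultdict(deque)   # mac -> timestamps of its recent replies
        self.reported = set()              # (rule, ip, mac) already alerted on

    def _alert(self, alerts, severity, rule, ip, mac, detail):
        key = (rule, ip, mac)
        if key not in self.reported:       # report each distinct finding once
            self.reported.add(key)
            alerts.append((severity, rule, detail))

    def feed(self, line):
        """Process one capture line; return the list of (severity, rule, detail) alerts."""
        m = ARP_REPLY.match(line)
        if not m:
            return []                      # requests and non-ARP lines carry no claim
        ts, ip, mac = float(m["ts"]), m["ip"], m["mac"].lower()
        alerts = []

        # Rules 1 and 2: has the IP-to-MAC binding changed?
        known = self.ip_to_mac.get(ip)
        if known is None:
            self.ip_to_mac[ip] = mac       # first sighting: learn it
        elif known != mac:
            if ip == self.gateway_ip:
                self._alert(alerts, "high", "gateway-hijack", ip, mac,
                            f"gateway {ip} moved from {known} to {mac}")
            else:
                self._alert(alerts, "medium", "flip", ip, mac,
                            f"{ip} moved from {known} to {mac}")
            if ip not in self.static:
                self.ip_to_mac[ip] = mac   # follow the change, as arpwatch does

        # Rule 3: one MAC answering for several IPs
        claimed = self.mac_to_ips[mac]
        if claimed and ip not in claimed:
            self._alert(alerts, "medium", "dup-mac", ip, mac,
                        f"{mac} now claims {ip} as well as {sorted(claimed)}")
        claimed.add(ip)

        # Rule 4: reply rate from one MAC in a sliding window
        q = self.recent[mac]
        while q and ts - q[0] > WINDOW_S:
            q.popleft()
        q.append(ts)
        if len(q) == RATE_LIMIT + 1:       # fires once as the threshold is crossed
            alerts.append(("medium", "arp-storm",
                           f"{mac} sent {len(q)} replies within {WINDOW_S}s"))
        return alerts


def scan(lines, gateway_ip, static_bindings=None):
    """Run every line through one watcher and return all alerts in order."""
    w = ArpWatcher(gateway_ip, static_bindings)
    return [a for line in lines for a in w.feed(line)]


# Constructed sample: a legitimate gateway (aa:..:01) and host (bb:..:05), then an
# attacker (cc:..:cc) poisoning both sides of the conversation with a burst of
# unsolicited replies.
SAMPLE_CAPTURE = """\
1000.000 ARP, Request who-has 10.0.0.1 tell 10.0.0.5, length 28
1000.001 ARP, Reply 10.0.0.1 is-at aa:aa:aa:aa:aa:01, length 28
1001.000 ARP, Reply 10.0.0.5 is-at bb:bb:bb:bb:bb:05, length 28
1002.000 ARP, Reply 10.0.0.1 is-at cc:cc:cc:cc:cc:cc, length 28
1002.010 ARP, Reply 10.0.0.5 is-at cc:cc:cc:cc:cc:cc, length 28
1002.020 ARP, Reply 10.0.0.1 is-at cc:cc:cc:cc:cc:cc, length 28
1002.030 ARP, Reply 10.0.0.5 is-at cc:cc:cc:cc:cc:cc, length 28
1002.040 ARP, Reply 10.0.0.1 is-at cc:cc:cc:cc:cc:cc, length 28
1002.050 ARP, Reply 10.0.0.5 is-at cc:cc:cc:cc:cc:cc, length 28
"""
GATEWAY = "10.0.0.1"
STATIC = {GATEWAY: "aa:aa:aa:aa:aa:01"}   # e.g. pinned from the DHCP snooping table

if __name__ == "__main__":
    for severity, rule, detail in scan(SAMPLE_CAPTURE.splitlines(), GATEWAY, STATIC):
        print(f"[{severity:6}] {rule:15} {detail}")
```

Run against a live interface with `tcpdump -tt -n -l arp | python3 arpwatch_lite.py` after replacing the sample with `sys.stdin`. The gateway binding is deliberately static so that repeated poisoning of the gateway keeps being judged against the real MAC, which mirrors how DAI treats the binding table; learned hosts follow changes the way arpwatch does and are reported once per distinct change.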

A defense-in-depth checklist for the exam: enable port security, DHCP snooping, DAI, and IP Source Guard on access ports; encrypt everything end-to-end; segment the network; deploy IDS/IPS with ARP-spoofing signatures; and monitor switch violation logs and arpwatch alerts. When a question pairs a single attack with a single best control, pick the precise mapping (MAC flood→port security, rogue DHCP→DHCP snooping, ARP poison→DAI); when it asks how to protect data despite interception, pick encryption.

Layering the Controls and Avoiding Traps

These switch features are complementary and ordered, and CEH tests the dependencies:

  1. Port security first — caps MACs per access port (stops MAC flooding/spoofing).
  2. DHCP snooping next — trust the uplink, distrust access ports, drop rogue DHCP, and build the binding table.
  3. Dynamic ARP Inspection next, which requires the snooping binding table to validate ARP and stop poisoning.
  4. IP Source Guard — also leans on the binding table to stop IP spoofing.
  5. Encryption everywhere — the backstop if anything slips through.
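The layered build-out above, covering the controls introduced in "One Switch Feature per Attack" and "DAI, IP Source Guard, and Encryption", as an added Cisco IOS configuration example that is not from the original page. The interface names, VLAN 10, the rate limits, the two-MAC limit and the restrict violation mode are assumptions; exact command syntax varies slightly across Catalyst generations, so check it against the platform's documentation.

```cisco
! --- Global: DHCP snooping first; DAI and IP Source Guard validate against its binding table ---
ip dhcp snooping
ip dhcp snooping vlan 10
! Option 82 insertion is on by default; disable it unless the DHCP server expects it
no ip dhcp snooping information option
ip arp inspection vlan 10
! Also sanity-check the Ethernet and ARP header fields, not just the binding
ip arp inspection validate src-mac dst-mac ip
! Let err-disabled ports recover on their own after 5 minutes (assumed interval)
errdisable recovery cause psecure-violation
errdisable recovery cause arp-inspection
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 300
!
! --- Uplink toward the legitimate DHCP server: trusted, so it is never inspected ---
interface GigabitEthernet1/0/48
 description UPLINK-TO-DISTRIBUTION
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! --- End-host access port: untrusted by default, so every control applies ---
interface GigabitEthernet1/0/1
 description USER-PORT
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation restrict
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
 ip verify source
 spanning-tree portfast
!
! --- Unused ports: shut and parked in a VLAN that routes nowhere ---
interface range GigabitEthernet1/0/20 - 47
 switchport mode access
 switchport access vlan 999
 shutdown
```

Verify the dependency chain in the order it is built: `show ip dhcp snooping binding` must list the access-port hosts before DAI and IP Source Guard can pass their traffic, `show ip arp inspection statistics vlan 10` counts forged ARPs dropped, `show port-security interface GigabitEthernet1/0/1` shows learned sticky MACs and violation counts, and `show ip verify source` confirms the source-IP filter is active. `ip verify source` filters on IP only; platforms that support it can add the MAC check (`ip verify source port-security` on older Catalyst code) so a host cannot pair its own IP with a forged MAC.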

The single most common trap: candidates pick DAI for a rogue DHCP problem or DHCP snooping for an ARP problem. Keep the mapping crisp — rogue DHCP/starvation → DHCP snooping, ARP poisoning → DAI, MAC flooding → port security, IP spoofing → IP Source Guard, interception of secrets → encryption.

Additional hardening CEH may reference: disable unused ports and put them in an unused VLAN; VLAN segmentation and private VLANs to shrink the broadcast/MITM domain; 802.1X network access control so only authenticated devices connect; static ARP entries for critical gateways/servers; and DHCP rate-limiting on untrusted ports.

For detection that complements prevention, remember the sniffer-hunting signals: a NIC answering traffic addressed to a wrong MAC but correct IP (promiscuous-mode test), duplicate-MAC / gratuitous-ARP anomalies (arpwatch, IDS signatures), switch violation logs from port security and DAI, and honeytokens that fire when fake credentials placed on the wire are reused.

Test Your Knowledge

  1. Which switch feature validates ARP packets against the DHCP snooping binding table to block forged ARP replies?

  2. An organization cannot prevent every interception attempt on a shared LAN. Which control best ensures captured traffic is useless to an attacker?

  3. A switch port is suddenly seeing dozens of distinct source MAC addresses. Which control would have prevented the underlying MAC flooding attack?