Quiz Entry - updated: 2026.07.05
What are IP and MAC address spoofing attacks, and how does IP Source Guard (IPSG) prevent them?
IP (Internet Protocol) spoofing uses another device's IP address to impersonate it. MAC (Media Access Control) spoofing changes the attacker's MAC to match a target's, causing the switch to forward the target's traffic to the attacker. IPSG (IP Source Guard) filters traffic based on the DHCP (Dynamic Host Configuration Protocol) snooping binding table, blocking spoofed addresses.
IP Address Spoofing:
- Attacker configures their device with a valid IP belonging to another device on the subnet
- Difficult to mitigate when used inside the same subnet (same broadcast domain)
- Used for: impersonation, bypassing IP-based access controls, hiding attack source
MAC Address Spoofing:
- Attacker changes their NIC (Network Interface Card)'s MAC address to match a known legitimate device
- The switch updates its CAM (Content Addressable Memory) table: the legitimate device's MAC now points to the attacker's port
- Frames destined for the legitimate device are now sent to the attacker
- The attacker must continuously send frames to keep the switch's table pointing to their port
Why there's no native Layer 2 verification:
- Switches have no built-in mechanism to verify the source of MAC addresses
- They simply trust whatever source MAC appears in a frame
- This fundamental trust is what makes MAC spoofing possible
IP Source Guard (IPSG) mitigation:
- Enabled per-port on untrusted access ports
- Checks every packet's source IP against the DHCP snooping binding table
- Packets from IPs not in the binding table → dropped
- Can also verify source MAC:
ip verify source port-security
Go deeper:
IP address spoofing (Wikipedia) — forging the source IP, the attack IPSG filters against the snooping binding table.
MAC spoofing (Wikipedia) — changing the NIC MAC and why it only works within the local segment.