What mechanism prevents poisoning attacks on the DHCP database?

The correct answer is DHCP Snooping, which is a security feature that helps protect against unauthorized DHCP servers and various types of attacks, including DHCP database poisoning. DHCP Snooping acts as a gatekeeper by filtering DHCP messages between clients and servers in a network. It ensures that only trusted DHCP servers can send legitimate DHCP responses to clients.

When enabled, DHCP Snooping maintains a binding table that contains information about which MAC addresses were assigned which IP addresses. This helps prevent malicious users from injecting false DHCP offers that could redirect traffic or compromise device configurations. By only allowing DHCP messages from predetermined trusted sources, it effectively reduces the risk of man-in-the-middle attacks and helps maintain an accurate and secure DHCP database.

The other options do not offer protection focused specifically on DHCP-related vulnerabilities. For instance, ARP Broadcast is related to the Address Resolution Protocol and does not directly address DHCP security issues. Switch Spoofing pertains to methods attackers might use to compromise switches, but it doesn’t specifically target DHCP database integrity. The 6to4 option is a technique for transmitting IPv6 packets over an IPv4 network and is not related to DHCP security at all. Thus, DHCP Snooping is the most relevant and effective mechanism to prevent poisoning attacks on the DHCP database.
