Which statement best describes anti-spoofing measures?

• A. Anti-spoofing measures are optional if NAT is used.
• B. Anti-spoofing measures rely on internal IP addresses only.
• C. Implement anti-spoofing measures to detect and block forged source IP addresses from entering the network.
• D. Anti-spoofing measures block all traffic from private IP ranges.

Answer: (C)

Anti-spoofing measures ensure that the source IP address on inbound packets is legitimate and matches the network path the packet should have taken. By configuring devices to perform ingress filtering and validate that a packet’s source IP is reachable via the interface it arrives on (and along the correct routing path), you can detect and drop packets with forged source addresses. This directly prevents attackers from masquerading as trusted hosts or using spoofed addresses to bypass controls or conduct attacks. NAT doesn’t solve this problem on its own; translating addresses does not verify who sent the traffic, so anti-spoofing is still needed. It isn’t about blocking all private IP ranges, since legitimate internal traffic uses those addresses; the goal is to stop forged source addresses from entering the network regardless of whether they’re private or public.