Which statement matches the anti-spoofing example described in the requirements?

• A. Block traffic originating from the Internet with an internal source address.
• B. Block traffic originating from the Internet with a public source address.
• C. Allow traffic from the Internet with an internal source address.
• D. NAT alone is sufficient to prevent spoofed traffic.

Answer: (A)

Anti-spoofing at the network edge relies on filtering traffic so that packets from the Internet cannot pretend to come from internal, non-routable addresses. Internal (private) addresses are not valid on the public Internet, so if a packet arriving on the Internet-facing interface carries one of those internal source addresses, it’s almost certainly spoofed or misconfigured. Dropping such traffic stops attackers from masquerading as internal devices and helps protect the inside network from spoofing-based attacks. NAT by itself doesn’t prevent this, since translation doesn’t validate the authenticity of the source on the path, and allowing or blocking based on public addresses would either let spoofed packets through or block legitimate traffic. In practice, anti-spoofing filters on the edge drop inbound packets with internal sources on the Internet-facing interface, sometimes complemented by path-aware checks like strict uRPF.