Dynamic ARP Inspection mitigates man-in-the-middle attacks that rely on ARP spoofing or ARP poisoning. In an ARP poisoning attack, the attacker sends false ARP messages so victims associate the attacker's MAC address with a legitimate IP address, such as the default gateway. Traffic is then redirected through the attacker. DAI counters this by validating ARP packets, usually against the DHCP snooping binding database, and dropping invalid ARP messages on untrusted ports. It is not a worm, malware scanner, or DDoS control. Cisco CCNA 200-301 v1.1 Security Fundamentals tests DAI as a campus access-layer protection because ARP itself has no built-in authentication. The mitigation works best when DHCP snooping is enabled and trusted ports are limited to infrastructure links. The attack category that best fits ARP spoofing is man-in-the-middle, since the attacker positions itself between communicating devices. Therefore, D is correct.
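The validation decision described above, as a simplified Python model added here for illustration (not part of the original explanation and not Cisco's implementation). The port names, addresses and binding rows are constructed sample data, and the last case shows why trusted ports should be limited to infrastructure links.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    """One row of a DHCP snooping binding table (constructed sample fields)."""
    ip: str
    mac: str
    vlan: int

@dataclass(frozen=True)
class ArpPacket:
    sender_ip: str
    sender_mac: str
    vlan: int
    ingress_port: str

# Constructed sample data: two DHCP clients on VLAN 10, one trusted uplink.
# The gateway 10.0.10.1 is statically addressed, so it has no DHCP binding.
BINDINGS = [
    Binding("10.0.10.11", "aa:aa:aa:aa:aa:11", 10),
    Binding("10.0.10.12", "aa:aa:aa:aa:aa:12", 10),
]
TRUSTED_PORTS = {"Gi0/24"}

def inspect(pkt, bindings=BINDINGS, trusted=TRUSTED_PORTS):
    """Return (verdict, reason) for one ARP packet."""
    # ARP arriving on a trusted port is forwarded without inspection.
    if pkt.ingress_port in trusted:
        return ("forward", "trusted port, not inspected")
    # On untrusted ports the sender IP/MAC pair must match a binding.
    for b in bindings:
        if b.ip == pkt.sender_ip and b.vlan == pkt.vlan:
            if b.mac.lower() == pkt.sender_mac.lower():
                return ("forward", "matches binding")
            return ("drop", "sender MAC does not match binding")
    return ("drop", "no binding for sender IP")

# Constructed packets: a legitimate host, two spoofs, and the real gateway.
legit = ArpPacket("10.0.10.11", "AA:AA:AA:AA:AA:11", 10, "Gi0/1")
spoof_gw = ArpPacket("10.0.10.1", "aa:aa:aa:aa:aa:12", 10, "Gi0/2")
spoof_host = ArpPacket("10.0.10.11", "aa:aa:aa:aa:aa:12", 10, "Gi0/2")
gateway = ArpPacket("10.0.10.1", "00:00:5e:00:01:01", 10, "Gi0/24")

if __name__ == "__main__":
    for p in (legit, spoof_gw, spoof_host, gateway):
        print(p.ingress_port, p.sender_ip, *inspect(p))
    # Misconfiguration: trusting an access port lets the spoof through.
    print("Gi0/2 trusted:", *inspect(spoof_gw, trusted={"Gi0/24", "Gi0/2"}))
```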