Which of the following should the ISP engineer do to resolve the issue?

A university’s help desk is receiving reports that Internet access on campus is not functioning. The network administrator looks at the management tools and sees the 1Gbps Internet is completely saturated with ingress traffic. The administrator sees the following output on the Internet router:

The administrator calls the university’s ISP for assistance, but it takes more than four hours to speak to a network engineer who can resolve the problem. Based on the information above, which of the following should the ISP engineer do to resolve the issue?
A. The ISP engineer should null route traffic to the web server immediately to restore Internet connectivity. The university should implement a remotely triggered black hole with the ISP to resolve this more quickly in the future.
B. A university web server is under increased load during enrollment. The ISP engineer should immediately increase bandwidth to 2Gbps to restore Internet connectivity. In the future, the university should pay for more bandwidth to handle spikes in web server traffic.
C. The ISP engineer should immediately begin blocking IP addresses that are attacking the web server to restore Internet connectivity. In the future, the university should install a WAF to prevent this attack from happening again.
D. The ISP engineer should begin refusing network connections to the web server immediately to restore Internet connectivity on campus. The university should purchase an IPS device to stop DDoS attacks in the future.


7 thoughts on “Which of the following should the ISP engineer do to resolve the issue?”

  1. I choose A.
    Comparing A-D
    Question: “which of the following should the ISP engineer do to resolve the issue?”
    Option D “The university should purchase an IPS device to stop DDoS attacks in the future.” — what is this to be done by the ISP engineer?

    Option A stated both key points relevant to the ISP.

  2. B may not be practical, and is unnecessary
    A & D effectively kill external access to the web server, but do restore internal network activity.
    C is silly due to the whack-a-mole process of blocking individual IPs

    In reality, they are all sub-optimal, when all you have to do is block external connections to the web server on port 2343. Yes, the attacker will likely change ports.

    Just another bad question with bad answers.

  3. D
    Due to all this traffic sourcing from different IPs and yet the same port, I’m thinking he’s spoofing IPs at random. The problem with “C” is the whack-a-mole game the ISP would be playing to block individual IPs.
    “A” would shut the attack down and restore service, but only so long as the attacker stopped can you stop black holing IPs destined for your server. Gives you control over your campus network, but your server is useless.
    “B” has already been ruled out, since we see the same port number on each line.

    Leaves “D”. ISP drops all traffic destined to X.X.23.78 to restore the campus network; implement an IPS that can identify the patterns and drop those packets.

  4. D
    Due to all this traffic sourcing from different IPs and yet the same port, I’m thinking he’s spoofing IPs at random. The problem with “C” is the whack-a-mole game the ISP would be playing to block individual IPs.
    “A” would shut the attack down and restore service, but only so long as the attacker stopped can you stop black holing IPs destined for your server. Gives you control over your campus network, but your server is useless.
    “B” has already been ruled out, since we see the same port number on each line.

    Leaves “D”. ISP drops all traffic destined to 192.168.23.78 to restore the campus network; implement an IPS that can identify the patterns and drop those packets.

  5. You can notice that all IPs initiating the SYN packet are using the same port (2343), which is not normal traffic behavior. This shows us that option B is not possible, since it is a DDoS attack.
    I am in doubt between A and C.
    Option A would resolve the issue (restore the Internet connection), but it would make the website unavailable.
    Option C could be right, since a WAF could help block unwanted connections at layer 7. However, we don’t know at which layer the DDoS attack is.

    The question is asking what would bring back the Internet connection, so I would go with A.

    Source: https://aws.amazon.com/shield/ddos-attack-protection/?nc1=h_ls

    1. I totally did not notice the same source ports. I agree with you it’s not normal and likely an attack. I just hate that these questions force us to make big assumptions. The “right” answer would be to first confirm whether this is malicious traffic or not before making a drastic decision.
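As an added defender-side example (not from the exam question or any commenter), the check the thread keeps coming back to: many distinct sources, all half-open SYNs to one host, all from the same source port, which is the evidence for a flood rather than an enrollment spike, and the resulting /32 that a university would hand to its ISP under a remotely triggered black hole arrangement. The connection-table line format and the sample addresses are constructed; the router output from the question is not reproduced on this page.

```python
"""Flag a distributed SYN flood from connection-table lines and emit the victim /32
that would be handed to the ISP for a remotely triggered black hole (RTBH).
Line format and sample data are constructed for this example."""
import re
from collections import Counter, defaultdict

# Constructed lines in a generic "tcp SRC:SPORT -> DST:DPORT STATE" form
# (RFC 5737 documentation addresses; 2343 mirrors the port the thread noticed).
SAMPLE = """\
tcp 203.0.113.10:2343 -> 198.51.100.78:80 SYN_RECV
tcp 203.0.113.55:2343 -> 198.51.100.78:80 SYN_RECV
tcp 192.0.2.9:2343 -> 198.51.100.78:80 SYN_RECV
tcp 192.0.2.44:2343 -> 198.51.100.78:80 SYN_RECV
tcp 198.51.100.3:2343 -> 198.51.100.78:80 SYN_RECV
tcp 203.0.113.200:2343 -> 198.51.100.78:80 SYN_RECV
tcp 192.0.2.120:2343 -> 198.51.100.78:80 SYN_RECV
tcp 203.0.113.77:51522 -> 198.51.100.20:443 ESTABLISHED
tcp 192.0.2.18:40021 -> 198.51.100.20:443 ESTABLISHED
"""
LINE = re.compile(r"^tcp (\S+):(\d+) -> (\S+):(\d+) (\S+)$")

def parse(text):
    """Return (src, sport, dst, dport, state) tuples, skipping malformed lines."""
    out = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            out.append((m[1], int(m[2]), m[3], int(m[4]), m[5]))
    return out

def syn_flood_victims(conns, min_sources=5, port_share=0.9):
    """Per destination, flag half-open connections where many distinct sources all
    share one source port. Returns {dst_ip: (source_count, dominant_sport)}."""
    half_open = defaultdict(list)
    for src, sport, dst, _dport, state in conns:
        if state == "SYN_RECV":
            half_open[dst].append((src, sport))
    flagged = {}
    for dst, pairs in half_open.items():
        sources = {s for s, _ in pairs}
        sport, n = Counter(p for _, p in pairs).most_common(1)[0]
        # Legitimate clients pick ephemeral ports at random; one shared port is abnormal.
        if len(sources) >= min_sources and n / len(pairs) >= port_share:
            flagged[dst] = (len(sources), sport)
    return flagged

def rtbh_prefixes(flagged):
    """Host routes the ISP would null-route to restore the saturated uplink."""
    return sorted(f"{dst}/32" for dst in flagged)
```

Null-routing the /32 restores campus connectivity at the cost of the one server, which is the trade-off commenters describe for option A; the thresholds are constructed defaults, not values from the page.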
