Which approach limits the impact of DDoS attacks by denying traffic with spoofed addresses?

Prepare for the Certified Ethical Hacker Version 11 Exam with a comprehensive test featuring flashcards and multiple choice questions, each accompanied by hints and explanations to ensure a thorough understanding. Ace your ethical hacking exam with confidence!

Multiple Choice

Explanation:
Anti-spoofing at the network edge through ingress filtering is the idea here. The technique involves discarding packets whose source IP addresses could not have originated from the network they arrived on. RFC 3704 defines this approach and guides how border routers or service providers should filter inbound traffic so that spoofed source addresses are dropped before they can traverse the network. When traffic bearing forged or impossible source addresses is blocked at the edge, the amount of junk traffic that can flood downstream targets or be used in reflection/amplification attacks is greatly reduced. This directly limits the impact of DDoS attacks that rely on spoofed addresses because attackers can’t easily seed the network with believable but false source identities, nor can they leverage those spoofed addresses to magnify bursts of traffic.

Other options may still handle some symptoms of a flood—dropping requests, rate-limiting, or using reputation data can help mitigate load—but they don’t address the fundamental problem of spoofed traffic entering the network. Ingress filtering specifically targets and neutralizes spoofed traffic at the source, making it the most effective approach for this scenario.
