Flashcards

Denial-of-Service

Disrupting service availability.

Details DoS and DDoS concepts, attack tools and techniques, botnets, and protective measures such as traffic filtering and response strategies to mitigate service disruptions.

5 minutes 5 Questions

Denial-of-Service (DoS) attacks in the Certified Ethical Hacker (CEH) context represent deliberate attempts to make networks, systems, or services unavailable to legitimate users. These attacks work by overwhelming target resources with excessive traffic or requests, exhausting system capabilities.…

Concepts covered: DoS/DDoS Countermeasures, DoS/DDoS Concepts, DoS/DDoS Attack Techniques, Botnets, DDoS Case Study, DoS/DDoS Attack Tools, DoS/DDoS Protection Tools

Test mode:

Exam (Timed)

Practice (With explanations)

Start practice test

CEH - Denial-of-Service Example Questions

Test your knowledge of Denial-of-Service

Question 1

A multinational e-commerce platform has detected that their payment gateway is experiencing intermittent outages. The security team observes that their servers are receiving a flood of ICMP echo request packets (pings) that appear to be coming from spoofed IP addresses. These packets have unusually large payloads, which is causing network congestion and exhausting bandwidth on their network infrastructure. Legitimate customers are reporting timeout errors when attempting to complete purchases. Which DoS/DDoS attack technique is most likely being used?

SYN Flood Attack using TCP handshake exploitation to overwhelm server connection tables Amplified DNS Reflection Attack leveraging open DNS resolvers to magnify traffic volume ICMP Flood Attack (Ping Flood) Slowloris Attack that depletes connection resources through partial HTTP request handling

Correct Answer: ICMP Flood Attack (Ping Flood)

Based on the scenario description, this is a classic ICMP Flood Attack (Ping Flood). The key indicators are: 1. The servers are receiving a flood of ICMP echo request packets (pings) 2. The packets have spoofed IP addresses 3. The packets have unusually large payloads 4. Network congestion and bandwidth exhaustion are occurring This perfectly describes an ICMP Flood, where attackers send a large volume of ICMP echo request packets with oversized payloads to consume bandwidth and overwhelm the target network infrastructure. The other options are incorrect: Slowloris attacks work by maintaining many connections to the target server and keeping them open for as long as possible by sending partial HTTP requests. This is not what's described in the scenario. SYN Flood attacks involve sending many TCP SYN packets to exhaust connection state tables in servers. The scenario specifically mentions ICMP packets, not TCP SYN packets. Amplified DNS Reflection Attacks use DNS servers to amplify traffic toward a victim, but the scenario specifically mentions ICMP echo requests (pings), not DNS queries.

Question 2

You are a security analyst for a medium-sized e-commerce company. During a major sales event, your network monitoring system alerts you to a sudden spike in traffic from multiple geographic locations, targeting your web servers. The servers are becoming increasingly unresponsive, and customer complaints are rising. Upon initial investigation, you notice thousands of TCP SYN packets flooding your network, but very few SYN-ACK responses are being completed. What type of attack is most likely occurring, and what is the best immediate mitigation strategy?

A SYN flood DDoS attack is occurring. Implement SYN cookies or increase the SYN backlog queue to manage incomplete connections while applying rate limiting at the network edge. A HTTP flood attack is occurring. Set up a Web Application Firewall with custom rules to analyze request patterns and implement CAPTCHA challenges for suspicious traffic sources. A DNS amplification attack is occurring. Deploy DNSSEC on all DNS servers and route traffic through a specialized DDoS scrubbing service that can filter malicious requests. A Slowloris attack is occurring. Modify web server timeout settings and implement connection rate limiting while deploying a reverse proxy to buffer incomplete HTTP requests.

Correct Answer: A SYN flood DDoS attack is occurring. Implement SYN cookies or increase the SYN backlog queue to manage incomplete connections while applying rate limiting at the network edge.

The scenario describes a classic SYN flood DDoS attack, which is characterized by:

1. Sudden spike in traffic from multiple geographic locations
2. Thousands of TCP SYN packets flooding the network
3. Very few SYN-ACK responses being completed
4. Servers becoming unresponsive

In a SYN flood attack, attackers send numerous TCP SYN packets but never complete the three-way handshake by sending the final ACK. This causes the server to keep half-open connections in its backlog queue, eventually exhausting resources.

The best immediate mitigation strategy includes implementing SYN cookies (which allow the server to handle SYN packets even when the backlog queue is full) and increasing the SYN backlog queue, along with rate limiting at the network edge.

The other options are incorrect:

A DNS amplification attack involves sending spoofed requests to DNS servers that generate much larger responses directed at the victim - this doesn't match the TCP SYN packet pattern described.

An HTTP flood attack targets the application layer with seemingly legitimate HTTP GET or POST requests - this doesn't align with the TCP SYN pattern observed.

A Slowloris attack works by opening connections to the target server and keeping them open with partial HTTP requests - while this can cause server unresponsiveness, it doesn't match the specific pattern of SYN packets without completed handshakes described in the scenario.

Question 3

A multinational corporation has detected a suspicious pattern where their web application is experiencing thousands of legitimate-looking HTTP requests per second that appear to be requesting computationally intensive search queries. These requests are causing the application servers to reach 100% CPU utilization while appearing to come from numerous different IP addresses globally. The security team needs to implement a specific solution to protect against this sophisticated HTTP flood attack. Which DoS/DDoS protection tool is most appropriate for this scenario?

A network-layer Access Control List (ACL) that blocks traffic from geographical regions showing unusual activity patterns and implements TCP SYN authentication mechanisms A Web Application Firewall (WAF) with behavioral analysis and rate limiting capabilities An upstream scrubbing service that filters packets based on volume thresholds and known attack signatures A CAPTCHA implementation that requires all users to solve puzzles before performing search operations on the web application

Correct Answer: A Web Application Firewall (WAF) with behavioral analysis and rate limiting capabilities

The described scenario is a sophisticated HTTP flood attack targeting the application layer (Layer 7) of the web application. The key characteristics are: 1. Legitimate-looking HTTP requests 2. Computationally intensive search queries 3. High volume (thousands per second) 4. Distributed source IPs 5. Causing CPU exhaustion A Web Application Firewall (WAF) with behavioral analysis and rate limiting capabilities is most appropriate because it operates at the application layer and can identify abnormal request patterns. It can analyze the actual HTTP requests, detect unusual behavior patterns, and implement rate limiting based on various parameters including request type, frequency, and resource consumption. The upstream scrubbing service option is less effective because it primarily focuses on volume-based attacks and known signatures, but this attack uses legitimate-looking requests that would likely pass signature checks. Network-layer ACLs would be ineffective since the attack is coming from multiple global IPs and uses legitimate HTTP requests, making geographic blocking impractical and TCP SYN authentication irrelevant for application layer attacks. A CAPTCHA implementation could help but would severely impact legitimate user experience for all users, making it too disruptive as a first-line defense. Additionally, sophisticated bots can sometimes bypass CAPTCHA systems.

🎓 Unlock Premium Access

Certified Ethical Hacker + ALL Certifications

🎓 Access to ALL Certifications: Study for any certification on our platform with one subscription
2312 Superior-grade Certified Ethical Hacker practice questions
Unlimited practice tests across all certifications
Detailed explanations for every question
CEH: 5 full exams plus all other certification exams
100% Satisfaction Guaranteed: Full refund if unsatisfied
Risk-Free: 7-day free trial with all premium features!

Start Your Free 7-Day Trial