nerdexam
F5

101 · Question #462

Data centers often rely on either traditional firewalls or next generation firewalls. Select the core weakness of the traditional or next generation firewalls when it comes to DDoS attacks.

The correct answer is A. They are limited in amount of connections per second and the amount of sustained connections. Both traditional and next-generation firewalls are stateful devices that maintain a connection table, which makes them susceptible to resource exhaustion under DDoS attack volumes. Their fundamental architectural limit is the finite number of connections per second they can estab

Section 4: Security Basics

Question

Data centers often rely on either traditional firewalls or next generation firewalls. Select the core weakness of the traditional or next generation firewalls when it comes to DDoS attacks.

Options

  • AThey are limited in amount of connections per second and the amount of sustained connections
  • BThe cost performance ratio of next generation firewalls is too high.
  • CThe agility of traditional firewalls is too limited when it comes to DDoS attacks.
  • DData center traffic is primarily outbound.

How the community answered

(28 responses)
  • A
    86% (24)
  • B
    4% (1)
  • C
    4% (1)
  • D
    7% (2)

Why each option

Both traditional and next-generation firewalls are stateful devices that maintain a connection table, which makes them susceptible to resource exhaustion under DDoS attack volumes. Their fundamental architectural limit is the finite number of connections per second they can establish and the total concurrent connections they can sustain.

AThey are limited in amount of connections per second and the amount of sustained connectionsCorrect

Firewalls - whether traditional or next-generation - must track every TCP/UDP connection in a state table. A DDoS attack such as a SYN flood or connection flood can exhaust the finite connections-per-second processing rate and the maximum concurrent session capacity, causing the firewall itself to become the bottleneck or failure point rather than protecting downstream resources.

BThe cost performance ratio of next generation firewalls is too high.

Cost-performance ratio is a procurement consideration and not a technical weakness related to how firewalls handle DDoS traffic volumes.

CThe agility of traditional firewalls is too limited when it comes to DDoS attacks.

Describing traditional firewalls as lacking 'agility' is too vague and does not identify the specific technical mechanism by which DDoS attacks overwhelm firewall resources.

DData center traffic is primarily outbound.

Data center traffic is not primarily outbound; DDoS attacks exploit inbound traffic, and this statement does not describe a firewall architectural weakness.

Concept tested: Firewall stateful connection table DDoS vulnerability

Source: https://www.f5.com/solutions/use-cases/ddos-protection

Topics

#DDoS#firewall limitations#connection limits#next-generation firewall

Community Discussion

No community discussion yet for this question.

Full 101 Practice