156-215.80 · Question #512
Which type of attack can a firewall NOT prevent?
The correct answer is A. Network Bandwidth Saturation. A firewall cannot prevent network bandwidth saturation because volumetric attack traffic consumes the upstream network link before packets ever reach the firewall, making on-device filtering ineffective.
Question
Which type of attack can a firewall NOT prevent?
Options
- ANetwork Bandwidth Saturation
- BBuffer Overflow
- CSYN Flood
- DSQL Injection
How the community answered
(34 responses)- A82% (28)
- B3% (1)
- C6% (2)
- D9% (3)
Why each option
A firewall cannot prevent network bandwidth saturation because volumetric attack traffic consumes the upstream network link before packets ever reach the firewall, making on-device filtering ineffective.
Network bandwidth saturation attacks flood the ISP uplink or WAN circuit with massive traffic volumes, exhausting all available bandwidth upstream of the firewall so that legitimate traffic cannot reach the network regardless of firewall rules. Mitigation requires upstream scrubbing centers, ISP-level black-holing, or anycast diffusion - all outside the firewall's enforcement point.
Buffer overflow attacks embed exploit payloads in network traffic, and a firewall with IPS capabilities can inspect packet content and block known exploit signatures before they reach a vulnerable service.
SYN Flood attacks exhaust TCP connection tables, but a stateful inspection firewall can mitigate this by enforcing SYN cookies or connection rate limits at the device level.
SQL Injection attacks are carried in HTTP/HTTPS request parameters, and an application layer firewall or WAF can parse and block malicious SQL strings in the payload.
Concept tested: Firewall limitations against volumetric DDoS bandwidth attacks
Source: https://www.cisco.com/c/en/us/products/security/what-is-a-ddos-attack.html
Topics
Community Discussion
No community discussion yet for this question.