312-50V10 · Question #61
What is the least important information when you analyze a public IP address in a security alert?
The correct answer is A. ARP. ARP is the least useful tool when analyzing a public IP address because ARP operates only within a local Layer 2 broadcast domain and cannot reach public IPs.
Question
What is the least important information when you analyze a public IP address in a security alert?
Options
- AARP
- BWhois
- CDNS
- DGeolocation
How the community answered
(20 responses)- A90% (18)
- B5% (1)
- C5% (1)
Why each option
ARP is the least useful tool when analyzing a public IP address because ARP operates only within a local Layer 2 broadcast domain and cannot reach public IPs.
ARP (Address Resolution Protocol) resolves IP addresses to MAC addresses strictly within a local network segment and has no ability to interact with or return information about public IP addresses. Because a public IP is outside the local broadcast domain, an ARP request for it will never receive a response. Whois, DNS, and Geolocation are all capable of returning meaningful threat intelligence about a public IP, making ARP the only inapplicable option.
Whois queries return registration, ownership, and abuse contact information for a public IP block, which is directly useful in a security investigation.
Reverse DNS lookups on a public IP can reveal associated hostnames and infrastructure, providing valuable context during alert triage.
Geolocation maps a public IP to an approximate physical location and ASN, which helps analysts assess the geographic origin of a potential threat.
Concept tested: ARP scope limitation versus public IP analysis
Source: https://datatracker.ietf.org/doc/html/rfc826
Topics
Community Discussion
No community discussion yet for this question.