nerdexam
EC-Council

312-50V9 · Question #128

What is a successful method for protecting a router from potential smurf attacks?

The correct answer is D. Disabling the router from accepting broadcast ping messages. A smurf attack exploits directed broadcasts to amplify ICMP traffic against a victim, and disabling broadcast ping acceptance on the router eliminates the amplification vector.

Denial of Service

Question

What is a successful method for protecting a router from potential smurf attacks?

Options

  • APlacing the router in broadcast mode
  • BEnabling port forwarding on the router
  • CInstalling the router outside of the network's firewall
  • DDisabling the router from accepting broadcast ping messages

How the community answered

(31 responses)
  • A
    16% (5)
  • B
    10% (3)
  • C
    3% (1)
  • D
    71% (22)

Why each option

A smurf attack exploits directed broadcasts to amplify ICMP traffic against a victim, and disabling broadcast ping acceptance on the router eliminates the amplification vector.

APlacing the router in broadcast mode

Placing the router in broadcast mode would increase its participation in broadcast traffic, worsening exposure to smurf-style amplification attacks rather than mitigating them.

BEnabling port forwarding on the router

Enabling port forwarding on the router is unrelated to smurf attacks and does nothing to block ICMP directed broadcast amplification.

CInstalling the router outside of the network's firewall

Installing the router outside the firewall changes its network position but does not address the core mechanism of smurf attacks, which rely on directed broadcast processing regardless of placement.

DDisabling the router from accepting broadcast ping messagesCorrect

In a smurf attack, the attacker sends ICMP echo requests to a network broadcast address with the victim's IP spoofed as the source, causing all hosts to reply to the victim. Disabling the router from processing directed broadcast ICMP messages - via commands like 'no ip directed-broadcast' on Cisco IOS - prevents the router from forwarding these amplified replies, neutralizing the attack at its source.

Concept tested: Smurf attack mitigation via directed broadcast disabling

Source: https://www.cisco.com/c/en/us/support/docs/ip/internet-control-message-protocol-icmp/13787-39.html

Topics

#smurf attack#DDoS mitigation#broadcast ping#router hardening

Community Discussion

No community discussion yet for this question.

Full 312-50V9 Practice