EC-Council

312-50V9 · Question #604

312-50V9 Question #604: Real Exam Question with Answer & Explanation

The correct answer is B: Attacker floods TCP SYN packets with random source addresses towards a victim host. A TCP SYN flood attack exploits the three-way handshake by flooding a victim with SYN packets using spoofed source IPs, exhausting the connection queue. The victim sends SYN/ACK replies that are never acknowledged, leaving half-open connections that consume resources.

Question

When a normal TCP connection starts, a destination host receives a SYN (synchronize/start) packet from a source host and sends back a SYN/ACK (synchronize acknowledge). The destination host must then hear an ACK (acknowledge) of the SYN/ACK before the connection is established. This is referred to as the "TCP three-way handshake." While waiting for the ACK to the SYN/ACK, a connection queue of finite size on the destination host keeps track of connections waiting to be completed. This queue typically empties quickly since the ACK is expected to arrive a few milliseconds after the SYN/ACK. How would an attacker exploit this design by launching a TCP SYN attack?

Options

  • A. Attacker generates TCP SYN packets with random destination addresses towards a victim host
  • B. Attacker floods TCP SYN packets with random source addresses towards a victim host
  • C. Attacker generates TCP ACK packets with random source addresses towards a victim host
  • D. Attacker generates TCP RST packets with random source addresses towards a victim host

Explanation

A TCP SYN flood attack exploits the three-way handshake by flooding a victim with SYN packets using spoofed source IPs, exhausting the connection queue. The victim sends SYN/ACK replies that are never acknowledged, leaving half-open connections that consume resources.
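From the defender's side, the half-open connections described above show up as sockets in the SYN-RECV state. The following added example (not part of the original question or its reference) counts them per listening endpoint and flags a listener whose queue is nearly full of entries from almost entirely distinct sources. The sample text is constructed in the column layout of `ss -tan`, and `queue_size`, `fill_ratio` and `spread_ratio` are assumed illustrative thresholds.

```python
from collections import defaultdict

# Constructed sample in the column layout of `ss -tan` (not a real capture).
SAMPLE_SS_OUTPUT = """\
State     Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN    0      128    0.0.0.0:80          0.0.0.0:*
SYN-RECV  0      0      192.0.2.10:80       198.51.100.7:41822
SYN-RECV  0      0      192.0.2.10:80       203.0.113.44:1093
SYN-RECV  0      0      192.0.2.10:80       198.51.100.201:60211
SYN-RECV  0      0      192.0.2.10:80       203.0.113.9:3377
SYN-RECV  0      0      192.0.2.10:80       198.51.100.63:52100
SYN-RECV  0      0      192.0.2.10:80       203.0.113.150:8841
SYN-RECV  0      0      192.0.2.10:80       198.51.100.18:29004
SYN-RECV  0      0      192.0.2.10:22       192.0.2.50:50514
ESTAB     0      0      192.0.2.10:22       192.0.2.51:50600
"""

def half_open_peers(ss_text):
    """Map each local addr:port to the peer IPs of its SYN-RECV entries."""
    peers = defaultdict(list)
    for line in ss_text.splitlines():
        fields = line.split()
        # Only half-open entries matter: SYN/ACK sent, final ACK not yet seen.
        if len(fields) < 5 or fields[0] != "SYN-RECV":
            continue
        local, peer = fields[3], fields[4]
        peers[local].append(peer.rsplit(":", 1)[0])  # drop the peer port
    return peers

def assess(ss_text, queue_size=8, fill_ratio=0.75, spread_ratio=0.9):
    """Flag listeners whose finite queue is mostly half-open, scattered sources."""
    findings = {}
    for local, peers in half_open_peers(ss_text).items():
        fill = len(peers) / queue_size          # how full the queue is
        spread = len(set(peers)) / len(peers)   # 1.0 = every source distinct
        findings[local] = {
            "half_open": len(peers),
            "distinct_sources": len(set(peers)),
            "suspect_syn_flood": fill >= fill_ratio and spread >= spread_ratio,
        }
    return findings

if __name__ == "__main__":
    for endpoint, result in assess(SAMPLE_SS_OUTPUT).items():
        print(endpoint, result)
```
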

Common mistakes.

  • A. Generating SYN packets toward random destination addresses describes a scanning or reconnaissance technique, not a SYN flood DoS attack against a specific victim.
  • C. Generating ACK packets with random source addresses does not fill the connection queue and does not exploit the SYN/SYN-ACK handshake mechanism described.
  • D. Generating TCP RST packets is used in TCP reset attacks to tear down existing connections, not to exhaust the half-open connection queue via the three-way handshake.

Concept tested. TCP SYN flood denial-of-service attack mechanics

Reference. https://www.cisa.gov/sites/default/files/publications/understanding-denial-of-service-attacks_508c.pdf
