nerdexam
Cisco

352-001 · Question #40

You are a network designer and are responsible for ensuring that the network you design is secure. How do you plan to prevent infected devices on your network from sourcing random DDoS attacks using f

The correct answer is D. Unicast RPF strict mode. Unicast RPF strict mode prevents DDoS attacks using forged source addresses by verifying that the source IP of every incoming packet is reachable via the same interface it arrived on, dropping packets that fail this reverse path check.

Designing Security

Question

You are a network designer and are responsible for ensuring that the network you design is secure. How do you plan to prevent infected devices on your network from sourcing random DDoS attacks using forged source addresses?

Options

  • AACL-based forwarding
  • BACL filtering by destination
  • CUnicast RPF loose mode
  • DUnicast RPF strict mode

How the community answered

(19 responses)
  • A
    5% (1)
  • B
    11% (2)
  • C
    5% (1)
  • D
    79% (15)

Why each option

Unicast RPF strict mode prevents DDoS attacks using forged source addresses by verifying that the source IP of every incoming packet is reachable via the same interface it arrived on, dropping packets that fail this reverse path check.

AACL-based forwarding

ACL-based forwarding uses permit/deny rules based on predefined address ranges and does not dynamically verify source addresses against the routing table, making it unable to generically block all spoofed source addresses.

BACL filtering by destination

ACL filtering by destination inspects the destination address of packets to control forwarding, and has no mechanism to detect or block packets with forged source addresses.

CUnicast RPF loose mode

Unicast RPF loose mode only checks that the source address exists anywhere in the routing table via any interface, not that it is reachable through the specific ingress interface, which allows spoofed addresses that happen to exist in the routing table to pass unchallenged.

DUnicast RPF strict modeCorrect

Unicast RPF strict mode performs a FIB lookup on the source address of each incoming packet and drops any packet whose source address is not reachable through the ingress interface; since forged source addresses used in DDoS attacks typically cannot pass this reverse path check, infected devices on the network are unable to successfully send spoofed packets beyond the ingress router. This is the standard mechanism recommended by BCP38 for anti-spoofing at network edges.

Concept tested: Unicast RPF strict mode anti-spoofing source validation

Source: https://www.cisco.com/c/en/us/about/security-center/unicast-reverse-path-forwarding.html

Topics

#Unicast RPF strict mode#DDoS prevention#IP spoofing#source address validation

Community Discussion

No community discussion yet for this question.

Full 352-001 Practice