352-001 · Question #40
You are a network designer and are responsible for ensuring that the network you design is secure. How do you plan to prevent infected devices on your network from sourcing random DDoS attacks using f
The correct answer is D. Unicast RPF strict mode. Unicast RPF strict mode prevents DDoS attacks using forged source addresses by verifying that the source IP of every incoming packet is reachable via the same interface it arrived on, dropping packets that fail this reverse path check.
Question
You are a network designer and are responsible for ensuring that the network you design is secure. How do you plan to prevent infected devices on your network from sourcing random DDoS attacks using forged source addresses?
Options
- AACL-based forwarding
- BACL filtering by destination
- CUnicast RPF loose mode
- DUnicast RPF strict mode
How the community answered
(19 responses)- A5% (1)
- B11% (2)
- C5% (1)
- D79% (15)
Why each option
Unicast RPF strict mode prevents DDoS attacks using forged source addresses by verifying that the source IP of every incoming packet is reachable via the same interface it arrived on, dropping packets that fail this reverse path check.
ACL-based forwarding uses permit/deny rules based on predefined address ranges and does not dynamically verify source addresses against the routing table, making it unable to generically block all spoofed source addresses.
ACL filtering by destination inspects the destination address of packets to control forwarding, and has no mechanism to detect or block packets with forged source addresses.
Unicast RPF loose mode only checks that the source address exists anywhere in the routing table via any interface, not that it is reachable through the specific ingress interface, which allows spoofed addresses that happen to exist in the routing table to pass unchallenged.
Unicast RPF strict mode performs a FIB lookup on the source address of each incoming packet and drops any packet whose source address is not reachable through the ingress interface; since forged source addresses used in DDoS attacks typically cannot pass this reverse path check, infected devices on the network are unable to successfully send spoofed packets beyond the ingress router. This is the standard mechanism recommended by BCP38 for anti-spoofing at network edges.
Concept tested: Unicast RPF strict mode anti-spoofing source validation
Source: https://www.cisco.com/c/en/us/about/security-center/unicast-reverse-path-forwarding.html
Topics
Community Discussion
No community discussion yet for this question.