Cisco
352-001 · Question #645
352-001 Question #645: Real Exam Question with Answer & Explanation
The correct answer is B: It protects the network infrastructure against spoofed DDoS attacks.
Question
What is an effect of using ingress filtering to prevent spoofed addresses on a network design?
Options
- A. It reduces the effect of DDoS attacks when associated with DSCP remarking to Scavenger
- B. It protects the network infrastructure against spoofed DDoS attacks
- C. It filters RFC 1918 addresses
- D. It classifies bogon traffic and remarks it with DSCP bulk
Explanation
Ingress filtering validates source IP addresses on inbound packets, dropping those with forged addresses and thereby protecting the network infrastructure from spoofed DDoS attacks.
Common mistakes.
- A. DSCP remarking to Scavenger class is a QoS mechanism for deprioritizing unwanted traffic, not a function of ingress filtering, which performs source address validation and dropping rather than any remarking action.
- C. Filtering RFC 1918 private addresses is a specific form of bogon filtering and represents only one narrow use case, not the defining or primary effect of ingress filtering as an anti-spoofing control.
- D. Remarking bogon traffic with DSCP bulk is a QoS policy decision unrelated to ingress filtering, which drops spoofed packets outright rather than classifying or queuing them.
Concept tested. Ingress filtering to prevent IP address spoofing and DDoS
Reference. https://www.cisco.com/c/en/us/about/security-center/ingress-filtering.html
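Worked example. This is an added illustration, not part of the original question or the Cisco reference: a small Python model of the source-address check that ingress filtering performs at a provider edge. The interface names and prefix assignments are constructed, using documentation address ranges.

```python
import ipaddress

# Constructed data: prefixes the provider has assigned behind each
# customer-facing interface (hypothetical names, documentation ranges).
ASSIGNED = {
    "cust-a": [ipaddress.ip_network("192.0.2.0/24")],
    "cust-b": [ipaddress.ip_network("198.51.100.0/25"),
               ipaddress.ip_network("203.0.113.0/24")],
}

def ingress_filter(interface, src):
    """Return 'forward' when src belongs to a prefix assigned behind
    interface, otherwise 'drop'. The only outcomes are forward and drop;
    nothing is remarked or re-queued."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "drop"                      # unparsable source address
    prefixes = ASSIGNED.get(interface)
    if prefixes is None:
        return "drop"                      # unknown interface: fail closed
    if any(addr in net for net in prefixes):
        return "forward"
    return "drop"                          # source not valid on this interface

def filter_batch(packets):
    """Split (interface, src) pairs into forwarded and dropped lists."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if ingress_filter(*pkt) == "forward" else dropped).append(pkt)
    return forwarded, dropped

# Constructed sample traffic.
SAMPLE = [
    ("cust-a", "192.0.2.10"),      # legitimate source for cust-a
    ("cust-a", "198.51.100.7"),    # cust-b's address arriving on cust-a: spoofed
    ("cust-a", "10.1.2.3"),        # RFC 1918 source: dropped as one case of many
    ("cust-b", "198.51.100.200"),  # outside the /25 assigned to cust-b
    ("cust-b", "203.0.113.5"),     # legitimate source for cust-b
]

if __name__ == "__main__":
    ok, bad = filter_batch(SAMPLE)
    print("forwarded:", ok)
    print("dropped:  ", bad)
```

The RFC 1918 packet is dropped by the same rule as every other invalid source, which is why option C describes only one case of the control rather than its effect.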