nerdexam
Cisco

352-001 · Question #645

What is an effect of using ingress filtering to prevent spoofed addresses on a network design?

The correct answer is B. It protects the network infrastructure against spoofed DDoS attacks. Ingress filtering validates source IP addresses on inbound packets, dropping those with forged addresses and thereby protecting the network infrastructure from spoofed DDoS attacks.

Designing Security

Question

What is an effect of using ingress filtering to prevent spoofed addresses on a network design?

Options

  • AIt reduces the effect of DDoS attacks when associated with DSCP remaking to Scavenger
  • BIt protects the network infrastructure against spoofed DDoS attacks
  • CIt filters RFC 1918 addresses
  • DIt classifies bogon traffic and remarks it with DSCP bulk

How the community answered

(71 responses)
  • A
    4% (3)
  • B
    93% (66)
  • C
    1% (1)
  • D
    1% (1)

Why each option

Ingress filtering validates source IP addresses on inbound packets, dropping those with forged addresses and thereby protecting the network infrastructure from spoofed DDoS attacks.

AIt reduces the effect of DDoS attacks when associated with DSCP remaking to Scavenger

DSCP remarking to Scavenger class is a QoS mechanism for deprioritizing unwanted traffic, not a function of ingress filtering, which performs source address validation and dropping rather than any remarking action.

BIt protects the network infrastructure against spoofed DDoS attacksCorrect

Ingress filtering - implemented via Unicast Reverse Path Forwarding (uRPF) or inbound ACLs - checks that a packet's source address is reachable through the interface it arrived on, discarding packets with spoofed source IPs before they traverse the network and preventing attackers from hiding behind forged addresses during DDoS attacks.

CIt filters RFC 1918 addresses

Filtering RFC 1918 private addresses is a specific form of bogon filtering and represents only one narrow use case, not the defining or primary effect of ingress filtering as an anti-spoofing control.

DIt classifies bogon traffic and remarks it with DSCP bulk

Remarking bogon traffic with DSCP bulk is a QoS policy decision unrelated to ingress filtering, which drops spoofed packets outright rather than classifying or queuing them.

Concept tested: Ingress filtering to prevent IP address spoofing and DDoS

Source: https://www.cisco.com/c/en/us/about/security-center/ingress-filtering.html

Topics

#ingress filtering#IP spoofing#DDoS protection#uRPF

Community Discussion

No community discussion yet for this question.

Full 352-001 Practice