Cisco
352-001 Question #738: Real Exam Question with Answer & Explanation
The correct answer is A: It protects the network infrastructure against spoofed DDoS attacks. Ingress filtering validates source IP addresses at network ingress points, blocking spoofed-source attacks and preserving the true source address for traceability.
Question
Which two effects of using ingress filtering to prevent spoofed addresses in a network design are true? (Choose two)
Options
- A. It protects the network infrastructure against spoofed DDoS attacks
- B. It reduces the effectiveness of DDoS attacks when associated with DSCP remarking to
- C. It makes DoS attacks more traceable
- D. It classifies bogon traffic and remarks it with DSCP bulk
- E. It filters RFC 1918 IP addresses
Explanation
Ingress filtering validates source IP addresses at network ingress points, blocking spoofed-source attacks and preserving the true source address for traceability.
Common mistakes.
- B. DSCP remarking is a QoS classification mechanism unrelated to source address validation; combining ingress filtering with DSCP remarking is not a recognized method for reducing DDoS effectiveness.
- D. Ingress filtering drops or blocks packets with invalid source addresses rather than classifying them and remarking them with a DSCP bulk value.
- E. Filtering RFC 1918 addresses is a separate policy applied at Internet-facing borders; ingress filtering specifically validates source addresses against the routing table and does not inherently target private address ranges.
Concept tested. Ingress filtering and anti-spoofing source address validation
Reference. https://www.cisco.com/c/en/us/about/security-center/unicast-reverse-path-forwarding.html
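The explanation's point that ingress filtering validates the source address against the routing table, rather than matching fixed ranges such as RFC 1918, can be seen in a small model of a strict reverse-path check. This is an added example, not part of the original question or of any vendor's implementation; the FIB entries, interface names and packets are constructed for illustration.

```python
import ipaddress

# Constructed FIB for a hypothetical edge router: (prefix, next-hop interface).
SAMPLE_FIB = [
    ("203.0.113.0/24", "Gi0/1"),   # customer A
    ("198.51.100.0/24", "Gi0/2"),  # customer B
    ("10.20.0.0/16", "Gi0/3"),     # internal site numbered from RFC 1918 space
    ("0.0.0.0/0", "Gi0/0"),        # default route toward the upstream
]

def build_fib(entries):
    """Parse prefixes and sort longest-first so the first hit is the best match."""
    fib = [(ipaddress.ip_network(p), iface) for p, iface in entries]
    return sorted(fib, key=lambda e: e[0].prefixlen, reverse=True)

def best_route(fib, addr):
    """Longest-prefix match; returns (network, interface) or None."""
    ip = ipaddress.ip_address(addr)
    for net, iface in fib:
        if ip in net:
            return net, iface
    return None

def strict_rpf(fib, src, in_iface):
    """Strict reverse-path check: permit only if the best route back to the
    source address leaves through the interface the packet arrived on."""
    route = best_route(fib, src)
    if route is None:
        return False, "no route to source"
    net, iface = route
    if iface != in_iface:
        return False, f"best route {net} points to {iface}, not {in_iface}"
    return True, f"matches {net} via {iface}"

def filter_packets(fib, packets):
    """Return a (src, in_iface, permitted, reason) verdict for each packet."""
    return [(s, i, *strict_rpf(fib, s, i)) for s, i in packets]

if __name__ == "__main__":
    # Constructed packets: (source address, arrival interface).
    packets = [("203.0.113.7", "Gi0/1"),   # customer A, genuine source
               ("198.51.100.9", "Gi0/1"),  # customer B's address seen on A's port
               ("10.20.5.5", "Gi0/3"),     # RFC 1918 source on its own interface
               ("10.20.5.5", "Gi0/1"),     # same address arriving on the wrong port
               ("192.168.1.1", "Gi0/0")]   # RFC 1918 source covered only by default
    for src, iface, ok, why in filter_packets(build_fib(SAMPLE_FIB), packets):
        print(f"{src:15} in {iface}: {'PERMIT' if ok else 'DROP'} ({why})")
```

In this model the private 10.20.5.5 source is permitted on the interface its route points to, and 192.168.1.1 is permitted on the upstream interface because the default route covers it, which is why filtering RFC 1918 ranges needs its own policy.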