352-001 Question #788: Real Exam Question with Answer & Explanation
The correct answer is C: unicast RPF strict mode.
Question
You are a network designer and you must ensure that the network you design is secure. How do you plan to prevent infected devices on your network from sourcing random DDoS attacks using forged source addresses?
Options
- A. ACL-based forwarding
- B. Unicast RPF loose mode
- C. Unicast RPF strict mode
- D. ACL filtering by destination
Explanation
Unicast RPF strict mode drops packets whose source IP address is not reachable via the same interface the packet arrived on, making IP address spoofing ineffective for DDoS amplification. Because it checks the specific ingress interface, strict mode belongs on edges where routing is symmetric (for example, access or customer-facing interfaces); on asymmetrically routed links it would drop legitimate traffic, which is why loose mode is sometimes used there instead.
Common mistakes:
- A. ACL-based forwarding (Policy-Based Routing) makes forwarding decisions based on traffic classification but does not validate whether the source IP address is topologically reachable via the arriving interface.
- B. Unicast RPF loose mode only verifies that a route for the source address exists somewhere in the routing table, regardless of interface. It does not check the specific ingress interface, so spoofed packets whose forged source has any route in the table still pass.
- D. ACL filtering by destination restricts traffic based on where packets are going, not where they claim to come from, providing no protection against forged source addresses.
Concept tested: Unicast RPF strict mode preventing IP source address spoofing.