400-007 · Question #147
400-007 Question #147: Real Exam Question with Answer & Explanation
The correct answer is B: It protects the network Infrastructure against spoofed DDoS attacks.. Ingress filtering (defined in RFC 2827 / BCP 38) works by dropping packets at the network edge whose source IP addresses are not reachable through the interface they arrived on. Because DDoS attacks frequently rely on spoofed source addresses to obscure the attacker's identity an
Question
Options
- AIt reduces the effectiveness of DDoS attacks when associated with DSCP remarking to
- BIt protects the network Infrastructure against spoofed DDoS attacks.
- CIt Classifies bogon traffic and remarks it with DSCP bulk.
- DIt filters RFC 1918 IP addresses.
Explanation
Ingress filtering (defined in RFC 2827 / BCP 38) works by dropping packets at the network edge whose source IP addresses are not reachable through the interface they arrived on. Because DDoS attacks frequently rely on spoofed source addresses to obscure the attacker's identity and amplify reflection attacks, ingress filtering removes that capability, protecting the network infrastructure. Option A incorrectly combines ingress filtering with DSCP remarking, which are unrelated functions. Option C describes a QoS action (DSCP marking of bogon traffic), not what ingress filtering does. Option D describes filtering RFC 1918 private addresses, which is a related but distinct practice; ingress filtering is a source-address reachability check, not solely a private-address block.
Community Discussion
No community discussion yet for this question.