400-007 · Question #67
You are a network designer and you must ensure that the network you design is secure. How do you plan to prevent infected devices on your network from sourcing random DDoS attacks using forged source
The correct answer is C. unicast RPF strict mode. Unicast RPF strict mode drops packets whose source address does not match the routing table entry for the ingress interface, effectively blocking spoofed-source DDoS traffic.
Question
You are a network designer and you must ensure that the network you design is secure. How do you plan to prevent infected devices on your network from sourcing random DDoS attacks using forged source address?
Options
- AACL based forwarding
- Bunicast RPF loose mode
- Cunicast RPF strict mode
- DACL filtering by destination
How the community answered
(14 responses)- A7% (1)
- B14% (2)
- C79% (11)
Why each option
Unicast RPF strict mode drops packets whose source address does not match the routing table entry for the ingress interface, effectively blocking spoofed-source DDoS traffic.
ACL-based forwarding (policy-based routing using ACLs) is used to steer traffic based on match criteria for forwarding decisions, not to validate source address authenticity.
Unicast RPF loose mode only verifies that the source address exists anywhere in the routing table regardless of which interface the packet arrived on, so it does not block spoofed addresses that correspond to legitimate prefixes.
Unicast RPF strict mode checks that the source IP address of each arriving packet is reachable via the same interface on which the packet arrived, using the Forwarding Information Base (FIB). A forged or randomly generated source address is unlikely to match the correct ingress interface, so the packet is dropped at the network edge before it can participate in a DDoS attack.
ACL filtering by destination address restricts traffic based on where packets are going, not where they claim to be coming from, and provides no protection against forged source addresses.
Concept tested: Unicast RPF strict mode anti-spoofing enforcement
Source: https://www.cisco.com/c/en/us/about/security-center/unicast-reverse-path-forwarding.html
Topics
Community Discussion
No community discussion yet for this question.