nerdexam
Cisco

400-007 · Question #67

You are a network designer and you must ensure that the network you design is secure. How do you plan to prevent infected devices on your network from sourcing random DDoS attacks using forged source

The correct answer is C. unicast RPF strict mode. Unicast RPF strict mode drops packets whose source address does not match the routing table entry for the ingress interface, effectively blocking spoofed-source DDoS traffic.

Designing Security

Question

You are a network designer and you must ensure that the network you design is secure. How do you plan to prevent infected devices on your network from sourcing random DDoS attacks using forged source address?

Options

  • AACL based forwarding
  • Bunicast RPF loose mode
  • Cunicast RPF strict mode
  • DACL filtering by destination

How the community answered

(14 responses)
  • A
    7% (1)
  • B
    14% (2)
  • C
    79% (11)

Why each option

Unicast RPF strict mode drops packets whose source address does not match the routing table entry for the ingress interface, effectively blocking spoofed-source DDoS traffic.

AACL based forwarding

ACL-based forwarding (policy-based routing using ACLs) is used to steer traffic based on match criteria for forwarding decisions, not to validate source address authenticity.

Bunicast RPF loose mode

Unicast RPF loose mode only verifies that the source address exists anywhere in the routing table regardless of which interface the packet arrived on, so it does not block spoofed addresses that correspond to legitimate prefixes.

Cunicast RPF strict modeCorrect

Unicast RPF strict mode checks that the source IP address of each arriving packet is reachable via the same interface on which the packet arrived, using the Forwarding Information Base (FIB). A forged or randomly generated source address is unlikely to match the correct ingress interface, so the packet is dropped at the network edge before it can participate in a DDoS attack.

DACL filtering by destination

ACL filtering by destination address restricts traffic based on where packets are going, not where they claim to be coming from, and provides no protection against forged source addresses.

Concept tested: Unicast RPF strict mode anti-spoofing enforcement

Source: https://www.cisco.com/c/en/us/about/security-center/unicast-reverse-path-forwarding.html

Topics

#uRPF strict mode#IP spoofing#DDoS mitigation#source address validation

Community Discussion

No community discussion yet for this question.

Full 400-007 Practice