CAS-001 Question #440: Real Exam Question with Answer & Explanation
The correct answer is C: Block traffic with a source IP not allocated to the ISP from exiting the ISP's network.
Question
Options
- A. Block traffic from the ISP's networks destined for blacklisted IPs.
- B. Prevent the ISP's customers from querying DNS servers other than those hosted by the ISP.
- C. Block traffic with a source IP not allocated to the ISP from exiting the ISP's network.
- D. Scan the ISP's customer networks using an up-to-date vulnerability scanner.
- E. Notify customers when services they run are involved in an attack.
Explanation
ISPs contribute to DDoS attacks primarily by allowing spoofed traffic to leave their networks and by hosting compromised customer systems.

C - Blocking traffic with a source IP not allocated to the ISP from exiting its network - implements egress filtering (BCP38/RFC2827). This prevents IP address spoofing, which is the foundation of most amplification DDoS attacks; if attackers cannot spoof source IPs, they cannot redirect attack traffic to victims.

E - Notifying customers when their services are involved in an attack - helps customers discover and remediate compromised devices (e.g., misconfigured NTP, DNS, or SSDP servers being used as reflectors), directly reducing the ISP's participation in ongoing attacks.

The other options are either too restrictive (B - forcing customers to use only ISP DNS), not directly relevant to outbound DDoS contribution (A - blocking traffic to blacklisted IPs is inbound filtering), or legally/logistically problematic (D - scanning customer networks without authorization).
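The source-address check behind option C, as an added example that is not part of the original page: a flow is forwarded upstream only if its source address lies inside a prefix allocated to the ISP, and drops are counted per customer port for follow-up. The prefixes are documentation ranges, and the flow records and `port` labels are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed data: documentation prefixes stand in for the ISP's allocations.
ISP_ALLOCATED = [ipaddress.ip_network(p)
                 for p in ("198.51.100.0/24", "2001:db8:100::/48")]

# Constructed flow records observed on the ISP's upstream-facing interface.
# "port" is a hypothetical label for the customer port the packet came from.
SAMPLE_FLOWS = [
    {"port": "cust-7", "src": "198.51.100.23", "dst": "192.0.2.53"},
    {"port": "cust-9", "src": "203.0.113.80", "dst": "192.0.2.53"},    # source outside allocation
    {"port": "cust-9", "src": "203.0.113.80", "dst": "192.0.2.123"},   # source outside allocation
    {"port": "cust-4", "src": "2001:db8:100:4::10", "dst": "2001:db8:ffff::1"},
    {"port": "cust-2", "src": "not-an-address", "dst": "192.0.2.53"},  # malformed record
]


def source_is_allocated(src, allocated=ISP_ALLOCATED):
    """True only if src parses and falls inside one of the ISP's own prefixes."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # fail closed: an unparseable source is never forwarded
    return any(addr.version == net.version and addr in net for net in allocated)


def egress_filter(flows, allocated=ISP_ALLOCATED):
    """Split flows into (forwarded, dropped) using the source-address check."""
    forwarded, dropped = [], []
    for flow in flows:
        ok = source_is_allocated(flow["src"], allocated)
        (forwarded if ok else dropped).append(flow)
    return forwarded, dropped


def drops_by_port(dropped):
    """Count dropped flows per customer port, so the ISP knows whom to contact."""
    return dict(Counter(flow["port"] for flow in dropped))


if __name__ == "__main__":
    fwd, drp = egress_filter(SAMPLE_FLOWS)
    print("forwarded:", [f["src"] for f in fwd])
    print("dropped per port:", drops_by_port(drp))
```

On real equipment the same rule is expressed as an interface ACL or a reverse-path check rather than in application code.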