CS0-003 Question #140: Real Exam Question with Answer & Explanation
The correct answer is C: 192.168.12.21 made a TCP connection to 209.132.177.50. The security analyst observed a standard TCP three-way handshake initiated by the internal host 192.168.12.21 to the external IP address 209.132.177.50, indicating an established connection.
Question
During routine monitoring, a security analyst identified the following enterprise network traffic:
Packet capture output:
Which of the following BEST describes what the security analyst observed?
Options
- A. 66.187.224.210 set up a DNS hijack with 192.168.12.21.
- B. 192.168.12.21 made a TCP connection to 66.187.224.210.
- C. 192.168.12.21 made a TCP connection to 209.132.177.50.
- D. 209.132.177.50 set up a TCP reset attack to 192.168.12.21.
Explanation
The security analyst observed a standard TCP three-way handshake initiated by the internal host 192.168.12.21 to the external IP address 209.132.177.50, indicating an established connection.
Common mistakes.
- A. DNS hijacking involves manipulating DNS resolution to redirect traffic, and the described addresses (66.187.224.210, 192.168.12.21) and action do not indicate a DNS hijack without specific DNS query/response packets.
- B. While 192.168.12.21 might make a TCP connection, the correct answer points to 209.132.177.50, implying the packet capture specifically showed activity with this IP.
- D. A TCP reset attack (RST flag) would involve 209.132.177.50 sending an RST packet to abruptly terminate a connection, which is not described as a connection being made.
Concept tested. TCP three-way handshake analysis
Reference. https://learn.microsoft.com/en-us/windows/win32/winsock/tcp-ip-and-the-tcp-ip-protocol-suite
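The handshake analysis the explanation relies on, as an added example that is not part of the original page: the script reads tcpdump-style lines and marks a connection established only when SYN, SYN-ACK and ACK line up by sequence number, and reports a reset otherwise. The capture lines are constructed (the question's own capture is not shown on this page), 198.51.100.7 is a documentation address, and `classify` is a name chosen here.

```python
import re

# Constructed lines in `tcpdump -nn -S` style (absolute sequence numbers).
# They are NOT the capture from the question, which this page does not show.
SAMPLE = """\
10:00:00.000100 IP 192.168.12.21.49152 > 209.132.177.50.80: Flags [S], seq 1000, win 64240, length 0
10:00:00.020300 IP 209.132.177.50.80 > 192.168.12.21.49152: Flags [S.], seq 5000, ack 1001, win 65160, length 0
10:00:00.020400 IP 192.168.12.21.49152 > 209.132.177.50.80: Flags [.], ack 5001, win 64240, length 0
10:00:01.000100 IP 192.168.12.21.49153 > 198.51.100.7.443: Flags [S], seq 7000, win 64240, length 0
10:00:01.030000 IP 198.51.100.7.443 > 192.168.12.21.49153: Flags [R.], seq 0, ack 7001, win 0, length 0
"""

LINE = re.compile(
    r"IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]+)\]"
    r"(?:, seq (?P<seq>\d+))?(?:, ack (?P<ack>\d+))?")

def classify(capture):
    """Map (client, server) endpoint pairs to the state the packets prove."""
    pending, state = {}, {}
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, dst, flags = m["src"], m["dst"], m["flags"]
        seq = int(m["seq"]) if m["seq"] else None
        ack = int(m["ack"]) if m["ack"] else None
        fwd, rev = (src, dst), (dst, src)
        if flags == "S":                          # 1. client SYN
            pending[fwd] = {"isn": seq, "server_isn": None}
            state[fwd] = "syn-only"
        elif flags == "S." and rev in pending:    # 2. server SYN-ACK
            if ack == pending[rev]["isn"] + 1:    # must acknowledge client ISN
                pending[rev]["server_isn"] = seq
                state[rev] = "syn-ack-seen"
        elif "R" in flags and rev in pending:     # server refused or reset
            state[rev] = "reset"
            del pending[rev]
        elif flags == "." and fwd in pending:     # 3. client ACK
            server_isn = pending[fwd]["server_isn"]
            if server_isn is not None and ack == server_isn + 1:
                state[fwd] = "established"
                del pending[fwd]
    return state

if __name__ == "__main__":
    for (client, server), verdict in classify(SAMPLE).items():
        print(f"{client} -> {server}: {verdict}")
```

The side that sends the first bare SYN is the initiator, which is how the direction in option C is read off a capture; an RST in reply to that SYN is a refused connection rather than an established one.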