nerdexam
GIAC

GCIH · Question #427

Which of the following makes it difficult to block the source of DNS amplification attacks?

The correct answer is B. UDP packets are easy to spoof. DNS amplification attacks exploit UDP because its connectionless nature makes it trivial to forge the source IP address, preventing accurate attribution and blocking of the true attacker.

Incident Response & Cyber Kill Chain

Question

Which of the following makes it difficult to block the source of DNS amplification attacks?

Options

  • ATCP packets are easy to spoof
  • BUDP packets are easy to spoof
  • CClients require external DNS communications
  • DClients require recursive DNS lookups

How the community answered

(44 responses)
  • A
    7% (3)
  • B
    80% (35)
  • C
    11% (5)
  • D
    2% (1)

Why each option

DNS amplification attacks exploit UDP because its connectionless nature makes it trivial to forge the source IP address, preventing accurate attribution and blocking of the true attacker.

ATCP packets are easy to spoof

TCP packets are significantly harder to spoof because the three-way handshake requires the real source to complete sequence number negotiation, making address forgery impractical.

BUDP packets are easy to spoofCorrect

DNS primarily operates over UDP port 53, and UDP has no connection handshake to verify the source address. An attacker can spoof the victim's IP as the source, causing large DNS responses to flood the victim, and defenders cannot reliably block the real origin because the source addresses in the packets are fabricated.

CClients require external DNS communications

Whether clients need external DNS access is a network policy concern, not the underlying technical reason that source blocking fails in amplification attacks.

DClients require recursive DNS lookups

Recursive DNS lookups describe how resolvers fetch answers on behalf of clients but do not explain why the attacker's true source IP cannot be identified or blocked.

Concept tested: UDP spoofing in DNS amplification DDoS attacks

Source: https://www.cisa.gov/news-events/alerts/2013/03/29/dns-amplification-attacks

Topics

#DNS amplification#UDP spoofing#DDoS#IP spoofing

Community Discussion

No community discussion yet for this question.

Full GCIH Practice