The Information Security Officer (ISO) believes that the company has been targeted by
cybercriminals and it is under a cyber attack. Internal services that are normally available to the
public via the Internet are inaccessible, and employees in the office are unable to browse the
Internet. The senior security engineer starts by reviewing the bandwidth at the border router, and
notices that the incoming bandwidth on the router’s external interface is maxed out. The security
engineer then inspects the following piece of log to try and determine the reason for the downtime,
focusing on the company’s external router’s IP which is 128.20.176.19:
11:16:22.110343 IP 90.237.31.27.19 > 128.20.176.19.19: UDP, length 1400
11:16:22.110351 IP 23.27.112.200.19 > 128.20.176.19.19: UDP, length 1400
11:16:22.110358 IP 192.200.132.213.19 > 128.20.176.19.19: UDP, length 1400
11:16:22.110402 IP 70.192.2.55.19 > 128.20.176.19.19: UDP, length 1400
11:16:22.110406 IP 112.201.7.39.19 > 128.20.176.19.19: UDP, length 1400
Which of the following describes the findings the senior security engineer should report to the ISO
and the BEST solution for service restoration?
A.
After the senior engineer used a network analyzer to identify an active Fraggle attack, the
company’s ISP should be contacted and instructed to block the malicious packets.
B.
After the senior engineer used the above IPS logs to detect the ongoing DDOS attack, an IPS
filter should be enabled to block the attack and restore communication.
C.
After the senior engineer used a mirror port to capture the ongoing amplification attack, a BGP
sinkhole should be configured to drop traffic at the source networks.
D.
After the senior engineer used a packet capture to identify an active Smurf attack, an ACL
should be placed on the company’s external router to block incoming UDP port 19 traffic.