A security analyst is reviewing the following packet capture of an attack directed at a company's server located in the DMZ:

Which of the following ACLs provides the BEST protection against the above attack and any further attacks from the same IP, while minimizing service interruption?

A. Deny TCP from ANY to 172.31.64.4

B. Deny UDP from 192.168.1.0/24 to 172.31.67.0/24

C. Deny IP from 192.168.1.10/32 to 0.0.0.0/0

D. Deny TCP from 192.168.1.10 to 172.31.67.4





thompson69

It could be B or D; there is not enough information.

Dugan Nash

I think the clue that points to TCP is “Flags[S]” It looks like the attacker is sending SYN packets to the server and finds out what ports are open when/if they respond with a SYN/ACK.

Black

For me the best answer is C, because the question says "any further attacks from the same IP".
If you don't use the ACL in C, the attacker can start trying other IP addresses on the network.
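The two points raised above (spotting the scan from bare SYN flags, and judging which rule stops everything from that source with the least collateral damage) can be checked mechanically. The following is an added example, not code from the original page or the exam: it parses tcpdump-style lines, flags any source sending bare SYNs to several ports, and scores the four answer options by how many of the scanner's packets each one drops versus how many packets from other hosts it would also drop. The capture below is constructed for illustration (the question's own capture is not reproduced here); the addresses 192.168.1.10 and 172.31.67.4 are taken from the answer options, everything else (ports, timestamps, the extra hosts) is assumed.

```python
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample capture (tcpdump -n style). Not the capture from the question.
SAMPLE_CAPTURE = """\
10:01:01.100 IP 192.168.1.10.40000 > 172.31.67.4.22: Flags [S], seq 1, win 1024, length 0
10:01:01.101 IP 192.168.1.10.40001 > 172.31.67.4.80: Flags [S], seq 1, win 1024, length 0
10:01:01.102 IP 192.168.1.10.40002 > 172.31.67.4.443: Flags [S], seq 1, win 1024, length 0
10:01:01.103 IP 192.168.1.10.40003 > 172.31.67.4.5000: Flags [S], seq 1, win 1024, length 0
10:01:01.104 IP 172.31.67.4.5000 > 192.168.1.10.40003: Flags [S.], seq 7, ack 2, win 65535, length 0
10:01:02.000 IP 192.168.1.25.51000 > 172.31.67.4.443: Flags [S], seq 9, win 65535, length 0
10:01:02.001 IP 192.168.1.25.51000 > 172.31.67.4.443: Flags [.], ack 1, win 65535, length 0
10:01:02.500 IP 192.168.1.30.5353 > 172.31.67.4.53: UDP, length 45
10:01:03.000 IP 192.168.1.10.40004 > 172.31.67.5.22: Flags [S], seq 1, win 1024, length 0
10:01:03.001 IP 192.168.1.10.40005 > 172.31.67.4.161: UDP, length 40
"""

LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$")
FLAGS_RE = re.compile(r"Flags \[([^\]]*)\]")


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp" or "udp"
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int
    flags: str                       # tcpdump flag letters, "" for UDP


def parse_capture(text):
    """Turn tcpdump-style lines into Packet objects; lines that don't parse are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        flags_m = FLAGS_RE.search(m["rest"])
        if flags_m:
            proto, flags = "tcp", flags_m.group(1)
        elif m["rest"].startswith("UDP"):
            proto, flags = "udp", ""
        else:
            continue                 # ICMP and others are not modelled here
        packets.append(Packet(proto, ipaddress.ip_address(m["src"]), int(m["sport"]),
                              ipaddress.ip_address(m["dst"]), int(m["dport"]), flags))
    return packets


def find_syn_scanners(packets, min_ports=3):
    """Sources sending bare SYNs (Flags [S], no ACK) to at least min_ports distinct ports."""
    ports_by_src = defaultdict(set)
    for p in packets:
        if p.proto == "tcp" and p.flags == "S":
            ports_by_src[p.src].add(p.dport)
    return {str(s): sorted(ports) for s, ports in ports_by_src.items() if len(ports) >= min_ports}


@dataclass(frozen=True)
class DenyRule:
    proto: str                       # "ip" matches any transport, else "tcp"/"udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, p):
        return self.proto in ("ip", p.proto) and p.src in self.src and p.dst in self.dst


def deny(proto, src, dst):
    return DenyRule(proto, ipaddress.ip_network(src), ipaddress.ip_network(dst))


# The four answer options from the question, written as deny rules.
OPTIONS = {
    "A": deny("tcp", "0.0.0.0/0", "172.31.64.4/32"),
    "B": deny("udp", "192.168.1.0/24", "172.31.67.0/24"),
    "C": deny("ip", "192.168.1.10/32", "0.0.0.0/0"),
    "D": deny("tcp", "192.168.1.10/32", "172.31.67.4/32"),
}


def score_options(packets, attacker, options=OPTIONS):
    """Per option: how many of the attacker's packets it drops, and how many from other hosts."""
    attacker = ipaddress.ip_address(attacker)
    total = sum(1 for p in packets if p.src == attacker)
    scores = {}
    for name, rule in options.items():
        hits = [p for p in packets if rule.matches(p)]
        scores[name] = {"attacker_dropped": sum(1 for p in hits if p.src == attacker),
                        "attacker_total": total,
                        "collateral": sum(1 for p in hits if p.src != attacker)}
    return scores


if __name__ == "__main__":
    pkts = parse_capture(SAMPLE_CAPTURE)
    scanners = find_syn_scanners(pkts)
    print("SYN scanners:", scanners)
    for src in scanners:
        for name, s in score_options(pkts, src).items():
            print(name, s)
```

On the constructed sample the scanner is 192.168.1.10 (bare SYNs to ports 22, 80, 443 and 5000); option D drops its four TCP probes against 172.31.67.4 but misses the later probe of a second DMZ host and the UDP packet, option B drops one attacker packet and one legitimate DNS query, option A matches nothing, and option C drops all six attacker packets with no collateral. Extend the sample with other traffic to see how the collateral column moves.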

Yam

Agree with you, Black. I would go with C.

Alisa

Port 5000 is TCP

WJ

“Any further attack”

I would say C is the correct answer.

Clindamycin

Of course it's C, guys. They don't want headaches; that's why you have to block the IP to any IP on your network.