2013 Latest Cisco 350-001 Exam Section 4: Spoofing (3 Questions)


QUESTION NO: 1
The Testking Network is displayed in the diagram below:

You want to block all IP spoofing attacks that originate on the 192.168.1.0 network using a spoofed address outside the 192.168.1.0 range from being sent into the
192.168.2.0 network. However, all other traffic must be permitted. No access lists currently exist on the router. Which of the following configurations would accomplish this task when applied to E1 on TK1 as an input filter?
A. access-list 1 permit 192.168.1.0 0.0.0.255
B. access-list 100 permit ip any 192.168.2.0 0.0.0.255
C. access-list 1 deny 192.168.2.0 0.0.0.255 access-list 1 permit any
D. access-list 1 deny 192.168.2.0 0.0.0.255 access-list 1 deny 192.168.1.0 0.0.0.255 access-list 1 permit any
E. access-list 100 deny ip 192.168.2.0 0.0.0.255 any access-list 100 permit ip any any
Answer: A
Explanation:
The access list in choice A will prevent all incoming traffic sourced from the 192.168.2.0/24 network on interface Ethernet 1 of router TK1 due to the implicit deny all. In the diagram above, hosts on the 192.168.2.0 network should only be used as a destination for traffic coming from this interface. Only traffic sourced from 192.168.1.0/24 should be seen in the input direction of this interface on TK1. If any traffic does not match the access list in choice A, it could only be the result of a spoofed IP address and should be dropped.
Incorrect Answers:
B. This will allow all traffic (from any source) to reach the 192.168.2.0 network. This will not prevent spoofed IP addresses from the network on E1 from going through.
C. This would prevent spoofed packets that were spoofed only from the 192.168.2.0/24 network. This will not prevent all spoofed addresses outside of the 192.168.1.0 network, as required.
D. This will prevent the two networks from communicating at all.
E. This choice could also be used to prevent the spoofed traffic as required, but it will only prevent spoofed traffic that is IP based. Therefore, the access list in choice C is a better fit for this situation.

QUESTION NO: 2
The Testking network is displayed in the exhibit below:

You want to block all Smurf attacks that originate on the 192.168.2.0 network from being sent into the 192.168.1.0 network. However, all other traffic must be permitted. No access lists currently exist on the router. Which of the following configuration excerpts would accomplish this task when applied to E0 on TK1 as an input filter?
A. access-list 1 permit 192.168.2.0 0.0.0.255 access-list 1 deny any
B. access-list 1 deny 192.168.1.0 0.0.0.255 access-list 1 permit any
C. access-list 100 permit ip any 192.168.1.0 0.0.0.255 access-list 100 deny ip any any
D. access-list 100 deny icmp any 192.168.1.255 0.0.0.0 echo access-list 100 permit icmp any 192.168.1.0 0.0.0.255 echo access-list 100 permit ip any any
E. access-list 100 deny icmp any 192.168.1.255 0.0.0.0 echo-reply access-list 100 permit icmp any any echo-reply access-list 100 permit ip any any
Answer: D

Explanation:
Anatomy of a SMURF Attack

A SMURF attack (named after the program used to perform the attack) is a method by which an attacker can send a moderate amount of traffic and cause a virtual explosion of traffic at the intended target. The method used is as follows:
1. The attacker sends ICMP Echo Request packets where the source IP address has been forged to be that of the target of the attack.
2. The attacker sends these ICMP datagrams to the broadcast addresses of remote LANs, using so-called directed broadcast addresses. These datagrams are thus broadcast out on the LANs by the connected router.
3. All the hosts which are "alive" on the LAN each pick up a copy of the ICMP Echo Request datagram (as they should), and send an ICMP Echo Reply datagram back to what they think is the source. If many hosts are "alive" on the LAN, the amplification factor can be considerable (100+ is not uncommon).
4. The attacker can use largish packets (typically up to the Ethernet maximum) to increase the "effectiveness" of the attack, and the faster the network connection the attacker has, the more damage he can inflict on the target and the target's network.
Not only can the attacker cause problems for the target host, the influx of traffic can in fact be so great as to have a seriously negative effect on the upstream network(s) from the target. In fact, those institutions being abused as amplifier networks can also be similarly affected, in that their network connection can be swamped by the Echo Reply packets destined for the target. In this example, answer choice D is correct as it prevents all ICMP echo messages destined to the broadcast IP address. Note: The Cisco IOS interface command "no ip directed-broadcast" is also an effective way to prevent smurf and fraggle attacks on the network.
Incorrect Answers:
A. This will permit all traffic sourced from the 192.168.2.0/24 network, including the smurf attack packets.
B. This choice will deny all traffic sourced from the 192.168.1.0 network incoming on the E0 interface. Although this is probably a good choice, as it will effectively prevent all spoofed IP traffic (as the 192.168.1.0/24 network should never be a source IP address in the incoming direction of this interface), we wish to only prevent the smurfed traffic, so E is a better choice.
C. This choice will only permit traffic that is destined to the 192.168.1.0 network. If additional networks exist behind the 192.168.1.0 network, such as traffic to the Internet, it will not be allowed through the TK1 router.
E. It would be preferable to stop the attack before the replies are sent, rather than simply filtering the replies.
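As an added illustration (not part of the exam page), the following Python snippet evaluates the access list from answer choice D against a few constructed packets, using Cisco wildcard-mask semantics and the implicit deny at the end of every IOS ACL. The packet dictionaries and their sample addresses are constructed for this example.

```python
import ipaddress

# Answer choice D of question 2, as (action, protocol, src, src_wildcard,
# dst, dst_wildcard, icmp_type). "any" is 0.0.0.0 with wildcard 255.255.255.255.
ACL_100 = [
    ("deny",   "icmp", "0.0.0.0", "255.255.255.255", "192.168.1.255", "0.0.0.0", "echo"),
    ("permit", "icmp", "0.0.0.0", "255.255.255.255", "192.168.1.0", "0.0.0.255", "echo"),
    ("permit", "ip",   "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255", None),
]

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'ignore', a 0 bit must match exactly."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)

def evaluate(acl, packet):
    """First matching entry wins; no match means the implicit deny at the end."""
    for action, proto, src, src_wc, dst, dst_wc, icmp_type in acl:
        if proto != "ip" and proto != packet["proto"]:
            continue
        if not wildcard_match(packet["src"], src, src_wc):
            continue
        if not wildcard_match(packet["dst"], dst, dst_wc):
            continue
        if icmp_type is not None and packet.get("icmp_type") != icmp_type:
            continue
        return action
    return "deny"

# Constructed sample packets as they would arrive inbound on E0 of TK1.
# "smurf" carries a forged source (the intended victim) and a directed-broadcast destination.
SAMPLES = {
    "smurf": {"proto": "icmp", "src": "10.1.1.1", "dst": "192.168.1.255", "icmp_type": "echo"},
    "ping":  {"proto": "icmp", "src": "192.168.2.7", "dst": "192.168.1.20", "icmp_type": "echo"},
    "web":   {"proto": "tcp",  "src": "192.168.2.7", "dst": "192.168.1.20"},
}

def classify():
    """Map each sample packet name to the ACL decision."""
    return {name: evaluate(ACL_100, pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, decision in classify().items():
        print(f"{name}: {decision}")
```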

QUESTION NO: 3
The TestKing network is connected to the Internet as shown in the diagram below:

TestKing1 is currently configured and passing traffic. You want to block all IP spoofing attacks that originate in the Internet from being sent into the 192.168.1.0 network. However, normal traffic must be permitted. No access lists currently exist on the router. What configuration excerpt would accomplish this task when applied to TestKing1?
A. access-list 100 permit ip any 192.168.1.0 0.0.0.255 access-list 100 deny any any
interface Ethernet 0
access-group 100 in

B. ip cef
interface Ethernet 0
ip verify unicast reverse-path

C. ip cef
interface Ethernet 1
ip verify unicast reverse-path

D. access-list 100 permit icmp 192.168.1.0 0.0.0.255 any echo access-list 100 deny ip any any
interface Ethernet 1
access-group 100 out

E. access-list 100 permit icmp 192.168.1.0 0.0.0.255 any echo access-list 100 deny ip any any
interface Ethernet 0
access-group 100 in

Answer: B
Explanation:
Use the ip verify unicast reverse-path interface command to mitigate problems caused by malformed or forged (spoofed) IP source addresses that pass through a router. Malformed or forged source addresses can indicate denial-of-service (DoS) attacks based on source IP address spoofing. When Unicast RPF is enabled on an interface, the router examines all packets received on that interface. The router checks to make sure that the source address appears in the routing table and matches the interface on which the packet was received. This “look backwards” ability is available only when Cisco Express Forwarding (CEF) is enabled on the router because the lookup relies on the presence of the Forwarding Information Base (FIB). CEF generates the FIB as part of its operation. Unicast RPF is an input function and is applied only on the input interface of a router at the upstream end of a connection.
Reference:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_reference_chapter09186a00800c
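To make the "look backwards" check concrete, here is an added Python model of the Unicast RPF decision (example code, not Cisco's implementation). It assumes, from answer choice B, that Ethernet 0 faces the Internet and Ethernet 1 faces the 192.168.1.0/24 LAN, and uses a constructed two-entry FIB; it also generalises slightly beyond the page by modelling both the strict check described above and a loose variant that only requires some route to the source to exist. Whether a default route may satisfy the check is left as a parameter.

```python
import ipaddress

# Constructed FIB for a router like TestKing1 (interface roles assumed from choice B).
FIB = [
    (ipaddress.ip_network("192.168.1.0/24"), "Ethernet1"),
    (ipaddress.ip_network("0.0.0.0/0"), "Ethernet0"),  # default route toward the Internet
]

def fib_lookup(addr, allow_default=False):
    """Longest-prefix match for addr; returns the next-hop interface or None.
    The default route only counts when allow_default is True."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, iface in FIB:
        if net.prefixlen == 0 and not allow_default:
            continue
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def urpf_strict(src, in_iface, allow_default=False):
    """Strict uRPF: forward only if the reverse path to src leaves via the
    interface the packet arrived on."""
    return fib_lookup(src, allow_default) == in_iface

def urpf_loose(src, allow_default=False):
    """Loose uRPF: forward if any route to src exists at all."""
    return fib_lookup(src, allow_default) is not None

if __name__ == "__main__":
    # A packet from the Internet claiming an inside source is dropped by strict uRPF,
    # because the FIB would send a reply to 192.168.1.50 out Ethernet1, not Ethernet0.
    print("spoofed inside source on Ethernet0:", urpf_strict("192.168.1.50", "Ethernet0", True))
    print("genuine inside source on Ethernet1:", urpf_strict("192.168.1.50", "Ethernet1"))
    print("Internet source, default route allowed:", urpf_strict("203.0.113.9", "Ethernet0", True))
```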