After your customer discovered that several of its Internet-facing NTP and memcached servers were abused to launch a 1 Tbps reflection/amplification DDoS against other victims, you are asked which single network-layer control would have most effectively prevented the organization from being used as a reflector. What should you recommend?
Apply strict egress filtering to discard any outbound packet that carries a source IP address not assigned to the organization (BCP 38).
Lower the MTU on all perimeter interfaces to 576 bytes to minimize the size of outgoing packets.
Block all inbound ICMP echo-request traffic at the perimeter to eliminate Smurf-style attacks.
Enable TCP SYN cookies on edge firewalls to defend against half-open connection floods.
Reflection and amplification attacks depend on the ability of an attacker to spoof the victim's IP address in small UDP requests sent to misconfigured public services such as NTP, DNS, or memcached. The compromised servers then send much larger replies to the spoofed address, flooding the victim. Enforcing BCP 38/ingress-egress filtering at the edge router (dropping any outbound packet whose source IP address does not belong to the organization's own prefixes) removes the attacker's ability to spoof other networks' addresses, so the servers can no longer serve as reflectors. Reducing MTU only limits packet size but not spoofing, SYN cookies mitigate SYN floods (a different DoS vector), and blocking inbound ICMP echoes defends against classic Smurf attacks but leaves UDP-based reflection channels untouched.
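The egress rule described in the explanation, written out as an added example that is not part of the original question: an outbound packet is forwarded only when its source address falls inside the organization's own prefixes. The prefixes, function names and flow records are assumptions constructed for illustration, using documentation address ranges.

```python
import ipaddress
from collections import Counter

# Assumption: documentation ranges stand in for the organization's assigned prefixes.
ORG_PREFIXES = [ipaddress.ip_network(p)
                for p in ("198.51.100.0/24", "2001:db8:10::/48")]


def egress_permitted(src, prefixes=ORG_PREFIXES):
    """BCP 38 egress rule: forward only packets whose source address is ours."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable source address: fail closed
    return any(addr.version == net.version and addr in net for net in prefixes)


def audit_egress(records, prefixes=ORG_PREFIXES):
    """Split outbound flow records into forwarded and dropped.

    Also counts drops per (protocol, destination port), which shows which
    services the spoofed traffic was aimed at.
    """
    forwarded, dropped, drops_by_port = [], [], Counter()
    for rec in records:
        if egress_permitted(rec["src"], prefixes):
            forwarded.append(rec)
        else:
            dropped.append(rec)
            drops_by_port[(rec["proto"], rec["dport"])] += 1
    return forwarded, dropped, drops_by_port


# Constructed sample of outbound flow records as seen at the edge router.
SAMPLE = [
    {"src": "198.51.100.20", "dst": "203.0.113.9", "proto": "udp", "dport": 123},
    {"src": "192.0.2.77", "dst": "203.0.113.50", "proto": "udp", "dport": 123},
    {"src": "192.0.2.77", "dst": "203.0.113.51", "proto": "udp", "dport": 11211},
    {"src": "2001:db8:10::5", "dst": "2001:db8:ffff::1", "proto": "udp", "dport": 53},
    {"src": "not-an-ip", "dst": "203.0.113.52", "proto": "udp", "dport": 11211},
]

if __name__ == "__main__":
    fwd, drop, by_port = audit_egress(SAMPLE)
    print(f"forwarded={len(fwd)} dropped={len(drop)}")
    for (proto, port), count in sorted(by_port.items()):
        print(f"dropped {count} packet(s) to {proto}/{port}")
```

The MTU, SYN-cookie and ICMP options from the question have no counterpart here because none of them inspects the source address of outbound packets.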
Certified Ethical Hacker (CEH)
Network and Perimeter Hacking