During a post-incident review you learn attackers tunneled shellcode through the perimeter by sending overlapping IP fragments with an artificially low TTL, causing the stateful firewall and a signature-based NIDS to reconstruct different byte streams. Management wants a network-level control that blocks both fragmentation and TTL-manipulation evasions with minimal disruption. Which measure should you recommend?
Apply strict egress filtering so only outbound TCP ports 80 and 443 are permitted.
Deploy an inline IPS that performs IP defragmentation and header normalization before forwarding traffic to the firewall.
Enable TCP intercept or SYN cookie protection to drop half-open connections at the firewall.
Lower the router's maximum segment size (MSS) to force external hosts to avoid large packets.
Overlapping fragments and artificially low TTL values are classic IDS and firewall evasion tricks. An inline IPS that normalizes traffic (reassembling IP fragments, rebuilding TCP streams, and adjusting header fields) removes the ambiguity, so the payload that is inspected exactly matches what the destination host receives. Lowering MSS only affects TCP segmentation and can break legitimate traffic; TCP intercept and SYN cookies target SYN floods; and outbound-only egress filtering does nothing for inbound evasive fragments. Therefore, traffic normalization by an inline IPS is the most appropriate countermeasure.
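As an added illustration (not part of the original question or explanation), the Python below models the ambiguity the explanation describes: the same overlapping fragments reassemble to different byte streams under two different overlap policies, and a simplified inline normalizer removes that ambiguity before any signature engine sees the payload. The Fragment type, the policy names, the min_ttl hop-count assumption and the sample fragments are all constructed for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    offset: int    # byte offset of this fragment within the original datagram
    data: bytes
    ttl: int       # hop limit the fragment arrived with


def reassemble(fragments, policy: str = "first") -> bytes:
    """Reassemble under one of two simplified overlap policies: 'first' keeps the
    earliest fragment's bytes, 'last' lets later fragments overwrite them."""
    buf = {}
    for frag in fragments:
        for i, byte in enumerate(frag.data):
            pos = frag.offset + i
            if policy == "last" or pos not in buf:
                buf[pos] = byte
    length = max(buf, default=-1) + 1
    if any(p not in buf for p in range(length)):
        raise ValueError("incomplete datagram: missing fragment")
    return bytes(buf[p] for p in range(length))


def find_overlap_conflicts(fragments) -> list:
    """Offsets where two fragments supply different bytes: the ambiguity a
    normalizer has to resolve before the payload is inspected."""
    seen, conflicts = {}, set()
    for frag in fragments:
        for i, byte in enumerate(frag.data):
            pos = frag.offset + i
            if pos in seen and seen[pos] != byte:
                conflicts.add(pos)
            seen.setdefault(pos, byte)
    return sorted(conflicts)


def normalize(fragments, min_ttl: int):
    """Simplified inline normalizer: discard fragments whose TTL cannot reach the
    protected host (min_ttl = assumed hop count), drop the datagram if what is
    left still overlaps with conflicting data, else forward one unambiguous copy."""
    reachable = [f for f in fragments if f.ttl >= min_ttl]
    if find_overlap_conflicts(reachable):
        return None   # ambiguous: drop rather than guess which bytes the host keeps
    return reassemble(reachable, "first")


# Constructed sample: a benign request plus a low-TTL overlapping fragment.
EVASIVE_FRAGMENTS = [
    Fragment(0, b"GET /ind", ttl=64),
    Fragment(5, b"xxx", ttl=2),      # overlaps bytes 5-7; expires before the host
    Fragment(8, b"ex.html", ttl=64),
]
```

With min_ttl set to the hop count of the protected host, the short-lived overlapping fragment is dropped and a single consistent datagram is forwarded; with a lower assumed hop count the conflicting overlap remains and the datagram is dropped instead.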
Certified Ethical Hacker (CEH)
Network and Perimeter Hacking