During an incident-response call, your client's upstream provider reports that its network is being abused to launch a 40-Gbps DNS amplification attack against multiple victims. The malicious traffic carries forged source addresses that are not part of the provider's IP space. As an ethical hacker, which countermeasure should you recommend the ISP implement first to halt the spoofed traffic from leaving its network?
Implement BCP38/BCP84 ingress source-address filtering on customer-facing edge routers to block packets with spoofed IP sources.
Enable SYN cookies on all public-facing web servers.
Disable Path MTU Discovery on perimeter firewalls to reduce fragmentation.
Raise the maximum UDP payload size for DNS responses to 4096 bytes.
DNS amplification depends on sending DNS queries with spoofed source IP addresses so that large responses are reflected at the unsuspecting victim. The most immediate way for an Internet service provider to stop such abuse is to enable source-address validation (also known as ingress filtering) on all customer-facing edge routers in line with BCP38/BCP84. This drops any packet whose source address is not routable within the ISP's allocated prefixes, preventing spoofed traffic from exiting the network. Techniques like enabling SYN cookies mitigate TCP SYN floods, not reflection-based DNS floods. Increasing allowable UDP payload sizes actually increases amplification potential, while disabling Path MTU Discovery is unrelated to spoofed-source blocking.
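The check an edge router applies under BCP38 can be modeled in a few lines. This is an added example, not part of the original question; the interface names, prefixes (documentation ranges) and packets are constructed, and per-interface prefix lists are an assumption about how the ISP provisions its customers.

```python
import ipaddress
from collections import Counter

# Constructed data: prefixes delegated to each customer-facing interface.
CUSTOMER_PREFIXES = {
    "ge-0/0/1": ["198.51.100.0/24"],
    "ge-0/0/2": ["203.0.113.0/25", "2001:db8:a::/48"],
}

def build_filter(table):
    """Parse the prefix table once so lookups are cheap."""
    return {ifname: [ipaddress.ip_network(p) for p in prefixes]
            for ifname, prefixes in table.items()}

def permit(acl, ifname, src):
    """True only if src belongs to a prefix assigned to the ingress interface."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False                      # malformed source: drop
    nets = acl.get(ifname, [])            # unknown interface: fail closed
    return any(addr.version == n.version and addr in n for n in nets)

def apply_ingress_filter(acl, packets):
    """Return (forwarded packets, drop count per interface)."""
    forwarded, drops = [], Counter()
    for pkt in packets:
        ifname, src, _dst = pkt
        if permit(acl, ifname, src):
            forwarded.append(pkt)
        else:
            drops[ifname] += 1            # counter shows which port emits spoofed traffic
    return forwarded, drops

# Constructed packets: (ingress interface, source IP, destination resolver)
SAMPLE_PACKETS = [
    ("ge-0/0/1", "198.51.100.10", "192.0.2.53"),    # customer's own address
    ("ge-0/0/1", "192.0.2.55", "192.0.2.53"),       # forged source outside the prefix
    ("ge-0/0/1", "192.0.2.55", "192.0.2.54"),       # same forged source again
    ("ge-0/0/2", "203.0.113.20", "192.0.2.53"),     # inside the /25
    ("ge-0/0/2", "203.0.113.200", "192.0.2.53"),    # same /24, outside the /25
    ("ge-0/0/2", "2001:db8:a:1::5", "2001:db8::53"),
    ("ge-0/0/2", "198.51.100.10", "192.0.2.53"),    # valid elsewhere, wrong port
]

if __name__ == "__main__":
    fwd, drops = apply_ingress_filter(build_filter(CUSTOMER_PREFIXES), SAMPLE_PACKETS)
    print(len(fwd), "forwarded; drops per interface:", dict(drops))
```

The per-interface drop counter doubles as a detection signal: a customer port with a sustained non-zero count is the one originating spoofed queries.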
Certified Ethical Hacker (CEH)
Network and Perimeter Hacking