ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
An online retailer hosts its e-commerce site in its on-premises data center behind a 1 Gbps Internet circuit and a stateful firewall that can forward up to 500 Mbps. Over the past week, attackers have launched UDP reflection floods that completely saturate the circuit, making the site unreachable. Management requests a mitigation that preserves availability while requiring no significant changes to internal network equipment. Which approach best satisfies these requirements?
Increase the SYN backlog queue on each web server to handle more half-open TCP connections.
Enable port-security on core switches to limit the number of source MAC addresses allowed on each port.
Route inbound traffic through a cloud-based DDoS scrubbing service or CDN that filters attacks at distributed edge nodes before forwarding clean traffic to the data center.
Replace the existing firewall with a 10 Gbps model and configure it to drop all inbound UDP packets.
A cloud-based DDoS scrubbing or content-delivery service advertises the site's IP space with Anycast and absorbs large-scale volumetric attacks in geographically distributed edge locations. Only clean, rate-limited traffic is forwarded over the organization's 1 Gbps link, so the circuit and existing 500 Mbps firewall are not overrun, and no internal hardware upgrades are needed. Increasing the server's SYN backlog addresses only TCP SYN floods and does nothing for the link-saturating UDP traffic. Port-security on LAN switches mitigates local MAC flooding, not Internet-borne DDoS. Replacing the firewall with a higher-capacity model or blocking all UDP may still leave the ISP link congested and constitutes a major infrastructure change.
Network and Communication Security