ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
While investigating suspicious activity, a security analyst reviews Amazon VPC Flow Logs for a fleet of Linux-based EC2 instances that host an internal API. The logs reveal that several instances establish outbound TCP sessions to a single public IP address on port 6667 and keep the connection open for hours, periodically receiving small inbound messages. No approved application uses this port. Based on this behavior, which conclusion is most likely correct?
The instances are performing normal clock synchronization with regional NTP servers.
The instances are conducting SQL injection attacks against external databases.
The instances are beaconing to an IRC-based botnet command-and-control channel.
The instances are participating in an NTP reflection distributed denial-of-service (DDoS) attack.
TCP port 6667 is the default port for Internet Relay Chat (IRC). Many botnets continue to rely on IRC channels for command-and-control (C2). A hallmark of such infections is that compromised hosts open a persistent outbound connection to the IRC server and receive small command messages over that link. NTP reflection activity would involve high-volume UDP traffic to port 123, not a steady TCP session on 6667. Legitimate time synchronization also uses UDP 123 and targets a small, static list of servers. SQL injection attacks travel over HTTP/HTTPS or database service ports such as 1433 or 3306, and do not require IRC. Therefore, the observed pattern most strongly indicates an IRC-based botnet C2 connection.
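The pattern described in the explanation can be checked directly against flow log records. The following is an added example, not part of the original question: it assumes the default (version 2) VPC Flow Log field order, and the one-hour threshold, function names, and sample addresses are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Field order of the default (version 2) VPC Flow Log record format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MIN_SPAN = 3600  # assumed threshold (seconds) for a session that stays "open for hours"

def internal(addr):
    return any(ipaddress.ip_address(addr) in net for net in RFC1918)

def find_irc_beacons(lines, port=6667, min_span=MIN_SPAN):
    """Return {external_ip: [internal hosts holding a long TCP session to it on `port`]}."""
    seen = defaultdict(list)  # (src, srcport, dst) -> [(start, end), ...]
    for line in lines:
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[-1] != "OK":
            continue  # skip NODATA/SKIPDATA and malformed records
        r = dict(zip(FIELDS, parts))
        if (r["protocol"] == "6" and r["action"] == "ACCEPT" and r["dstport"] == str(port)
                and internal(r["srcaddr"]) and not internal(r["dstaddr"])):
            seen[r["srcaddr"], r["srcport"], r["dstaddr"]].append((int(r["start"]), int(r["end"])))
    hits = defaultdict(set)
    for (src, _sport, dst), spans in seen.items():
        # One connection keeps its source port, so its aggregation windows share a key.
        if max(e for _, e in spans) - min(s for s, _ in spans) >= min_span:
            hits[dst].add(src)
    return {dst: sorted(srcs) for dst, srcs in hits.items()}

def rec(src, sport, dst, dport, proto, start):
    """Build one constructed flow record covering a 600-second aggregation window."""
    return (f"2 123456789012 eni-0example {src} {dst} {sport} {dport} {proto} "
            f"4 312 {start} {start + 600} ACCEPT OK")

T0 = 1700000000
SAMPLE = (  # constructed records, not taken from a real environment
    [rec("10.0.1.15", 48212, "203.0.113.50", 6667, 6, T0 + 600 * i) for i in range(12)]
    + [rec("203.0.113.50", 6667, "10.0.1.15", 48212, 6, T0 + 600 * i) for i in range(12)]
    + [rec("10.0.1.22", 51544, "203.0.113.50", 6667, 6, T0 + 600 * i) for i in range(8)]
    + [rec("10.0.1.30", 40000, "203.0.113.50", 6667, 6, T0)]            # short-lived, ignored
    + [rec("10.0.1.15", 123, "198.51.100.7", 123, 17, T0 + 600 * i) for i in range(12)]  # NTP
    + [rec("10.0.1.15", 55000, "198.51.100.9", 443, 6, T0 + 600 * i) for i in range(12)]
)

if __name__ == "__main__":
    for dst, hosts in find_irc_beacons(SAMPLE).items():
        print(f"possible IRC C2 at {dst}:6667 from {hosts}")
```

Several internal hosts reported against the same external address is the fleet-wide signal the question describes; the UDP 123 and TCP 443 flows in the sample are ignored because they do not match the port and protocol.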
ISC2 Systems Security Certified Practitioner (SSCP)
Systems and Application Security