ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
Your edge router connects the corporate LAN to two upstream ISPs. During a recent incident, tens of thousands of inbound UDP datagrams arrived with randomly forged source IP addresses, saturating an internal service. Management wants a router-level control that automatically drops any packet whose source address could not legitimately be routed back through the interface on which it arrived. Which configuration best meets this requirement?
Deploy a passive network intrusion detection sensor on the router's span port to monitor inbound traffic for malicious signatures.
Require IEEE 802.1X authentication on all internal switch access ports before granting network connectivity.
Increase the maximum transmission unit (MTU) on the WAN interfaces to prevent fragmentation-based attacks.
Enable strict unicast reverse path forwarding (uRPF) on each ISP-facing router interface to perform BCP 38 ingress filtering.
Address-spoofing floods rely on using forged source IP fields. Enabling strict unicast reverse path forwarding (uRPF) - also called BCP 38 ingress filtering - causes the router to verify that the source address of every incoming packet is reachable through the same interface on which the packet was received. Packets that fail this check are discarded, stopping most spoofed-source traffic at the point of entry.
802.1X on access switches controls user authentication but does not validate IP source addresses on a routed interface. Deploying a passive IDS or enabling logging increases visibility but does not automatically block traffic. Changing the router's MTU has no effect on address spoofing. Therefore, enabling strict uRPF/BCP 38 ingress filtering is the most effective countermeasure against the described spoofing attack.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is Unicast Reverse Path Forwarding (uRPF)?
Open an interactive chat with Bash
What is BCP 38 ingress filtering?
Open an interactive chat with Bash
How does strict uRPF differ from loose uRPF?
Open an interactive chat with Bash
ISC2 Systems Security Certified Practitioner (SSCP)
Network and Communication Security
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .