PrepAway - Latest Free Exam Questions & Answers


Which two features do Cisco routers offer to mitigate distributed denial-of-service (DDoS) attacks? (Choose two.)


A. Anti-DDoS guard

B. Scatter tracing

C. Access control lists (ACLs)

D. Flow control

E. Rate limiting

Explanation:
Cisco routers use access control lists (ACLs) and blackholing features to help mitigate distributed denial-of-service (DDoS) attacks. A DoS attack is an attack in which legitimate users are denied access to networks, systems, or resources. One of the most common DoS attacks is the DDoS attack, which is executed by using multiple hosts to flood the network or send requests to a resource. The difference between DoS and DDoS is that in a DoS attack, an attacker uses a single host to send multiple requests, whereas in DDoS attacks, multiple hosts are used to perform the same task.

Cisco routers offer the following features to mitigate DDoS attacks:
- ACLs: Filter unwanted traffic, such as traffic that spoofs company addresses or is aimed at Windows control ports. However, an ACL is not effective when network address translation (NAT) is implemented in the network.
- Rate limiting: Minimizes and controls the rate of bandwidth used by incoming traffic.
- Traffic-flow reporting: Creates a baseline for the network that is compared with the network traffic flow, helping you detect any intrusive network or host activity.

Apart from these features offered by Cisco routers, the following methods can also be used to mitigate DDoS attacks:
- Using a firewall, you can block or permit traffic entering a network.
- The systems vulnerable to attacks can be shifted to another location or a more secure LAN.
- Intrusion Detection Systems (IDS), such as Network Intrusion Detection Systems (NIDS) and Host Intrusion Detection Systems (HIDS), can be implemented to detect intrusive network or host activity such as a DoS attack, and raise alerts when any such activity is detected.

Anti-DDoS guard and scatter tracing are incorrect because these features are not offered by Cisco routers to mitigate DDoS attacks.

Flow control is incorrect because flow control is used to prevent the loss of traffic between two devices.

Objective: Infrastructure Security
Sub-Objective: Configure, verify, and troubleshoot basic device hardening

Cisco > Support > Technology Support > Security and VPN > Authentication Protocols > Technology
Information > Technology White Paper > Strategies to Protect Against Distributed Denial of Service (DDoS)
Attacks > Document ID: 13634

