70-293 Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure Practice Test

Demo Question 3.

You work as the network security administrator at EliteCertify.com. The EliteCertify.com network consists of a single Active Directory domain named EliteCertify.com. All servers on the EliteCertify.com network run Windows Server 2003 and all client computers run Windows XP Professional. The perimeter network hosts an application server that is used by external users. One morning you examine the intrusion-detection system (IDS) on the router. You notice that an extensive number of TCP SYN packets are being transmitted to the application server on the perimeter network. You notice that the application server is responding to the SYN packets with SYN-ACK packets to a number of different IP addresses. No ACK responses are being received. You work out that all incoming SYN packets seem to be coming from IP addresses located within the subnet address range of the perimeter network. However, there are no computers on the perimeter network that have these specific IP addresses configured. You examine the router logs and determine that the SYN packets are coming from the Internet. You must implement a solution that will prevent the attack from reoccurring until such time that a patch is made available from the specific application vendor. Your solution should not affect acceptable traffic to the application server. You cannot add additional hardware or software when you implement your solution. How will you accomplish the task?

A. Move the application server on the perimeter network to the company intranet. Configure the firewall to allow inbound and outbound traffic on the specific ports and protocols utilized by the application.
B. Create network ingress filters on the router and configure it to drop packets that have local addresses but that appear to come from the public network.
C. Configure access control lists (ACLs) and packet filters on the router to allow perimeter network access to only authorized users and to drop other packets coming from the Internet.
D. Configure a response rule on the IDS to send a remote shutdown command to the application server when a denial-of-service attack occurs.


Display Answer

Answer: B

Explanation: In an ideal world, each router would be configured with ingress filters that would drop packets arriving from "internal" networks whose source address was not a member of the set of network addresses that this router serves. The majority of routers could be so configured. These ingress filters should be required as part of a "good neighbor policy." Ingress filters would not totally eliminate denial of service attacks but could greatly reduce such attacks. An attacker could still spoof an address within a local subnet, but that would permit back-tracking the packets to the source subnet. Incorrect