Cisco CCNA mock exam questions sample test – Question 304

Which two features do Cisco routers offer to mitigate distributed denial-of-service (DDoS) attacks? (Choose two.)

A. Anti-DDoS guard
B. Scatter tracing
C. Access control lists (ACLs)
D. Flow control
E. Rate limiting

Correct Answer: CE

Explanation:
Cisco routers use access control lists (ACLs) and blackholing features to help mitigate distributed denial-of-service (DDoS) attacks. A DoS attack is an attack in which legitimate users are denied access to networks, systems, or resources. One of the most common DoS attacks is the DDoS attack, which is executed by using multiple hosts to flood the network or send requests to a resource. The difference between DoS and DDoS is that in a DoS attack, an attacker uses a single host to send multiple requests, whereas in DDoS attacks, multiple hosts are used to perform the same task.
Cisco routers offer the following features to mitigate DDoS attacks:
ACLs: Filter unwanted traffic, such as traffic that spoofs company addresses or is aimed at Windows control ports. However, an ACL is not effective when network address translation (NAT) is implemented in the network.
Rate limiting: Minimizes and controls the rate of bandwidth used by incoming traffic.
Traffic-flow reporting: Creates a baseline for the network that is compared with the network traffic flow, helping you detect any intrusive network or host activity.
Apart from these features offered by Cisco routers, the following methods can also be used to mitigate DDoS attacks:
Using a firewall, you can block or permit traffic entering a network.
The systems vulnerable to attacks can be shifted to another location or a more secure LAN.
Intrusion Detection Systems (IDS), such as Network Intrusion Detection Systems (NIDS) and Host Intrusion Detection Systems (HIDS), can be implemented to detect intrusive network or host activity such as a DoS attack, and raise alerts when any such activity is detected.
Anti-DDoS guard and scatter tracing are incorrect because these features are not offered by Cisco routers to mitigate DDoS attacks.
Flow control is incorrect because flow control is used to prevent the loss of traffic between two devices.
Objective:
Infrastructure Security
Sub-Objective:
Configure, verify, and troubleshoot basic device hardening
References:
Cisco > Support > Technology Support > Security and VPN > Authentication Protocols > Technology Information > Technology White Paper > Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks > Document ID: 13634