As a newly appointed network security analyst, you are tasked with ensuring that the organization's network can detect and prevent evasion techniques used by attackers. One commonly used evasion technique is packet fragmentation, which is designed to bypass intrusion detection systems (IDS). Which IDS configuration should be implemented to effectively counter this technique?
Correct Answer: A
According to the Certified Ethical Hacker (CEH) IDS/IPS and Evasion Techniques module, packet fragmentation is a technique attackers use to split malicious payloads into smaller fragments so that signature-based IDS sensors may fail to reassemble and inspect the complete packet. CEH explains that anomaly-based IDS systems are more effective against fragmentation evasion because they analyze behavioral deviations rather than relying solely on known signatures. Fragmented traffic often deviates from baseline network behavior in terms of packet size, sequencing, and reassembly anomalies. Option A is correct because anomaly-based detection can identify abnormal fragmentation behavior even if the payload itself does not match known signatures. Option B is unreliable, as attackers do not use consistent intervals. Option C is impractical, since legitimate traffic may be fragmented. Option D is less effective because signature-based IDS systems can be bypassed by fragmentation techniques. CEH recommends packet normalization and anomaly-based detection as effective countermeasures.
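As an added illustration (not CEH material) of what "abnormal fragmentation behaviour" looks like to an anomaly-based sensor, the following Python checks a set of constructed IPv4 fragment records for overlaps, undersized first fragments, gaps and datagrams that never complete; the record format and thresholds are assumptions for this example.

```python
"""Flag IPv4 fragmentation patterns that deviate from normal reassembly:
overlapping fragments, a first fragment too small to carry a transport header,
gaps, non-final fragments that are not 8-byte aligned, and datagrams that never
finish. Added example; the fragment records below are constructed."""
from collections import defaultdict

# Constructed records: (datagram_id, offset_in_bytes, payload_len, more_fragments_flag)
FRAGMENTS = [
    ("normal", 0, 1480, True), ("normal", 1480, 1480, True), ("normal", 2960, 500, False),
    ("tiny-first", 0, 8, True), ("tiny-first", 8, 1472, False),  # 8 bytes cannot hold a TCP header
    ("overlap", 0, 1480, True), ("overlap", 1000, 1480, False),  # second fragment rewrites bytes 1000-1479
    ("incomplete", 0, 1480, True),                               # final fragment never arrives
]

MIN_FIRST_FRAGMENT = 20  # assumed floor: the minimal TCP header; smaller first fragments hide ports/flags


def analyze_fragments(fragments):
    """Return {datagram_id: [anomaly, ...]} for every datagram that looks abnormal."""
    groups = defaultdict(list)
    for dg_id, offset, length, more in fragments:
        groups[dg_id].append((offset, length, more))
    findings = {}
    for dg_id, frags in groups.items():
        anomalies = []
        frags.sort()                      # reassemble in offset order regardless of arrival order
        covered_end = 0                   # highest byte position covered so far
        seen_last = False
        for offset, length, more in frags:
            if offset == 0 and length < MIN_FIRST_FRAGMENT:
                anomalies.append("tiny first fragment")
            if offset < covered_end:      # this fragment rewrites bytes already received
                anomalies.append("overlapping fragment")
            elif offset > covered_end:    # a middle fragment is missing
                anomalies.append("gap before fragment")
            if more and length % 8:       # IP requires non-final fragments to be multiples of 8 bytes
                anomalies.append("non-final fragment not multiple of 8")
            covered_end = max(covered_end, offset + length)
            seen_last = seen_last or not more
        if not seen_last:
            anomalies.append("incomplete datagram")
        if anomalies:
            findings[dg_id] = sorted(set(anomalies))
    return findings


if __name__ == "__main__":
    for dg_id, problems in analyze_fragments(FRAGMENTS).items():
        print(dg_id, "->", ", ".join(problems))
```

The same checks are what a normalizing IDS performs before signature matching, so a sensor that reassembles and then inspects is not fooled by a payload split across fragments.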
312-50v13 Exam Question 87
During a security review for a healthcare provider in Denver, Colorado, Ava examines the header of a suspicious message to map the sender's outbound email infrastructure. Her goal is to identify which specific system on the sender's side processed the message so the team can understand where the transmission originated within that environment. Which detail from the email header should she examine to determine this?
Correct Answer: B
To determine which specific system on the sender's side processed the message, the most relevant email header detail is the sender's mail server, typically revealed in the chain of Received: headers. Each mail transfer agent (MTA) that handles the message adds a Received line indicating the system that passed the message along and the system that received it. By reviewing these headers from bottom to top (earliest hop upward), analysts can identify the originating outbound infrastructure used by the sender, such as the initial submission server, outbound relay, or gateway that first accepted the email for delivery. The scenario's goal is to "map the sender's outbound email infrastructure" and identify "which specific system on the sender's side processed the message." That maps more directly to identifying the mail server hostnames involved (the MTAs), because those are the processing systems that relayed the email. While an IP address can help locate a host, the question emphasizes the "specific system" responsible for processing, which is typically expressed as the mail server identity (hostname/domain) shown in header traces. In practice, investigators correlate the sender mail server information with IPs, TLS details, and authentication results, but the primary header clue for the processing system is the server identified in Received lines. Why the other options are less suitable: Date and time (A) helps with timeline analysis, not identification of the processing system. Sender's IP address (C) can indicate a source network, but the message may traverse NAT, relays, or cloud email services; it doesn't always name the processing system. Authentication system used (D) (e.g., SPF/DKIM/DMARC results) indicates validation outcomes, not which server processed the message. Therefore, the correct choice is B, Sender's mail server.
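The bottom-to-top walk of the Received: chain described above, as an added example that is not part of the exam material: the message, hostnames and addresses are constructed placeholders, and the `from ... by ...` regex is an assumption that covers common MTA formats rather than every Received syntax in the wild.

```python
"""Walk the Received: chain of a message from the earliest hop upward and list
the MTAs that handled it. Added example; the message below is constructed and
all hostnames/addresses are placeholders."""
import email
import re

SAMPLE_MESSAGE = """\
Received: from mx-in.example-hospital.test (mx-in.example-hospital.test [203.0.113.10])
\tby mail.example-hospital.test with ESMTPS id abc123; Tue, 4 Mar 2025 09:14:02 -0700
Received: from relay2.sender.test (relay2.sender.test [198.51.100.25])
\tby mx-in.example-hospital.test with ESMTPS; Tue, 4 Mar 2025 09:14:01 -0700
Received: from laptop-7 (unknown [192.0.2.44])
\tby smtp-submit.sender.test with ESMTPSA id z9; Tue, 4 Mar 2025 09:13:58 -0700
Authentication-Results: mail.example-hospital.test; spf=pass smtp.mailfrom=sender.test
From: someone@sender.test
To: ava@example-hospital.test
Subject: constructed sample

body
"""

# Assumed pattern: "from <host> ... by <host>"; folded header lines are joined first.
HOP_RE = re.compile(r"from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+)")


def received_chain(raw):
    """Return hops oldest-first as (from_host, by_host) tuples.
    Each MTA prepends its Received line, so the bottom-most header is the first hop."""
    msg = email.message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        flat = " ".join(hdr.split())          # unfold continuation lines into one line
        m = HOP_RE.search(flat)
        if m:
            hops.append((m.group("from"), m.group("by").rstrip(";")))
    return hops


def sender_side_servers(raw, sender_domain):
    """Hostnames in the chain under the sender's domain: the systems on the
    sender's side that processed the message, in processing order."""
    servers = []
    for frm, by in received_chain(raw):
        for host in (frm, by):
            if host.endswith("." + sender_domain) and host not in servers:
                servers.append(host)
    return servers


if __name__ == "__main__":
    for frm, by in received_chain(SAMPLE_MESSAGE):
        print(f"{frm} -> {by}")
    print("sender-side MTAs:", sender_side_servers(SAMPLE_MESSAGE, "sender.test"))
```

Only the Received lines added by your own MTAs are trustworthy; anything below them was written by systems outside your control and can be forged, so corroborate the sender-side hostnames with the IPs, TLS details and Authentication-Results mentioned above.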
312-50v13 Exam Question 88
A web server was compromised through DNS hijacking. What would most effectively prevent this in the future?
Correct Answer: C
DNS hijacking occurs when attackers manipulate DNS responses to redirect traffic to malicious servers. CEH v13 clearly identifies DNSSEC (Domain Name System Security Extensions) as the primary defense against such attacks. DNSSEC adds cryptographic signatures to DNS records, enabling clients to verify authenticity and integrity of DNS responses. Without DNSSEC, attackers can spoof DNS responses even if servers are fully patched. Changing IP addresses and using LAMP do not address DNS trust. Patching is essential but does not prevent DNS spoofing. CEH v13 explicitly recommends DNSSEC for preventing cache poisoning and DNS hijacking attacks, making Option C the correct answer.
312-50v13 Exam Question 89
In the hushed offices of Pinecrest Solutions in Denver, network security analyst Lisa Nguyen began a covert review of a recent spike in network access issues reported by the sales team. The trouble surfaced during a low-traffic period when agents couldn't reach their CRM system, prompting Lisa to examine the subnet logs. She spotted irregular IP assignment attempts linked to an unfamiliar device. Acting quickly, Lisa entered a series of commands on the Cisco switches and later confirmed that connectivity issues had ceased without any new devices appearing in the logs. Which command did Lisa most likely use to address the issue?
Correct Answer: A
The symptoms point to a rogue DHCP scenario, which CEH materials commonly describe as a method attackers use to disrupt networks or perform man-in-the-middle attacks. If an unauthorized device begins answering DHCP requests faster than the legitimate DHCP server, endpoints may receive incorrect IP settings such as a fake default gateway or DNS server. This causes loss of connectivity to internal applications like a CRM system and can silently redirect traffic through an attacker-controlled host. The question explicitly mentions "irregular IP assignment attempts" tied to an unfamiliar device, which aligns strongly with rogue DHCP behavior rather than ARP-only manipulation or simple MAC-limit violations. DHCP snooping is a Layer 2 security feature on Cisco switches that filters untrusted DHCP messages and allows only authorized DHCP servers on trusted ports. When enabled for the affected VLAN, the switch will drop DHCP offers and acknowledgments arriving on untrusted access ports, stopping the rogue device from leasing addresses. Option A, ip dhcp snooping vlan 10, is the command that applies DHCP snooping protection to the specific VLAN experiencing the issue, which matches the "subnet logs" and the localized impact described. Option B, Dynamic ARP Inspection, primarily mitigates ARP spoofing and relies on DHCP snooping bindings, but it does not directly stop rogue DHCP leasing. Option D, port security, can limit MAC addresses but does not specifically block DHCP server behavior. Option C enables the feature globally but does not target the VLAN; the VLAN-specific activation in A best matches the scenario and the immediate restoration of correct addressing and connectivity.
312-50v13 Exam Question 90
During a security compliance audit at Nexus Tech Solutions in Boston, Massachusetts, the ethical hacking team launches a controlled social engineering exercise to assess help desk vulnerabilities. Ethical hacker Rachel Kim calls the company's help desk, posing as a stressed employee named Laura Bennett from the marketing department. Rachel claims her laptop is running slowly and offers to share her login credentials if the help desk can provide a quick fix to meet a tight project deadline. The call is designed to test whether help desk staff follow proper verification protocols or fall for the offer of credentials in exchange for assistance. What social engineering technique is Rachel employing in this exercise?
Correct Answer: C
This scenario best illustrates impersonation. In CEH-aligned social engineering concepts, impersonation occurs when an attacker assumes the identity of a legitimate person, such as an employee, contractor, executive, or vendor, to exploit trust and bypass established procedures. Rachel explicitly "poses as a stressed employee named Laura Bennett" and uses a believable workplace pretext such as a slow laptop and a tight deadline. This is a classic pressure-and-urgency tactic used to lower skepticism and push the target into breaking policy, such as skipping identity verification or accepting unsafe troubleshooting steps. Although the interaction happens over the phone, the defining technique being tested is not merely the communication channel but the identity deception. Vishing is phone-based phishing, and while the call could be described as vishing in a broad sense, the prompt emphasizes the assumed identity and the help desk's verification controls, which is the hallmark of impersonation. Quid pro quo typically involves offering a benefit or service in exchange for information; here, the core mechanic is Rachel's false identity and her attempt to get the help desk to accept credential sharing as part of support. Shoulder surfing is unrelated because it involves physically observing someone's screen or keystrokes. CEH best practices to mitigate impersonation include strict caller verification, callback procedures to known numbers, ticket validation, prohibiting password sharing, requiring multi-factor authentication resets via approved workflows, and training help desk staff to recognize urgency-based manipulation and escalate suspicious requests.