During a penetration test at an e-commerce company in Boston, ethical hacker Sophia launches an HTTP flood against the checkout page of the site. The simulated traffic consists of repeated GET and POST requests designed to overload application-layer resources. In response, the IT team activates a security tool that inspects and filters malicious HTTP traffic while allowing legitimate customer requests to pass, ensuring service continuity during the exercise. Which DoS/DDoS protection tool is most likely being used in this scenario?
Correct Answer: B
An HTTP flood is an application-layer (Layer 7) DoS/DDoS technique that exhausts web application resources by sending large volumes of syntactically valid HTTP GET/POST requests. Because each request looks legitimate at the protocol level, controls that focus on network/transport characteristics (such as basic firewalls) are often insufficient. The tool described in the scenario explicitly inspects and filters malicious HTTP traffic while allowing legitimate customer requests through; that behavior aligns most directly with a Web Application Firewall (WAF).

A WAF protects web applications by analyzing HTTP/S requests and responses and applying security rules that detect and block abnormal or malicious patterns. In an HTTP flood scenario, a WAF can enforce per-client and per-endpoint rate limiting, detect request anomalies (e.g., repeated requests to resource-intensive endpoints like checkout), identify bot-like behavior (scripted User-Agent strings, no session cookie, no JavaScript execution), and apply signature or behavioral policies to mitigate the attack while continuing to permit valid users. The key clue is the focus on HTTP-level inspection and filtering to maintain service continuity, a classic WAF use case during Layer 7 attacks. One caveat: a WAF mitigates application-layer floods; a volumetric attack that saturates upstream bandwidth has to be absorbed at the network edge or by a scrubbing provider before it ever reaches the WAF.

Why the other options are less suitable: A Load Balancer (A) improves availability by distributing traffic across servers, but it does not inherently inspect and filter malicious HTTP requests. It can help absorb load, yet it is not primarily a security inspection/filtering control. An Intrusion Prevention System (C) can block malicious activity, but many IPS deployments are stronger at network/transport-layer patterns and do not provide the same depth of application-aware HTTP policy enforcement as a WAF for targeted web endpoints. A traditional Firewall (D) mainly filters by IP/port/protocol and cannot reliably distinguish malicious from legitimate HTTP GET/POST floods when they use allowed ports (80/443).
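The per-endpoint rate limiting a WAF applies during an HTTP flood, reduced to its core, as an added example that is not part of the original question or any WAF vendor's code. It parses constructed access-log lines in the common "combined" format (not a real capture), keeps a sliding window of request timestamps per client and path, and applies a tighter limit to the checkout endpoint than to the rest of the site. The IP addresses, paths, window length and thresholds are all assumptions chosen for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return {ip, ts (epoch seconds), method, path} or None for unparseable lines."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    # Normalise away the query string so /checkout?step=1 and /checkout share a bucket.
    path = m["path"].split("?", 1)[0]
    return {"ip": m["ip"], "ts": ts, "method": m["method"], "path": path}


class SlidingWindowLimiter:
    """Per-(client, path) sliding window: at most `limit` requests per `window_s` seconds."""

    def __init__(self, window_s, limits):
        self.window = window_s
        self.limits = limits              # {"/checkout": 20, "*": 200} style mapping
        self.hits = defaultdict(deque)    # (ip, path) -> timestamps inside the window

    def limit_for(self, path):
        for prefix, limit in self.limits.items():
            if prefix != "*" and path.startswith(prefix):
                return limit
        return self.limits.get("*", float("inf"))

    def allow(self, ip, path, ts):
        q = self.hits[(ip, path)]
        while q and ts - q[0] >= self.window:   # drop hits that fell out of the window
            q.popleft()
        if len(q) >= self.limit_for(path):
            return False                        # over budget: block (WAF returns 429/403)
        q.append(ts)
        return True


def analyze(lines, window_s, limits):
    """Run the limiter over log lines; return (allowed_count, {ip: blocked_count})."""
    limiter = SlidingWindowLimiter(window_s, limits)
    allowed, blocked = 0, defaultdict(int)
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue
        if limiter.allow(req["ip"], req["path"], req["ts"]):
            allowed += 1
        else:
            blocked[req["ip"]] += 1
    return allowed, dict(blocked)


def build_sample_log():
    """Constructed traffic: one real shopper plus one flood source (not real data).
    Each client's lines are generated in time order, which is all the per-client
    window needs; ordering across clients does not matter."""
    base = datetime(2025, 3, 10, 14, 0, 0, tzinfo=timezone.utc)

    def fmt(ip, dt, method, path, ua):
        stamp = dt.strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{stamp}] "{method} {path} HTTP/1.1" 200 512 "-" "{ua}"'

    lines = []
    # Legitimate shopper: three checkout requests spread over a minute.
    for i in range(3):
        lines.append(fmt("198.51.100.7", base + timedelta(seconds=20 * i),
                         "POST" if i == 2 else "GET", "/checkout", "Mozilla/5.0"))
    # Flood source: 120 checkout requests in about six seconds.
    for i in range(120):
        lines.append(fmt("203.0.113.5", base + timedelta(milliseconds=50 * i),
                         "GET" if i % 2 else "POST", "/checkout?step=1",
                         "python-requests/2.31"))
    return lines


if __name__ == "__main__":
    allowed, blocked = analyze(build_sample_log(), window_s=10,
                               limits={"/checkout": 20, "*": 200})
    print(f"allowed={allowed} blocked={blocked}")
```

The shopper's three requests all pass; the flood source gets its first 20 checkout requests inside the 10-second window and is then blocked for the remaining 100. In a real WAF the same logic would also key on session cookies or TLS fingerprints, not only the source IP, so that a flood from a botnet of many addresses still trips the per-endpoint budget.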
312-50v13 Exam Question 167
A penetration tester targets a WPA2-PSK wireless network. The tester captures the handshake and wants to speed up cracking the pre-shared key. Which approach is most effective?
Correct Answer: C
CEH v13 explains that WPA2-PSK security relies on the strength of the pre-shared key. Once the 4-way handshake is captured, the attacker must crack offline: the handshake carries a MIC computed with keys derived from the passphrase (PBKDF2-HMAC-SHA1 with 4096 iterations, salted with the SSID), so each candidate passphrase can be verified against the capture without touching the network, but each guess is deliberately expensive. CEH emphasizes that the dictionary attack is the most efficient and commonly used cracking method because it tests structured wordlists, human-derived passwords, and hybrid permutations, dramatically reducing time compared to full brute force. Brute forcing (Option B) is computationally heavy and impractical for a passphrase of any realistic length (WPA2 passphrases are 8 to 63 characters). XSS (Option A) and SQL injection (Option D) have no relevance to WPA2 authentication, which occurs at the wireless protocol level, not the router's web interface. The dictionary attack is highlighted in CEH as the principal technique used with tools like aircrack-ng, hashcat, and pyrit, allowing rapid key testing using optimized GPU or CPU cracking. Thus, Option C is the most effective and CEH-aligned method.
312-50v13 Exam Question 168
Bob, a seasoned security analyst at XYZ Aerospace, was investigating a series of misaligned transaction timestamps coming from one of the data archival systems. Suspecting that the server might be syncing with an unstable time source, Bob decided to extract a detailed list of all peer servers associated with the target machine, including metrics such as delay, offset, and jitter, to determine whether the issue stemmed from time synchronization drift. Which of the following commands should Bob use to retrieve this information?
Correct Answer: B
The command that best matches Bob's goal is ntpq -p. In CEH-aligned coverage of network services and operational troubleshooting, NTP is highlighted as a critical dependency because inaccurate time can break authentication (Kerberos tickets, TOTP codes, certificate validity), distort logs, and cause incorrect transaction ordering. When investigating suspected time drift, the most useful first step is to view the active NTP associations and their quality metrics. The ntpq utility queries an NTP daemon and reports peer status and performance data. Specifically, ntpq -p prints a peer table with one row per configured or discovered time source and the columns remote, refid, st (stratum), t, when, poll, reach, delay, offset, and jitter. The first character of each row is a tally code: * marks the peer the system is currently synchronized to, + a surviving candidate, - an outlier, x a falseticker rejected by the intersection algorithm, and a blank a peer that is unreachable or failed sanity checks. Offset indicates how far the local clock differs from the peer, delay reflects network round-trip latency to the peer, and jitter shows the variability of successive measurements; all three are in milliseconds and are exactly the metrics the question names. A large offset on a peer marked x, or a reach value below 377 (an octal bitmask of the last eight polls), points at an unstable or rogue source. In practice ntpq -pn is often preferred because -n suppresses reverse DNS lookups, which otherwise slow the output and themselves depend on the network.

Option A, ntptrace, follows the chain of NTP servers from the local host back to a reference clock and is useful for understanding the hierarchy, but it does not report the per-peer delay, offset, and jitter table. Option C, ntpdc, is the deprecated mode-7 control utility; it can query a daemon, but CEH references emphasize ntpq for peer statistics and associations, and many modern daemons disable mode 7 entirely. Option D, a bare ntpq invocation, opens an interactive session in which the peers command would have to be typed; the -p option is the explicit mode that outputs the peer list with the required metrics directly.
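Reading the peer table is where analysts usually go wrong, so here is an added example (not part of the original question, and not code from the ntp project) that parses ntpq -p output and flags the peers Bob should worry about. The output text below is constructed for the demonstration with RFC 5737 documentation addresses; the thresholds are assumptions, and the column layout and tally codes follow the ntpq documentation.

```python
# Tally codes ntpq prints in the first column of the peer table (ntpq documentation).
TALLY = {
    " ": "rejected (unreachable or failed sanity checks)",
    "x": "falseticker (rejected by the intersection algorithm)",
    ".": "excess (dropped by the cluster algorithm)",
    "-": "outlier (dropped by the cluster algorithm)",
    "+": "candidate (survivor used in the final combine)",
    "#": "backup (survivor beyond the candidate limit)",
    "*": "sys.peer (currently synchronized to)",
    "o": "pps.peer (synchronized via a PPS signal)",
}

# Constructed `ntpq -p` output for the demonstration; not a real capture.
SAMPLE_NTPQ_OUTPUT = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp1.example.net 10.20.0.5        2 u   37   64  377    0.812   -0.114   0.052
+ntp2.example.net 192.0.2.10       2 u   21   64  377    1.203    0.087   0.091
 203.0.113.9      .INIT.          16 u    -   64    0    0.000    0.000   0.000
x198.51.100.40   198.51.100.1      3 u   55   64  377   45.211  812.553  40.112
"""


def parse_ntpq_peers(text):
    """Turn ntpq -p output into a list of peer dicts (delay/offset/jitter in ms)."""
    peers = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("remote") or line.startswith("="):
            continue                       # header and separator rows
        tally, cols = line[0], line[1:].split()
        if len(cols) != 10:
            continue                       # not a peer row we understand
        remote, refid, st, t, when, poll, reach, delay, offset, jitter = cols
        peers.append({
            "tally": tally,
            "status": TALLY.get(tally, "unknown"),
            "remote": remote,
            "refid": refid,
            "stratum": int(st),
            "type": t,
            "when": when,                  # seconds, or "-" if never polled
            "poll": int(poll),
            "reach": int(reach, 8),        # octal bitmask of the last 8 polls
            "delay": float(delay),
            "offset": float(offset),
            "jitter": float(jitter),
        })
    return peers


def sys_peer(peers):
    """Remote name of the source the daemon is currently synced to, or None."""
    for p in peers:
        if p["tally"] in ("*", "o"):
            return p["remote"]
    return None


def suspicious_peers(peers, max_offset_ms=100.0, max_jitter_ms=20.0):
    """Peers Bob should investigate: unreachable, flagged falseticker, or far off."""
    bad = []
    for p in peers:
        if (p["reach"] != 0o377 or p["tally"] == "x"
                or abs(p["offset"]) > max_offset_ms or p["jitter"] > max_jitter_ms):
            bad.append(p["remote"])
    return bad


if __name__ == "__main__":
    peers = parse_ntpq_peers(SAMPLE_NTPQ_OUTPUT)
    print("synced to:", sys_peer(peers))
    for p in peers:
        print(f"{p['remote']:<18} {p['status']}")
    print("investigate:", suspicious_peers(peers))
```

In the sample, the daemon is locked to ntp1.example.net with sub-millisecond offset, 203.0.113.9 has never answered (reach 0, refid .INIT.), and 198.51.100.40 is over 800 ms off and already marked as a falseticker; the two latter are what would explain misaligned timestamps if the daemon ever fell back to them.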
312-50v13 Exam Question 169
A penetration tester is attempting to gain access to a wireless network that is secured with WPA2 encryption. The tester successfully captures the WPA2 handshake but now needs to crack the pre-shared key. What is the most effective method to proceed?
Correct Answer: B
WPA2-PSK networks authenticate clients with a pairwise master key derived from the passphrase and SSID. After capturing the 4-way handshake, CEH teaches that the standard and most effective method to recover the key is an offline dictionary attack: each wordlist entry is run through the same key derivation, the resulting key is used to recompute the handshake's message integrity code, and a match identifies the passphrase. Cracking offline generates no traffic toward the access point, so it avoids detection, and a dictionary of likely passphrases is dramatically faster than exhaustive brute force because the derivation is deliberately slow (4096 PBKDF2 iterations per guess).
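The offline verification step that Questions 167 and 169 both rely on, written out as an added example (not part of the original questions, and not aircrack-ng or hashcat code): derive the PMK with PBKDF2, expand it to the key confirmation key, recompute the EAPOL MIC, and compare it with the captured one for every wordlist entry. The handshake below is constructed for the demonstration (fixed MAC addresses, sequential nonces, a dummy EAPOL body) rather than a real capture; the SSID, passphrase and wordlist are assumptions. In a real capture the 16-byte MIC field inside the EAPOL frame must be zeroed before hashing, which the constructed frame already is.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class Handshake:
    ssid: str
    ap_mac: bytes     # authenticator address (AA), 6 bytes
    sta_mac: bytes    # supplicant address (SPA), 6 bytes
    anonce: bytes     # 32-byte ANonce from message 1
    snonce: bytes     # 32-byte SNonce from message 2
    eapol: bytes      # EAPOL-Key frame of message 2 with its MIC field zeroed
    mic: bytes        # the 16-byte MIC that frame actually carried


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    The SSID is the salt, so a PMK table only helps against networks with that SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_kck(pmk: bytes, hs: Handshake) -> bytes:
    """First 128 bits of the PTK (the KCK), which is all the MIC check needs.
    PTK = PRF(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(AN,SN)||max(AN,SN));
    the PRF is HMAC-SHA1(PMK, label || 0x00 || data || counter), counter starting at 0."""
    data = (min(hs.ap_mac, hs.sta_mac) + max(hs.ap_mac, hs.sta_mac)
            + min(hs.anonce, hs.snonce) + max(hs.anonce, hs.snonce))
    first_block = hmac.new(pmk, b"Pairwise key expansion" + b"\x00" + data + b"\x00",
                           hashlib.sha1).digest()
    return first_block[:16]


def compute_mic(kck: bytes, eapol: bytes) -> bytes:
    """WPA2/CCMP (key descriptor version 2): MIC = HMAC-SHA1(KCK, frame), truncated to 16 bytes."""
    return hmac.new(kck, eapol, hashlib.sha1).digest()[:16]


def crack_psk(hs: Handshake, wordlist):
    """Offline dictionary attack: return the passphrase that reproduces the captured MIC."""
    for candidate in wordlist:
        if not 8 <= len(candidate) <= 63:       # WPA2 passphrases are 8..63 characters
            continue
        pmk = derive_pmk(candidate, hs.ssid)    # the expensive step: 4096 HMAC-SHA1 rounds
        if hmac.compare_digest(compute_mic(derive_kck(pmk, hs), hs.eapol), hs.mic):
            return candidate
    return None


def make_test_handshake(passphrase: str, ssid: str) -> Handshake:
    """Constructed handshake for the demonstration (not a real capture): fixed addresses,
    sequential nonces and a dummy EAPOL body, with the MIC computed from the real passphrase."""
    ap_mac = bytes.fromhex("00115d0a0b0c")
    sta_mac = bytes.fromhex("0021a1d2e3f4")
    anonce = bytes(range(32))
    snonce = bytes(range(32, 64))
    eapol = b"\x02\x03\x00\x75\x02\x01\x0a\x00" + bytes(113)   # 121-byte placeholder frame
    hs = Handshake(ssid, ap_mac, sta_mac, anonce, snonce, eapol, b"\x00" * 16)
    hs.mic = compute_mic(derive_kck(derive_pmk(passphrase, ssid), hs), eapol)
    return hs


if __name__ == "__main__":
    hs = make_test_handshake("dragonfly2024", "CorpWiFi")
    wordlist = ["password", "letmein", "dragonfly2024", "qwerty123"]
    print("recovered PSK:", crack_psk(hs, wordlist))
```

Every candidate costs one PBKDF2 run of 4096 HMAC-SHA1 rounds, which is what makes wordlist ordering matter and why GPU crackers such as hashcat parallelize exactly this step; the SSID salt also means a precomputed PMK table is only reusable against networks sharing that SSID.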
312-50v13 Exam Question 170
A security analyst is tasked with gathering detailed information about an organization's network infrastructure without making any direct contact that could be logged or trigger alarms. Which method should the analyst use to obtain this information covertly?
Correct Answer: A
Passive reconnaissance focuses on collecting intelligence without sending any traffic to the target's systems. CEH materials emphasize reviewing publicly available information, including leaked documents, breach data, published reports, job postings, and metadata exposed in documents or images, because this can reveal internal network structure (hostnames, IP ranges, software versions, naming conventions) while generating nothing for the target's monitoring systems to log. Active techniques such as port scanning or DNS zone transfer attempts, by contrast, touch the target directly and can trigger alerts. Passive collection therefore aligns with the covert requirement in the question.