During a penetration test for a global e-commerce platform in Dallas, ethical hacker Maria simulates a large-scale DoS campaign. Instead of sending attack traffic directly, she forges requests to multiple open services across the internet. These services unknowingly reply to the victim system, multiplying the amount of traffic hitting the target. Within minutes, the victim's server is overwhelmed by a flood of responses, even though Maria's own machine generated only a small amount of traffic. Which attack technique is Maria most likely demonstrating?
Correct Answer: B
The correct answer is B, Distributed Reflection Denial-of-Service (DRDoS), because the scenario describes the two defining elements of DRDoS: reflection and amplification at scale using third-party systems. Maria "forges requests" (i.e., spoofs the victim's IP address as the source) to "multiple open services across the internet." Those services then send their replies to the spoofed source, the victim, so the victim receives a large volume of unsolicited responses. This is reflection: the attacker does not attack the victim directly but bounces traffic off other servers. The "multiplying the amount of traffic" indicates amplification: many protocols and services respond with packets significantly larger than the request, so the attacker's small outbound traffic produces a much larger inbound flood against the target. The mention of "multiple open services" and being overwhelmed by a "flood of responses" is classic DRDoS behavior. From a defender's perspective, DRDoS attacks are hard to filter because the traffic appears to come from legitimate servers, and the victim is receiving replies to requests it never sent. Mitigations include source address validation (BCP 38 anti-spoofing), rate limiting, filtering/ACLs for abused UDP services, and upstream scrubbing, CDN, or DDoS protection services. Why the other options are less accurate: Smurf is a specific reflection/amplification attack using ICMP to a broadcast address (now largely mitigated by disabling directed broadcasts). Botnet describes the attacker's infrastructure (many compromised machines) but not the reflection/amplification mechanism; a botnet can be used to launch many types of DDoS attacks. NTP amplification is one specific DRDoS variant using misconfigured NTP servers (UDP/123). The question describes the broader technique across "multiple open services" rather than naming NTP specifically, so the best match is the general category, DRDoS.
Therefore, Maria is demonstrating a Distributed Reflection Denial-of-Service (DRDoS) attack.
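The "replies to requests it never sent" symptom above is something a defender can check for directly. The following is an added example, not part of the exam explanation: it walks constructed flow records for an assumed victim address and flags inbound UDP traffic from well-known reflector service ports that has no matching outbound request. The reflector port list and the RFC 5737 documentation addresses are assumptions.

```python
# Added example (not part of the exam explanation): flag inbound UDP traffic that
# looks like reflected/amplified replies. All flow records below are constructed.
from collections import defaultdict

# UDP services commonly abused as reflectors; the explanation names NTP (123).
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 11211: "memcached", 19: "CharGEN"}

VICTIM = "203.0.113.10"   # assumed victim (RFC 5737 documentation address)

# Constructed flow records: (direction, src_ip, src_port, dst_ip, dst_port, bytes)
FLOWS = [
    ("out", VICTIM, 51000, "198.51.100.5", 123, 48),      # legitimate NTP query
    ("in",  "198.51.100.5", 123, VICTIM, 51000, 48),       # its reply (solicited)
    ("in",  "198.51.100.20", 123, VICTIM, 80, 440),        # unsolicited NTP reply
    ("in",  "198.51.100.21", 123, VICTIM, 80, 440),
    ("in",  "198.51.100.30", 53, VICTIM, 443, 3000),       # unsolicited DNS reply
    ("in",  "198.51.100.31", 1900, VICTIM, 443, 1500),     # unsolicited SSDP reply
    ("in",  "192.0.2.7", 443, VICTIM, 52000, 1200),        # not a reflector port, ignored
]

def find_unsolicited_replies(flows, victim):
    """Return inbound flows from reflector ports with no matching outbound request.
    A match is an earlier 'out' flow from the victim to the same server and port,
    sent from the port the reply is now addressed to."""
    requested = set()
    unsolicited = []
    for direction, sip, sport, dip, dport, nbytes in flows:
        if direction == "out" and sip == victim:
            requested.add((dip, dport, sport))     # (server, service port, our port)
        elif direction == "in" and dip == victim and sport in REFLECTOR_PORTS:
            if (sip, sport, dport) not in requested:
                unsolicited.append((sip, sport, nbytes))
    return unsolicited

def summarize(unsolicited):
    """Per abused service: (number of distinct reflectors, total reply bytes)."""
    by_service = defaultdict(lambda: {"reflectors": set(), "bytes": 0})
    for sip, sport, nbytes in unsolicited:
        entry = by_service[REFLECTOR_PORTS[sport]]
        entry["reflectors"].add(sip)
        entry["bytes"] += nbytes
    return {svc: (len(v["reflectors"]), v["bytes"]) for svc, v in by_service.items()}

if __name__ == "__main__":
    hits = find_unsolicited_replies(FLOWS, VICTIM)
    for svc, (n, b) in summarize(hits).items():
        print(f"{svc}: {n} reflector(s), {b} bytes of replies the victim never requested")
```

The same logic applied to real NetFlow or firewall logs is what makes the BCP 38 and UDP-service ACL mitigations above measurable: the unsolicited-reply count should drop to zero once upstream filtering is in place.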
312-50v13 Exam Question 222
A corporation migrates to a public cloud service, and the security team identifies a critical vulnerability in the cloud provider's API. What is the most likely threat arising from this flaw?
Correct Answer: B
The CEH Cloud Computing module identifies cloud APIs as one of the most critical attack surfaces in public cloud environments. APIs control provisioning, configuration, authentication, and management of cloud resources. A vulnerability in a cloud API can allow attackers to:
* Bypass authentication
* Escalate privileges
* Access or modify cloud resources
* Create or delete services
Option B is therefore correct. Option A relates to availability, not API flaws. Option C is managed by the provider and unrelated to APIs. Option D would require key compromise, not just API weakness. CEH strongly emphasizes API security as a top cloud risk.
312-50v13 Exam Question 223
During an internal red team engagement at a financial services firm, an ethical hacker named Anika tests persistence mechanisms after successfully gaining access to a junior employee's workstation. As part of her assessment, she deploys a lightweight binary into a low-visibility system folder. To maintain long-term access, she configures it to launch automatically on every system reboot without requiring user interaction. Which of the following techniques has most likely been used to ensure the persistence of the attacker's payload?
Correct Answer: B
Creating scheduled tasks is the most likely persistence technique because it can be configured to execute automatically at system startup or on reboot without requiring a user to log in or manually launch anything. In CEH-aligned post-exploitation and persistence concepts, attackers commonly use operating system native mechanisms that blend into normal administrative activity. A scheduled task fits this goal well because it can be named to look legitimate, set to run under a specific account, and triggered by events such as system boot, user logon, or a timed schedule. The scenario explicitly states the payload launches on every reboot without user interaction, which aligns with a boot-triggered scheduled task. Injecting into the startup folder usually triggers execution when a user logs on, not strictly on system reboot, and it depends on an interactive user session. That contradicts the requirement of no user interaction. Modifying file attributes, such as setting hidden or system attributes, improves stealth and makes a file less noticeable, but it does not create an automatic execution mechanism by itself. Installing a keylogger is a capability for capturing keystrokes, not a persistence method, and it does not inherently guarantee execution after reboot unless paired with an auto-start mechanism. Therefore, the action that directly ensures the binary runs after each reboot in a controlled and reliable way is creating scheduled tasks, which is a classic persistence method emphasized in ethical hacking workflows for demonstrating real-world attacker behavior and improving defensive detection and hardening.
312-50v13 Exam Question 224
An e-commerce platform hosted on a public cloud infrastructure begins to experience significant latency and timeouts. Logs show thousands of HTTP connections sending headers extremely slowly and never completing the full request. What DoS technique is most likely responsible?
Correct Answer: A
CEH v13 identifies Slowloris as a low-bandwidth yet highly effective application-layer DoS technique that works by opening many HTTP connections and sending headers very slowly, never completing the request. Because the server must keep these half-open HTTP sessions alive, its connection pool becomes saturated, preventing it from servicing legitimate users. Slowloris is particularly dangerous because it does not rely on malformed packets, high traffic volume, or protocol abuse; instead, it mimics legitimate HTTP behavior, making it difficult for firewalls or intrusion detection systems to distinguish malicious traffic. This aligns exactly with the described scenario, where thousands of legitimate-looking HTTP connections gradually consume server resources. Fragmentation attacks (Option B) target packet reassembly, UDP floods (Option C) generate high-bandwidth noise, and SYN floods (Option D) hit the TCP handshake, not HTTP header behavior. Slowloris' distinctive use of slow HTTP headers directly matches the symptoms described.
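Because the traffic looks legitimate packet by packet, the place it does stand out is the web server's own log. The following is an added example, not part of the exam explanation: it scans constructed Apache access-log lines written with the format `%h %t "%r" %>s %b %D` and counts, per client, connections that never delivered a complete request line yet stayed open for a long time. It assumes a request-read timeout such as Apache's mod_reqtimeout is active, which logs such connections with status 408 and a request line of `-`; the log lines, thresholds and addresses are constructed.

```python
# Added example (not part of the exam explanation): spot Slowloris-style behaviour
# in web server access logs. Lines below are constructed in the Apache format
#   LogFormat "%h %t \"%r\" %>s %b %D"    (%D = request duration in microseconds)
import re
from collections import Counter

LINE_RE = re.compile(r'^(\S+) \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+) (\d+)$')

LOG = """\
198.51.100.7 [10/Mar/2024:10:00:01 +0000] "GET /cart HTTP/1.1" 200 5120 184000
203.0.113.5 [10/Mar/2024:10:01:02 +0000] "-" 408 0 60000123
203.0.113.5 [10/Mar/2024:10:01:02 +0000] "-" 408 0 60000410
203.0.113.5 [10/Mar/2024:10:01:03 +0000] "-" 408 0 60000201
203.0.113.5 [10/Mar/2024:10:01:03 +0000] "-" 408 0 60000377
203.0.113.5 [10/Mar/2024:10:01:04 +0000] "-" 408 0 60000099
198.51.100.9 [10/Mar/2024:10:01:05 +0000] "POST /checkout HTTP/1.1" 200 812 402000
198.51.100.9 [10/Mar/2024:10:01:09 +0000] "-" 408 0 20000015
"""

def parse(log_text):
    """Yield (client_ip, request_line, status, duration_seconds) per valid line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, _ts, req, status, _size, usec = m.groups()
            yield ip, req, int(status), int(usec) / 1_000_000

def slow_incomplete(records, min_seconds=10.0):
    """Count per-client connections that never sent a complete request line
    (logged as "-" / 408) yet stayed open for at least min_seconds."""
    hits = Counter()
    for ip, req, status, secs in records:
        if (req == "-" or status == 408) and secs >= min_seconds:
            hits[ip] += 1
    return hits

def suspects(log_text, threshold=3):
    """Clients holding `threshold` or more slow, incomplete connections. A single
    408 is a normal slow client; many from one host in seconds is the Slowloris pattern."""
    return {ip: n for ip, n in slow_incomplete(parse(log_text)).items() if n >= threshold}

if __name__ == "__main__":
    for ip, n in suspects(LOG).items():
        print(f"{ip}: {n} slow incomplete connections")
```

The same per-client count is what a reverse proxy or WAF connection-limit rule keys on, so the threshold chosen here should mirror whatever limit is enforced in front of the origin.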
312-50v13 Exam Question 225
Which patch management strategy is most effective?
Correct Answer: B
CEH v13 identifies automated patch management as the most secure and scalable approach. Automated tools ensure timely deployment, validation, rollback capability, and compliance reporting. Manual patching increases human error. Applying patches from unknown sources introduces malware risk. Limiting patches contradicts best practices. Therefore, Option B is correct.