A defense contractor in Arlington, Virginia, initiated an internal awareness exercise to test employee susceptibility to human-based manipulation. During the assessment, an individual posing as an external recruitment consultant began casually engaging several engineers at a nearby industry networking event. Over multiple conversations, the individual gradually steered discussions toward current research initiatives, development timelines, and internal project code names. No direct requests for credentials or system access were made. Instead, the information was obtained incrementally through carefully crafted questions embedded within informal dialogue. Which social engineering technique is most accurately demonstrated in this scenario?
Correct Answer: C
The technique demonstrated is Elicitation. CEH social engineering coverage explains elicitation as the art of drawing out information from a target through conversation without making direct or obviously suspicious requests. The attacker carefully guides dialogue so the victim voluntarily reveals sensitive details, often believing the discussion is normal, harmless, or professionally relevant. That is exactly what happens here: the person poses as a recruitment consultant, builds rapport through multiple informal interactions, and gradually obtains information about research, timelines, and internal code names. No credentials are requested and no overt trade or reward is offered, so this is not quid pro quo. It is also not baiting, which typically relies on an enticing object or opportunity, nor a honey trap, which usually involves romantic or intimate manipulation. CEH materials emphasize that elicitation is especially dangerous because the victim often does not realize that the attacker's questions are strategically sequenced to extract valuable intelligence piece by piece. The gradual, conversational, non-confrontational harvesting of sensitive project details in this scenario is the defining pattern of elicitation.
312-50v13 Exam Question 107
During a penetration test at a financial services firm in Boston, ethical hacker Daniel simulates a DDoS against the customer portal. To handle the surge, the IT team sets a rule that caps the number of requests a single user can make per second; aggressive connections are delayed or dropped while most legitimate customers continue to use the service. Which countermeasure strategy is the IT team primarily using?
Correct Answer: A
The IT team's action, capping how many requests a single user can make per second and then delaying or dropping aggressive connections, is the defining behavior of rate limiting. In DDoS conditions, especially when the portal is under a surge of automated or abusive traffic, rate limiting enforces a policy that restricts request frequency from a source (such as an IP address, session, API key, or user identifier). This helps preserve availability by preventing any one client (or a small set of clients) from consuming a disproportionate share of application and infrastructure resources. The key wording in the scenario is that "aggressive connections are delayed or dropped while most legitimate customers continue to use the service." Rate limiting is designed for precisely this outcome: it introduces friction for abusive traffic patterns while allowing typical user behavior through. Depending on implementation, controls can respond with delays (throttling), temporary blocks, connection resets, or HTTP error responses (for example, "too many requests") when limits are exceeded. This is commonly applied at the edge (reverse proxy/CDN), load balancer, WAF, or application gateway to reduce pressure on backend services. Why the other options are not the best match: Shutting Down Services (B) is an extreme measure that sacrifices availability to stop an attack; the scenario explicitly states service largely continues. Absorb the Attack (C) refers to scaling capacity or using scrubbing centers/CDNs to handle volume without necessarily restricting individual requester behavior; the described control is specifically per-user request caps. Degrading Services (D) generally means intentionally reducing functionality or quality (e.g., disabling non-essential features) to keep core services alive; here, the main technique is enforcing request-rate thresholds. Thus, the countermeasure strategy being used is A. Rate Limiting.
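To make the "delay or drop aggressive connections, let normal customers through" behavior concrete, here is an added example (not part of the exam material) of a per-client sliding-window rate limiter in Python; the client addresses, traffic pattern and thresholds are constructed for the demonstration.

```python
from collections import defaultdict, deque

class SlidingWindowLimiter:
    """Per-client request limiter. Up to `limit` requests per `window` seconds
    are allowed; beyond that the client is throttled (told how long to wait),
    and beyond `limit * drop_multiplier` its requests are dropped outright."""

    def __init__(self, limit, window=1.0, drop_multiplier=3):
        self.limit = limit
        self.window = window
        self.drop_at = limit * drop_multiplier
        self.history = defaultdict(deque)  # client key -> request timestamps in window

    def check(self, key, now):
        """Return ('allow', 0.0), ('delay', seconds_to_wait) or ('drop', 0.0)."""
        q = self.history[key]
        while q and now - q[0] >= self.window:  # expire requests older than the window
            q.popleft()
        q.append(now)  # dropped requests still count, so a flood keeps paying
        n = len(q)
        if n <= self.limit:
            return "allow", 0.0
        if n <= self.drop_at:
            # Throttle: the client may retry once the oldest in-window request ages out.
            return "delay", round(q[0] + self.window - now, 3)
        return "drop", 0.0  # e.g. answer HTTP 429 Too Many Requests

def simulate(limiter, requests):
    """requests: (timestamp, client_key) pairs. Returns per-client decision counts."""
    summary = defaultdict(lambda: {"allow": 0, "delay": 0, "drop": 0})
    for ts, key in sorted(requests):
        decision, _ = limiter.check(key, ts)
        summary[key][decision] += 1
    return dict(summary)

# Constructed traffic: one customer at 4 requests/s for 5 s, and one source
# sending 200 requests inside a single second (addresses from documentation ranges).
NORMAL = [(i * 0.25, "203.0.113.10") for i in range(20)]
FLOOD = [(1.0 + i * 0.005, "198.51.100.77") for i in range(200)]

def run_demo():
    limiter = SlidingWindowLimiter(limit=20, window=1.0, drop_multiplier=3)
    return simulate(limiter, NORMAL + FLOOD)

if __name__ == "__main__":
    print(run_demo())
```

The normal customer never exceeds 20 requests in any one-second window and is always allowed, while the flooding source is allowed 20, throttled for the next 40 and dropped for the remaining 140.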
312-50v13 Exam Question 108
As a network administrator, you explain to your team that a recent DDoS attack targeted the application layer of your company's web server. Which type of DDoS attack was most likely used?
Correct Answer: A
According to the CEH Denial-of-Service (DoS/DDoS) module, application-layer DDoS attacks specifically target services such as HTTP, HTTPS, DNS, or APIs by sending requests that appear legitimate but overwhelm server resources. An HTTP flood attack sends a massive number of HTTP GET or POST requests, consuming CPU, memory, and application threads. CEH highlights that these attacks are particularly dangerous because they:
* Mimic normal user behavior
* Are difficult to distinguish from legitimate traffic
* Bypass traditional network-layer defenses
Option A is correct. Options B, C, and D operate primarily at the network or transport layers, not the application layer. CEH stresses that HTTP floods are among the most challenging DDoS attacks to mitigate due to their stealthy nature.
312-50v13 Exam Question 109
At Liberty Mutual's cybersecurity operations center in Boston, network engineer Marcus is troubleshooting a critical issue during peak transaction hours. Multiple VLANs are experiencing intermittent access delays, and several endpoints including those on isolated VLANs are receiving network traffic not intended for them, raising concerns about data exposure. Marcus notices that the issue began after a newly imaged workstation used by an intern named Lisa was connected to a trunk port in the server room. Switch logs indicate abnormal traffic patterns overwhelming the network. Which sniffing technique is Lisa's workstation most likely using to cause this behavior?
Correct Answer: C
The symptoms strongly match MAC flooding, a classic Layer 2 sniffing-related attack discussed in CEH under switch-based network attacks. Ethernet switches maintain a CAM table that maps MAC addresses to physical switch ports. This table allows the switch to forward frames only to the correct destination port, preventing other hosts from seeing traffic not intended for them. In a MAC flooding attack, an attacker generates a very large number of frames with spoofed, random source MAC addresses. The goal is to overflow the switch CAM table so it can no longer reliably store legitimate MAC-to-port mappings. When the CAM table is full or unstable, many switches fail open by flooding frames out of multiple ports, behaving more like a hub for unknown destinations. That leads to exactly what Marcus observes: devices on segments that should be isolated start receiving traffic they normally would not see, and overall performance degrades due to excessive broadcast-like forwarding. The prompt also mentions "abnormal traffic patterns overwhelming the network," which aligns with the high-volume frame injection required to poison or overflow the CAM table. ARP poisoning would primarily redirect traffic through the attacker by manipulating IP-to-MAC mappings within a VLAN, but it would not typically cause widespread flooding and generalized delays across multiple VLANs. DNS cache poisoning affects name resolution rather than Layer 2 forwarding behavior. Switch port stealing targets a specific victim MAC entry to redirect that host's traffic, but the widespread flooding and overload indicators are more characteristic of MAC flooding. Therefore, MAC flooding is the most likely technique in this scenario.
312-50v13 Exam Question 110
During an internal penetration test within a large corporate environment, the red team gains access to an unrestricted network port in a public-facing meeting room. The tester deploys an automated tool that sends thousands of DHCPDISCOVER requests using randomized spoofed MAC addresses. The DHCP server's lease pool becomes fully depleted, preventing legitimate users from obtaining IP addresses. What type of attack did the penetration tester perform?
Correct Answer: A
DHCP starvation is a network-level attack in which an attacker sends a massive number of DHCPDISCOVER requests, each appearing to originate from a different MAC address. CEH courseware explains that DHCP servers assign IP leases based on unique MAC addresses, and when the lease pool is exhausted, legitimate clients are unable to obtain valid IP configurations. This disrupts network connectivity and can serve as a precursor to deploying a rogue DHCP server, enabling further attacks such as traffic redirection or credential interception. DHCP starvation is different from ARP spoofing, which manipulates MAC-IP mappings, or DNS poisoning, which corrupts domain resolution. Rogue DHCP relay attacks involve forwarding DHCP packets to unauthorized servers, not depleting leases. The scenario described (rapid MAC address spoofing and exhaustion of DHCP leases) matches the precise definition of DHCP starvation as documented in CEH materials.
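The MAC flooding explanation (Question 109) and the DHCP starvation explanation above share one observable: a single switch port suddenly sourcing far more distinct MAC addresses than real hosts could account for, in the DHCP case as DHCPDISCOVER senders. This added example (not part of the exam material) scans constructed switch-log lines for both patterns; the log format, interface names, MAC generator and thresholds are assumptions made for the demonstration.

```python
import re
from collections import defaultdict

# Assumed (constructed) log format: "ts=<epoch s> port=<interface> src=<mac> msg=<type>"
LINE_RE = re.compile(
    r"^ts=(?P<ts>\d+) port=(?P<port>\S+) src=(?P<mac>[0-9a-f:]{17}) msg=(?P<msg>\S+)$")

def parse(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = int(rec["ts"])
    return rec

def analyze(lines, window=10, mac_threshold=200, dhcp_threshold=50):
    """Return {port: set of alerts}. 'mac-flood' fires when more than mac_threshold
    distinct source MACs appear on a port within `window` seconds; 'dhcp-starvation'
    when more than dhcp_threshold distinct MACs send DHCPDISCOVER in that window."""
    by_port = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            by_port[rec["port"]].append(rec)
    alerts = defaultdict(set)
    for port, recs in by_port.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end, rec in enumerate(recs):
            while rec["ts"] - recs[start]["ts"] > window:  # slide the window start
                start += 1
            win = recs[start:end + 1]
            if len({r["mac"] for r in win}) > mac_threshold:
                alerts[port].add("mac-flood")
            if len({r["mac"] for r in win if r["msg"] == "DHCPDISCOVER"}) > dhcp_threshold:
                alerts[port].add("dhcp-starvation")
    return dict(alerts)

def mac(i):
    """Constructed locally-administered MAC derived from an index."""
    return f"02:00:00:00:{(i >> 8) & 0xff:02x}:{i & 0xff:02x}"

# Constructed logs: a normal port with 3 hosts for a minute, a trunk port seeing 400
# distinct source MACs in 2 s, and a port seeing 120 DHCPDISCOVERs from distinct MACs in 3 s.
NORMAL = [f"ts={t} port=Gi1/0/5 src={mac(i)} msg=ARP" for t in range(60) for i in range(3)]
FLOOD = [f"ts={1000 + i // 200} port=Gi1/0/24 src={mac(1000 + i)} msg=DATA" for i in range(400)]
STARVE = [f"ts={2000 + i // 40} port=Gi1/0/12 src={mac(5000 + i)} msg=DHCPDISCOVER" for i in range(120)]

def run_demo():
    return analyze(NORMAL + FLOOD + STARVE)

if __name__ == "__main__":
    print(run_demo())
```

Switch-side controls such as port security (capping learned MACs per port) and DHCP snooping rate limits enforce the same bound in the switch itself rather than after the fact in logs.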