The CEH Network Scanning module explains that ICMP Echo Requests are often filtered or blocked by firewalls, routers, or host-based security controls as a defensive measure to reduce reconnaissance exposure.
When systems fail to respond to ICMP Echo Requests but continue to function normally for other services, CEH indicates that this behavior typically means ICMP traffic is being blocked, not that the host is offline or compromised.
Option B is correct.
Option A would affect all services.
Option C lacks supporting indicators.
Option D is speculative and unreliable.
CEH emphasizes that ICMP filtering is common in hardened networks.

CEH v13 details that fragmentation attacks are a common IDS evasion strategy. Signature-based IDS systems depend on reassembling packets to detect malicious patterns. When attackers fragment TCP headers into smaller segments, the IDS may be unable to reconstruct the original packet sequence, especially if the fragments are intentionally crafted to confuse reassembly buffers. Meanwhile, the target host typically recombines the fragments correctly, allowing the scan or payload to pass undetected. This technique is specifically discussed under IDS evasion methods, where fragmentation prevents complete packet inspection.
Options A and B describe unrelated evasion mechanisms such as IP spoofing and MAC spoofing, and Option C does not fundamentally affect IDS reconstruction. The tester is clearly using packet fragmentation to evade detection while still mapping open ports successfully.

The symptoms point directly to a Slowloris attack, which CEH materials classify as an application-layer denial-of-service technique that targets web servers by exhausting their available concurrent connection slots rather than saturating bandwidth. In a Slowloris attack, the attacker opens many HTTP or HTTPS connections to the server and then keeps them alive as long as possible by sending partial, incomplete HTTP requests or very slow header transmissions at timed intervals. Because the requests are never fully completed, the server keeps the connections open, waiting for the remainder of the request. Over time, the server's maximum connection limit is consumed, and legitimate users cannot establish new sessions, even though overall network traffic may remain relatively low.
That exact pattern is described in the scenario: the server is "struggling to accept new connections," the
"maximum connection limit is nearly reached," and there is "no significant spike in overall network traffic." This is a classic indicator of low-and-slow DoS behavior, which can be harder to detect because it does not resemble a high-volume flood.
A SYN Flood attack can also exhaust connection resources, but it typically creates a large number of half- open TCP connections and is usually more apparent in network-level telemetry and SYN backlog behavior. A UDP Flood generally causes a noticeable traffic spike. "Peer-to-Peer Attack" describes a botnet architecture style, not the specific technique used here. Therefore, the attack being simulated is Slowloris.

The correct answer is Clone Phishing. CEH social engineering material explains that clone phishing occurs when an attacker takes a legitimate message previously received by the victim, duplicates its appearance and content, and modifies a malicious element such as a link or attachment. That matches this scenario exactly:
the attacker reused genuine branding, the original format, sender display style, and subject line, then changed the embedded hyperlink so users would reauthenticate on a fake portal. Consent phishing is a different cloud- focused technique involving malicious OAuth authorization requests. Search engine phishing relies on manipulating search results so victims voluntarily navigate to a fake site. Tabnabbing involves changing the content of an inactive browser tab to a phishing page. None of those fit as closely as clone phishing. CEH guidance stresses that clone phishing is highly convincing because the message is based on a real prior communication that the victim may remember and trust. Since the attacker preserved almost everything from a legitimate message and altered only the actionable malicious link, the scenario is a textbook example of Clone Phishing.

In CEH v13 Information Security and Ethical Hacking Overview, script kiddies are defined as individuals with limited technical knowledge who rely on pre-written tools, scripts, and exploits created by others to carry out attacks. They typically lack a deep understanding of how the underlying exploits work.
CEH v13 categorizes attackers based on skill level and intent. Script kiddies sit at the lower end of the skill spectrum. They often download exploit kits, automated scanners, or attack frameworks and run them with minimal customization. While their attacks may be unsophisticated, they can still cause damage due to the availability of powerful tools.
Option B accurately reflects this definition. Options A and D describe skilled attackers or programmers, which contradicts the CEH classification. Option C is incorrect because ethical hackers use tools responsibly with authorization and possess a strong understanding of security principles.
CEH v13 emphasizes that although script kiddies are less skilled, they pose a risk because automation allows them to exploit known vulnerabilities at scale. This is why organizations must patch systems promptly and implement baseline security controls.
Thus, Option B is the correct answer.