A sophisticated injection attack bypassed validation using obfuscation. What is the best future defense?
Correct Answer: B
CEH v13 emphasizes that advanced injection attacks often evade input validation through encoding and obfuscation. A Web Application Firewall (WAF) with evasion detection can analyze request patterns, payload behavior, and anomalies in real time. Code reviews are important but reactive. SIEM correlates logs after attacks. 2FA does not prevent injection. Thus, Option B provides the most effective immediate protection.
312-50v13 Exam Question 32
A financial institution's online banking platform is experiencing intermittent downtime caused by a sophisticated DDoS attack that combines SYN floods and HTTP GET floods from a distributed botnet. Standard firewalls and load balancers cannot mitigate the attack without affecting legitimate users. To protect their infrastructure and maintain service availability, which advanced mitigation strategy should the institution implement?
Correct Answer: D
Comprehensive Explanation from CEH v13 Courseware: CEH v13 underscores that modern multi-vector DDoS attacks, particularly SYN floods combined with Layer 7 HTTP floods, cannot be effectively mitigated by traditional firewalls, IPS devices, or local traffic filters. These systems become overwhelmed or risk blocking legitimate clients. CEH emphasizes the use of cloud-based DDoS mitigation platforms that provide traffic scrubbing, distributed filtering, rate shaping, and automatic scaling to absorb massive volumes of malicious traffic. Such services differentiate legitimate versus malicious traffic using global intelligence, behavioral analysis, and multi-layer protection strategies. Increasing bandwidth or blocking broad traffic categories is ineffective and harmful to users. An IPS cannot scale to handle volumetric attacks. Only cloud scrubbing solutions (e.g., Cloudflare, Akamai, AWS Shield Advanced) meet CEH's recommended defenses for high-volume distributed attacks. These services ensure continuous availability and minimize collateral damage by filtering traffic upstream before it reaches the organization's infrastructure.
312-50v13 Exam Question 33
On July 25, 2025, during a security assessment at Apex Technologies in Boston, Massachusetts, ethical hacker Sophia Patel conducts a penetration test to evaluate the company's defenses against a simulated DDoS attack targeting their e-commerce platform. The simulated attack floods the platform with traffic from multiple sources, attempting to overwhelm server resources. The IT team activates a specific tool that successfully mitigates this attack by distributing traffic across multiple servers and filtering malicious requests. Sophia's test aims to verify the effectiveness of this tool in maintaining service availability. Which DoS/DDoS protection tool is most likely being utilized by the IT team in this scenario?
Correct Answer: B
A load balancer is the best match because the key mitigation behavior described is distributing incoming traffic across multiple servers to prevent any single system from being overwhelmed. In CEH coverage of availability attacks, one of the most practical architectural defenses against flooding-based DoS and DDoS is to scale horizontally and place a load-balancing layer in front of a server pool. This allows the organization to absorb spikes by spreading connections and requests across multiple backend nodes, improving resilience and maintaining uptime. The scenario also mentions filtering malicious requests. Modern load balancers commonly provide health checks, rate limiting, connection limiting, and integration with access control rules, and they are often deployed alongside DDoS scrubbing or edge protections. Even when the filtering logic is implemented through integrated security policies or upstream services, the defining characteristic in the prompt is traffic distribution across multiple servers, which is a primary function of load balancing and a common CEH-referenced mitigation strategy for volumetric attacks. A web application firewall focuses on inspecting and blocking malicious HTTP and application-layer payloads such as injection, request anomalies, and known attack patterns, but it is not primarily responsible for distributing traffic across multiple servers. An IPS can block suspicious patterns and exploit attempts, yet it does not typically provide the core traffic distribution function described. A traditional firewall enforces network-level rules and may help with rate limits, but it does not inherently balance traffic across a server farm. Therefore, the most likely tool in use here is a load balancer.
312-50v13 Exam Question 34
During a penetration test at Rocky Mountain Insurance in Denver, ethical hacker Sophia Nguyen attempts to evade detection by fragmenting malicious traffic into smaller packets. The IT security team counters her strategy with a system that monitors traffic for deviations from established baselines, flagging behavior that does not match normal network activity. This allows them to stop Sophia's evasion attempts in real time. Which detection technique is the IT team most likely using in this case?
Correct Answer: D
The correct answer is D, Anomaly-Based Detection, because the scenario explicitly states that the system "monitors traffic for deviations from established baselines" and flags behavior that does not match normal network activity. In CEH-aligned IDS/IPS concepts, anomaly-based detection (also called behavior-based detection) works by building a profile of what "normal" looks like, such as typical packet rates, protocol usage, session patterns, timing, connection distributions, and expected traffic flows, and then identifying events that deviate significantly from those norms. This makes it particularly useful against evasion techniques and previously unseen patterns, because it is not limited to matching known signatures. Sophia's tactic, packet fragmentation, is a classic evasion approach intended to bypass simplistic inspection systems by splitting malicious payloads or attack patterns across multiple fragments so they are harder to reconstruct or match. A baseline-driven anomaly system can still detect the attack because fragmentation itself (or the resulting traffic characteristics) may appear abnormal: unusual fragment counts, unexpected fragment sizes, atypical reassembly behavior, irregular session characteristics, or protocol violations compared to normal traffic profiles. Because the detection is based on behavior rather than a fixed pattern, it can trigger alerts even if the exact malicious payload is not recognized. Why the other options are less correct: Signature-based detection relies on known patterns and may be evaded when attackers modify payloads or fragment traffic to avoid matches. Stateful packet inspection tracks connection state and can help with session validation, but it is not inherently a baseline deviation detector. Deep packet inspection inspects packet contents and can sometimes reassemble fragments depending on implementation, but the question's key clue is "deviations from established baselines," which directly points to anomaly-based detection. Therefore, the IT team is most likely using anomaly-based detection.
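As an added illustration of the baseline approach in this explanation (not code from the CEH courseware or this question set), the script below learns the normal share of IP fragments per one-minute window from constructed counters and flags a window whose fragment ratio deviates by more than three standard deviations, without ever matching a payload signature. The window tuples, the three-sigma threshold, and the fragment-ratio feature are assumptions chosen for the example.

```python
"""Baseline-driven anomaly detection over per-window traffic counters.

Added example, not from the CEH courseware. Records are constructed:
each tuple is (window_id, total_packets, fragmented_packets) for one minute.
"""
from statistics import mean, pstdev

# Constructed "normal" training windows: roughly 2-4% of packets are fragments.
BASELINE_WINDOWS = [
    (1, 1000, 25), (2, 1100, 30), (3, 950, 28), (4, 1050, 35),
    (5, 1200, 40), (6, 980, 22), (7, 1020, 31), (8, 1150, 38),
]

# Constructed observation: window 11 carries a burst of fragmented packets.
OBSERVED_WINDOWS = [(10, 1010, 29), (11, 1000, 300), (12, 1080, 33)]


def fragment_ratio(total, fragmented):
    """Share of packets in the window that are fragments (0.0 for an empty window)."""
    return fragmented / total if total else 0.0


def build_baseline(windows):
    """Learn mean and population std-dev of the fragment ratio from normal traffic."""
    ratios = [fragment_ratio(t, f) for _, t, f in windows]
    return mean(ratios), pstdev(ratios)


def score_windows(windows, baseline, threshold=3.0):
    """Return (window_id, z_score, is_anomalous) for each observed window.

    A window is flagged when its fragment ratio sits more than `threshold`
    standard deviations from the learned mean; payload content is never read.
    """
    mu, sigma = baseline
    results = []
    for wid, total, frag in windows:
        z = (fragment_ratio(total, frag) - mu) / sigma if sigma else 0.0
        results.append((wid, round(z, 2), abs(z) > threshold))
    return results


def flagged_windows(observed=OBSERVED_WINDOWS, training=BASELINE_WINDOWS):
    """IDs of the windows the detector would raise an alert for."""
    baseline = build_baseline(training)
    return [wid for wid, _, hit in score_windows(observed, baseline) if hit]


if __name__ == "__main__":
    for row in score_windows(OBSERVED_WINDOWS, build_baseline(BASELINE_WINDOWS)):
        print(row)
```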
312-50v13 Exam Question 35
During a penetration test at an e-commerce company in Boston, ethical hacker Sophia launches an HTTP flood against the checkout page of the site. The simulated traffic consists of repeated GET and POST requests designed to overload application-layer resources. In response, the IT team activates a security tool that inspects and filters malicious HTTP traffic while allowing legitimate customer requests to pass, ensuring service continuity during the exercise. Which DoS/DDoS protection tool is most likely being used in this scenario?
Correct Answer: B
An HTTP flood is an application-layer (Layer 7) DoS/DDoS technique that targets web application resources by sending large volumes of seemingly valid HTTP GET/POST requests. Because the traffic can look "legitimate" at the protocol level, controls that primarily focus on network/transport characteristics (such as basic firewalls) are often insufficient. The tool described in the scenario is explicitly inspecting and filtering malicious HTTP traffic while allowing legitimate customer requests, and that behavior aligns most directly with a Web Application Firewall (WAF). A WAF is designed to protect web applications by analyzing HTTP/S requests and responses, applying security rules that detect and block abnormal or malicious patterns. In an HTTP flood scenario, a WAF can enforce rate limiting, detect request anomalies (e.g., repeated requests to resource-intensive endpoints like checkout), identify bot-like behavior, and apply signatures/behavioral policies to mitigate attacks while continuing to permit valid users. The key clue is the focus on HTTP-level inspection and filtering to maintain service continuity, a classic WAF use case during Layer 7 attacks. Why the other options are less suitable: A Load Balancer (A) improves availability by distributing traffic across servers, but it does not inherently inspect and filter malicious HTTP requests. It can help absorb load, yet it's not primarily a security inspection/filtering control. An Intrusion Prevention System (C) can block malicious activity, but many IPS deployments are stronger at network/transport-layer patterns and may not provide the same depth of application-aware HTTP policy enforcement as a WAF for targeted web endpoints. A traditional Firewall (D) mainly filters by IP/port/protocol and cannot reliably distinguish malicious vs legitimate HTTP GET/POST floods when they use allowed ports (80/443).
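To show the per-endpoint rate limiting this explanation attributes to a WAF, here is an added example (not any vendor's WAF code) that parses constructed Common Log Format access lines and applies a sliding-window limit on requests to the checkout path per client, passing other paths through untouched. The client addresses, the five-requests-per-ten-seconds policy, and the `/checkout` path are assumptions for the example.

```python
"""Layer 7 rate limiting of the kind a WAF applies during an HTTP flood.

Added example, not vendor code. Log lines are constructed in Common Log
Format; the limit and window are illustrative policy values.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(GET|POST) (\S+) [^"]*" (\d{3})')


def parse_line(line):
    """Return (client_ip, timestamp, method, path), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, _status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path


def _line(ip, sec, method, path):
    """Build one constructed access-log line at 10:00:<sec> on 25 Jul 2025."""
    return f'{ip} - - [25/Jul/2025:10:00:{sec:02d} +0000] "{method} {path} HTTP/1.1" 200 512'


# Constructed sample: one client hammers /checkout, one shops normally.
SAMPLE_LOG = (
    [_line("203.0.113.7", s, "POST", "/checkout") for s in range(7)]
    + [_line("198.51.100.22", 3, "GET", "/checkout"),
       _line("198.51.100.22", 5, "POST", "/checkout"),
       _line("198.51.100.22", 6, "GET", "/products")]
)


def evaluate(lines, protected_path="/checkout", limit=5, window_seconds=10):
    """Sliding-window counter per client on the protected endpoint.

    Returns one (client_ip, 'allow'|'block') decision per request to the
    protected path; requests to other paths are not counted or decided.
    """
    recent = defaultdict(deque)  # client_ip -> request timestamps still in window
    decisions = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[3] != protected_path:
            continue
        ip, ts, _method, _path = rec
        q = recent[ip]
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # forget hits that have aged out of the window
        q.append(ts)
        decisions.append((ip, "block" if len(q) > limit else "allow"))
    return decisions


def blocked_clients(lines=SAMPLE_LOG):
    """Client IPs that received at least one block decision."""
    return {ip for ip, d in evaluate(lines) if d == "block"}
```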