CND (312-38) Network Defense Simulation

In this simulation, you will analyze a large-scale availability attack. Learn to recognize the signatures of coordinated traffic surges and the defensive measures used to mitigate volumetric exhaustion.

Network Scenario

The enterprise e-commerce platform is hosted behind a high-availability cluster in the corporate Data Center. The network edge is protected by a stateful NGFW and a cloud-based traffic scrubbing service. Monitoring tools indicate a sudden, massive spike in ingress bandwidth usage coming from thousands of geographically dispersed IP addresses.

Topology

• Edge Router: BGP peering with ISP
• Firewall: Cisco Firepower (IPS enabled)
• Web Cluster: Nginx Load Balancers
• Target: Public-facing VIP (203.0.113.10)

Network Status

• Bandwidth: 95% utilization
• CPU Load: Critical (Load Balancers)
• TCP State Table: Near capacity

Traffic & Logs

NetFlow and Firewall log aggregate (last 60 seconds):

[21:45:01] ALERT: Ingress bandwidth exceeded threshold: 8.5 Gbps
[21:45:05] FW_LOG: SRC_RANGE=MULTI DST=203.0.113.10 PROTO=TCP DPT=80 FLAGS=SYN
[21:45:08] IPS_EVENT: "TCP SYN Flood from Multiple Sources" Severity: High
[21:45:12] NETFLOW: 450,000 unique source IPs sending 64-byte packets to 203.0.113.10:80
[21:45:15] LB_STATUS: 503 Service Unavailable - Upstream connection timed out

Question

In which of the following attacks do computers act as zombies and work together to send out bogus messages, thereby increasing the amount of phony traffic?

Expert Analysis

1. Network Activity Overview

The NetFlow data shows a volumetric traffic surge characterized by half-open TCP connections (SYN packets) originating from a massive pool of distinct IP addresses. This coordination indicates the use of a Botnet to exhaust the resources (bandwidth and connection tables) of the target web cluster.

2. Identify attack or behavior

This is a Distributed Denial of Service (DDoS) attack. Unlike a simple DoS, which originates from one source, a DDoS leverages a distributed infrastructure of compromised "zombie" machines controlled by a Command and Control (C2) server.

3. Why correct answer is correct

A DDoS attack (Option C) specifically fits the description of using multiple "zombie" computers (members of a botnet) to collectively send bogus traffic. This distribution makes it difficult to block the attack simply by blacklisting a single IP address.

4. Why others are wrong

Smurf attack: This is a specific type of DDoS/amplification attack that uses spoofed ICMP packets to a broadcast address, but it doesn't describe the general concept of "zombies" working together.
Buffer-overflow: An exploit that targets software vulnerabilities by sending more data than a buffer can handle; it is an integrity/access attack, not primarily a multi-source volumetric attack.
Bonk attack: A legacy denial-of-service attack that sends corrupted UDP packets; it is typically a single-source attack and is considered obsolete.

5. Defensive Action

The defender should initiate DDoS Cloud Scrubbing redirecting traffic via DNS or BGP to a provider that can filter out attack signatures before they hit the edge. On the NGFW, enable TCP Intercept/SYN Cookies and apply rate-limiting to SYN packets per source IP.

Mini Lesson: Traffic Pattern Recognition

Volumetric Attacks: Measured in bits per second (bps). Goal is to saturate the pipe. Mitigated by ISP/Scrubbers.
Protocol Attacks: Measured in packets per second (pps). Targets firewalls and load balancers (e.g., SYN Flood). Mitigated by TCP stack hardening.
Application Layer Attacks: Targets specific functions (e.g., HTTP GET/POST flood). Measured in requests per second (rps). Mitigated by WAFs and rate limiting.

Explore more CND simulations