Chapter 45 Β· Tricks & Performance

Trick Questions & Performance Tasks

The DoS and DDoS misconceptions most likely to cost exam points β€” and the performance task that tests whether you can analyze a real amplification attack and build a defense plan.

Trick 1: "A DDoS attack requires the attacker to have more bandwidth than the victim in order to overwhelm them." True or False?
FALSE β€” the attacker does not need their own bandwidth to exceed the victim's. This is precisely what makes DDoS an asymmetric threat.

This is one of the most tested misconceptions in this chapter. The statement sounds logical β€” to overwhelm someone, you need more than they have. But it assumes the attacker only uses their own bandwidth, which is not how DDoS works.

How DDoS actually works:
The attacker issues commands to a botnet of thousands or millions of compromised third-party devices. Each device uses its own internet connection to send attack traffic. The attacker's personal bandwidth is irrelevant β€” they do not participate in the attack traffic directly. They send a command; the botnet generates the traffic.

A botnet of 500,000 home connections each generating 2 Mbps of attack traffic produces 1 Tbps of aggregate attack traffic. The attacker may have a 10 Mbps consumer connection β€” a hundred thousand times less than the attack they just launched. The victim may operate a 100 Gbps internet connection and still be overwhelmed.

Amplification multiplies this further:
With DNS amplification (86Γ—) or NTP amplification (up to 550Γ—), each botnet device's traffic contribution is multiplied before reaching the victim. Even a modest botnet can generate catastrophic traffic volumes via amplification.

Exam tip: The word "asymmetric" in "asymmetric threat" is the answer to why this statement is false. The attacker leverages disproportionate impact from modest personal resources by using botnet scale and amplification. Never assume the attacker needs equivalent or superior personal resources.
Trick 2: "A DoS attack only counts as a DoS if an attacker is deliberately causing the service disruption. An accidental outage caused by a misconfiguration is just an outage, not a DoS." True or False?
FALSE β€” denial of service describes the effect on availability, not the intent. Accidental outages caused by misconfiguration qualify as denial-of-service events, specifically categorized as "friendly DoS."

This trick tests whether you understand that DoS is a category of availability failure, not exclusively a category of malicious attack. The Security+ course explicitly covers "friendly DoS" β€” unintentional denial of service β€” as a distinct and important category.

Why the distinction matters on the exam:
Questions may describe a scenario involving an accidental outage and ask what type of event it is. Candidates who believe "DoS = attacker" will either mis-categorize the event or fail to recognize it as a DoS scenario requiring the same mitigation thinking as a deliberate attack.

The three friendly DoS scenarios from the course:
(1) Layer 2 loop without STP β†’ broadcast storm β†’ network unavailable. No attacker. (2) Large download over a limited connection β†’ bandwidth saturation β†’ production traffic fails. No attacker. (3) Water pipe breaks above the data center β†’ infrastructure failure β†’ services down. No attacker.

All three produce the same result: services are unavailable to legitimate users. The business impact is identical to a deliberate attack. The response and recovery are similar. The prevention strategy (good design, monitoring, redundancy) overlaps significantly with deliberate DoS defenses.

Exam tip: When a question describes a service outage caused by a misconfiguration, a cabling error, or an infrastructure failure β€” especially if it involves a network loop, bandwidth saturation, or physical incident β€” the correct category is "friendly DoS" or "unintentional DoS." Do not require an attacker to classify something as denial of service.
Trick 3: "Blocking all traffic from the IP addresses participating in a DDoS attack is an effective countermeasure that will stop the attack." True or False?
FALSE β€” IP-based blocking is impractical as a primary DDoS defense because the attack uses too many sources, and blocking them causes collateral damage to legitimate traffic.

This misconception is intuitive β€” if you know who is attacking you, block them. It works against simple single-source DoS. Against DDoS, it fails on multiple levels.

Why IP-based blocking fails for DDoS:
(1) Scale: a botnet of 500,000 devices produces 500,000 source IPs. An administrator cannot manually add 500,000 block rules, and automated block rules at that scale consume router/firewall resources faster than the attack traffic itself in some implementations. (2) Collateral damage: botnet devices are real computers belonging to real people β€” home users, small businesses, universities. Their IP addresses are legitimate. Blocking them blocks legitimate users who might be trying to access your service from the same ISP ranges. (3) Rotation: sophisticated botnets rotate which bots are actively attacking, churning through IP addresses faster than blocks can be applied. (4) Reflection amplification: in a DNS amplification attack, the traffic comes from legitimate DNS servers β€” blocking "all traffic from DNS servers" would break DNS for the victim.

What actually works:
Rate limiting (per source IP or per traffic type), anycast routing to distribute traffic across global points of presence, upstream filtering at the ISP or DDoS mitigation provider level, scrubbing centers that distinguish legitimate from attack traffic, and geographic traffic analysis. These approaches handle scale that manual IP blocking cannot.

Exam tip: "Block all attacking IPs" is a distractor answer for DDoS questions. The correct answer is DDoS mitigation services, rate limiting, redundancy, or upstream filtering β€” approaches that handle the distributed, high-volume nature of the attack rather than chasing individual source IPs.
Trick 4: "DNS amplification attacks work because DNS servers have been misconfigured with vulnerabilities that allow attackers to exploit them." True or False?
FALSE β€” DNS amplification exploits the normal, intended behavior of open DNS resolvers, not a vulnerability or misconfiguration in their software.

This misconception conflates "the DNS server is being used for an attack" with "the DNS server has a vulnerability." The DNS server is working exactly as designed. It receives a query and responds with the requested data. There is no software flaw being exploited.

What actually makes it exploitable:
(1) Open resolver configuration: the DNS server is configured to respond to recursive queries from any IP address on the internet, not just its own authorized clients. This is technically a configuration policy choice, not a software vulnerability β€” but it is one that should not be made for public DNS servers. (2) IP spoofing capability: the attacker can forge the source IP in packets because basic IP has no source authentication. If ISPs implemented BCP38 ingress filtering universally, spoofed packets would be dropped at the source network before reaching the resolver. (3) Asymmetric response size: DNS responses are inherently larger than queries for certain record types. This is a design characteristic of the protocol, not a bug.

The protocol abuse, not exploitation, framing:
The exam source material specifically says amplification attacks use "protocols with little (if any) authentication or checks" β€” NTP, DNS, ICMP. The attack abuses these protocols' legitimate behavior (large responses to small queries, no source verification) rather than exploiting a defect in them.

Exam tip: DNS amplification β‰  DNS vulnerability. The correct framing is that open DNS resolvers are abused as amplifiers by exploiting the protocol's normal response behavior and the lack of source IP authentication in IP. Patching DNS software does not stop the attack β€” closing open resolvers and implementing BCP38 does.
Performance Task: You are a senior network security engineer at a mid-size e-commerce company. Your site processes about 50,000 orders per day and runs on infrastructure hosted at a single data center with a 10 Gbps internet connection. The security team has just detected the beginning of what appears to be a DNS amplification DDoS attack β€” inbound traffic has spiked from a normal 200 Mbps baseline to 8.5 Gbps in the last ten minutes, and the traffic analysis shows it is all DNS response packets from hundreds of different DNS server IP addresses worldwide. The site is starting to slow significantly. Describe your immediate response, your investigation steps to confirm the attack type, your short-term mitigation options given that you have no pre-existing DDoS mitigation service contract, and the long-term controls you would recommend implementing before this happens again.
Model Answer:

Immediate Response (First 15 minutes):
(1) Declare the incident and activate the response team β€” this is a P1 event. Alert management, the on-call team, and any relevant stakeholders. DoS events have direct business impact (order processing failing). (2) Contact your upstream ISP immediately β€” even without a DDoS mitigation service, your ISP may have upstream filtering capabilities they can apply. Ask them to rate-limit or null-route attack traffic upstream of your connection. This is your fastest available relief. (3) Apply rate limiting at your edge router or firewall β€” configure rate limiting on DNS response traffic (UDP port 53, inbound, from external IPs). This will drop some attack traffic before it reaches your application servers. It will also drop some legitimate DNS traffic β€” acceptable in an emergency to keep the site partially operational. (4) Communicate with customers β€” if the site is degraded, put up a status page update. Do not let users discover the outage without acknowledgment.

Investigation β€” Confirm the Attack Type:
(1) Confirm it is DNS amplification: verify that the traffic is all inbound UDP packets on port 53 (DNS response port) from many different source IPs. DNS amplification produces responses, not queries β€” if you are seeing DNS responses you did not request, the attack is confirmed. (2) Check for IP spoofing indicators: can you verify in your flow data that these DNS responses correlate to outgoing DNS queries from your servers? If your servers are not generating the queries, the responses are unsolicited and the source IPs on the original queries were spoofed to your address. (3) Look for a secondary attack: with your team fully engaged on the DDoS, check whether any other anomalous activity is occurring simultaneously β€” DNS record changes, authentication events, data access spikes. A DDoS used as a smokescreen is a real scenario. Assign one analyst specifically to watch for secondary indicators rather than having everyone focused on the traffic flood. (4) Estimate time to saturation: at 8.5 Gbps with a 10 Gbps link, you are 85% utilized and degrading. Estimate how long before full saturation and total site failure β€” this determines urgency of escalation.

Short-Term Mitigation (No Pre-Existing DDoS Service):
(1) Emergency DDoS mitigation onboarding β€” major DDoS mitigation providers (Cloudflare, Akamai, AWS Shield Advanced) offer emergency onboarding. This typically involves routing your traffic through their scrubbing infrastructure via BGP or DNS changes. Time to activate: minutes to hours depending on the provider. This is your most important short-term action. (2) DNS-based mitigation: if your domain is managed in a DNS platform that has DDoS protection (e.g., Cloudflare Proxy), point your domain to their infrastructure. Anycast routing distributes the incoming traffic across their global PoPs, each absorbing a fraction of the volume. (3) Null-route the target IP temporarily: if the attack is targeting one specific IP (your public-facing IP), and you have a secondary IP or can redirect traffic, null-routing the targeted IP stops the flood from consuming your connection while you reconfigure. Temporary service disruption, but controlled rather than total degradation. (4) Geo-filtering as a temporary measure: if your business is primarily domestic (e.g., US-only e-commerce), temporarily block all traffic from regions you do not serve. This will block many botnet IPs concentrated in certain regions while allowing domestic traffic through. Blunt instrument β€” not a real solution β€” but may provide temporary relief.

Long-Term Controls to Prevent Recurrence:
(1) Contract with a DDoS mitigation provider before the next attack β€” the lesson of this incident is that emergency onboarding under fire costs time. A pre-existing contract with Cloudflare, Akamai, or similar means the mitigation is always-on or instantly activatable. This is the most important recommendation. (2) Multi-homed internet connectivity: a single 10 Gbps connection is a single point of failure. Two 10 Gbps connections with different ISPs allows continued operations at reduced capacity if one is being attacked, and gives you two upstream ISP relationships for filtering assistance. (3) Ensure no open DNS resolvers on your infrastructure: while your organization is being attacked as a victim in this incident, verify that your own DNS infrastructure is not configured as an open resolver that could be used to attack others β€” and close any that are found. (4) Implement BCP38 ingress filtering (if you have your own IP space): configure edge routers to drop packets from your network with source IPs that are not in your allocated range. This prevents your infrastructure from being used to amplify attacks against others. (5) DDoS response runbook: document the exact steps taken during this incident into a formal runbook β€” ISP contact numbers, escalation paths, edge router configurations for rate limiting, DDoS provider onboarding steps. The next incident should not require the team to figure out the process under pressure.