Exam CV0-003 topic 1 question 103 discussion

of all the suggested answers C is most likely

Hard to imagine D as the answer. 72.135.10.100 is a public ip address. For D to be the correct (gateway address of 72.135.10.1) the subnet would have to be 255.255.255.0 and that makes no sense.

Denial of service attack. Since the attacker's public IP is taking up all the available network sockets (not all shown), legitimate customers are unable to connect. Block this with the firewall (WAF). Port 0 will show up if there’s fragmented IP traffic, like a DNS response which exceeds the historic maximum size of 512 bytes.

Im going with C

i dont see why D would be the correct choice, NETSTAT "TIME_WAIT" indicates normal traffic and waiting for any more packets after the syn/ack/syn, so there must be connections to the webserver from client machines. It seems like these answer choices are not related to the actual problem. BUT.....if i had to choose one, maybe the number of connections coming from a single IP could be signs of a resource exhaustion attack. In theory, if an attacker was hitting the server hard, it could cause an apache/IIS server to crash thus resulting in a "service not available". I wish there was another choice pointing to the listening port needing to be reconfigured.

Period.....

I'm looking at C pretty hard here, possible attack?

This is one of those "Best Answer" scenarios; there is no "Good" answer. A, B, and C can be eliminated leaving D as the best answer even though D isn't a clear answer with the information provided. A - private IP on a public web server, NO. B - using only UDP, NO. C - block the user with issues vs resolving the issues, NO.

sometimes, WAF will filter out the SYNC packet during the TCP handshake. C may be the answer.

None of these makes sense. The rightmost IP address should be the foreign address, not the public IP of the server. Who made this?

TCP TIME_WAIT is a normal TCP protocol operation, it means after delivering the last FIN-ACK, client side will wait for double maximum segment life (MSL) Time to pass to be sure the remote TCP received the acknowledgement of its connection termination request. By default, MSL is 2 minutes. For the maximum, it can stay in TIME_WAIT for 4 minutes known as two MSL From Network perspective, TCP TIME_WAIT status is just a normal behavior that after closing the session, TCP stack will hold the high port for little more time to ensure the other side receive the last FIN-ACK packet and no more data will be received in this conversation. TIME_WAIT is not the problem. I would suggest you focus on RPC error for this issue. https://docs.microsoft.com/en-us/answers/questions/230227/time-wait-from-netstat.html

Can someone explain why it is D?