Here are 10 MCQs on Distributed Denial-of-Service (DDoS) attacks with answers and detailed explanations:
1. Which of the following best differentiates a DDoS attack from a DoS attack?
a) A DDoS attack uses a single source, while a DoS attack uses multiple sources.
b) A DoS attack targets application layers, while a DDoS attack targets network layers.
c) A DDoS attack uses multiple compromised systems, while a DoS attack uses a single system.
d) A DoS attack is always more severe than a DDoS attack.
Answer: c) A DDoS attack uses multiple compromised systems, while a DoS attack uses a single system.
Explanation: The key differentiator is the “distributed” nature of DDoS attacks. A DoS attack originates from one source, which makes it easier to identify and block, while a DDoS attack leverages a network of compromised devices (a botnet), so the traffic arrives from many sources at once.
2. Which of the following attack vectors is characteristic of a “volumetric” DDoS attack?
a) Exploiting vulnerabilities in application code.
b) Saturating network bandwidth with high volumes of traffic.
c) Targeting specific application layer requests.
d) Corrupting data within a database.
Answer: b) Saturating network bandwidth with high volumes of traffic.
Explanation: Volumetric attacks aim to overwhelm network capacity by flooding it with traffic, such as UDP floods or ICMP floods.
3. What is the primary function of a “botnet” in a DDoS attack?
a) To provide real-time analytics of network traffic.
b) To act as a centralized command and control server.
c) To distribute malicious software to end-users.
d) To generate and send attack traffic towards the target.
Answer: d) To generate and send attack traffic towards the target.
Explanation: Botnets are networks of compromised devices (bots) controlled by an attacker. They are used to generate and launch the massive traffic required for a DDoS attack.
4. Which layer of the OSI model is primarily targeted by an “application layer” DDoS attack?
a) Physical Layer (Layer 1)
b) Network Layer (Layer 3)
c) Transport Layer (Layer 4)
d) Application Layer (Layer 7)
Answer: d) Application Layer (Layer 7)
Explanation: Application layer attacks target specific applications or services, such as web servers, by exploiting vulnerabilities or overwhelming them with requests.
5. What is the purpose of “reflection” in a DDoS attack?
a) To obscure the source of the attack by bouncing traffic off intermediary servers.
b) To amplify attack traffic by exploiting vulnerabilities in network protocols.
c) To encrypt attack traffic to evade detection.
d) To create a persistent connection between the attacker and the target.
Answer: a) To obscure the source of the attack by bouncing traffic off intermediary servers.
Explanation: Reflection attacks use legitimate servers or services as intermediaries: requests are sent to them with the target's address forged as the source, so their replies are directed at the target. Because the traffic the target sees comes from those intermediaries, the attack's true origin is difficult to trace.
6. Which of the following best describes the “low and slow” DDoS attack strategy?
a) Launching a short, intense burst of traffic to overwhelm the target.
b) Sending a continuous stream of small, seemingly legitimate requests to exhaust server resources.
c) Using a combination of volumetric and application layer attacks.
d) Targeting network infrastructure devices, such as routers and switches.
Answer: b) Sending a continuous stream of small, seemingly legitimate requests to exhaust server resources.
Explanation: “Low and slow” attacks are designed to be difficult to detect because they mimic normal traffic patterns, gradually depleting server resources.
7. What is the role of a “content delivery network (CDN)” in mitigating DDoS attacks?
a) To block all incoming traffic to the origin server.
b) To distribute traffic across multiple servers, absorbing attack traffic.
c) To encrypt all communication between the client and the server.
d) To provide real-time intrusion detection and prevention.
Answer: b) To distribute traffic across multiple servers, absorbing attack traffic.
Explanation: A CDN serves content from a geographically distributed network of servers, so attack traffic is spread across many points of presence and absorbed there instead of reaching and overwhelming the origin server.
8. Which protocol is commonly exploited in “DNS amplification” DDoS attacks?
a) TCP (Transmission Control Protocol)
b) UDP (User Datagram Protocol)
c) HTTP (Hypertext Transfer Protocol)
d) ICMP (Internet Control Message Protocol)
Answer: b) UDP (User Datagram Protocol)
Explanation: DNS amplification attacks rely on the connectionless nature of UDP, which allows the source address of a query to be forged, and on DNS responses that are much larger than the queries that trigger them, so a small volume of requests generates a large volume of traffic aimed at the target.
9. What is the primary objective of “SYN flood” DDoS attacks?
a) To exploit vulnerabilities in application code.
b) To overwhelm the target server with incomplete TCP connection requests.
c) To saturate network bandwidth with ICMP packets.
d) To corrupt data within a database.
Answer: b) To overwhelm the target server with incomplete TCP connection requests.
Explanation: SYN flood attacks exploit the TCP three-way handshake by sending a flood of SYN packets without completing the handshake. Each one leaves a half-open connection on the server, exhausting its connection-tracking resources so that legitimate connections cannot be accepted.
10. Which of the following is a key mitigation strategy for application layer DDoS attacks?
a) Implementing rate limiting and traffic filtering based on application behavior.
b) Increasing network bandwidth to absorb attack traffic.
c) Deploying firewalls to block all incoming traffic.
d) Using intrusion detection systems to identify malicious IP addresses.
Answer: a) Implementing rate limiting and traffic filtering based on application behavior.
Explanation: Application layer attacks use requests that look legitimate at the network level, so generic measures such as extra bandwidth or blanket blocking do not help. Mitigation requires application-aware techniques, such as rate limiting and filtering based on request patterns, that can distinguish legitimate requests from malicious ones.