Free Cisco 200-201 Actual Exam Questions - Question 9 Discussion

Question No. 9
Refer to the exhibit.
An engineer received a ticket about a slowed-down web application. The engineer runs the #netstat -an command. How must the engineer interpret the results?
Omar G.
2026-02-10

C makes sense since SYN_RECV backlog usually means a SYN flood attack underway.

0
Shah A.
2026-02-04

Can someone confirm if SYN_RECV count is unusually high here? That’s key.

0
Ravi X.
2026-02-02

It’s C. Seeing a large number of connections stuck in SYN_RECV usually signals a SYN flood attack, which is a classic DoS method. Legitimate traffic wouldn’t pile up so many half-open connections like that. The other options don’t really fit since a man-in-the-middle wouldn’t cause this kind of connection pattern, and just claiming more data is needed ignores the obvious SYN flood signs here.

0
Ravi X.
2026-01-30

C/B? The large number of connections stuck in SYN_RECV usually points to a SYN flood DoS attack, since legitimate traffic wouldn’t pile up there like that. But without more info—like timestamps or CPU load—it’s hard to fully rule out heavy but normal traffic causing slowdowns. Definitely not D, since man-in-the-middle won’t show this kind of connection storm in netstat. So it’s between C for the attack or B if you want to be more cautious and collect more data before jumping to conclusions.

0
Peter O.
2026-01-23

C imo, the sheer number of connections with many in the SYN_RECV state screams SYN flood, a classic DoS attack sign. If it was legit traffic, you’d expect more varied states, not a buildup waiting to be acknowledged. A man-in-the-middle wouldn’t necessarily cause this kind of connection spike either.

0
Amit G.
2026-01-15

C/D? The netstat output might show many connections, but is that definitely a DoS or could it be something else like a MITM risk? Need more info on the connection states.

0
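
The thread turns on whether the SYN_RECV count is unusually high relative to the other connection states. The following is an added example, not part of the thread or the exam material, that tallies TCP states per local port from `netstat -an` output and flags ports where half-open connections dominate. It assumes the Linux net-tools column layout; the sample output, the function names and both thresholds are constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed Linux `netstat -an` sample (documentation addresses), not the exam exhibit.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:40112      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.8:51844      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:33010       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.9:61223       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.77:12001      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.200:45990    SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.23:52311     ESTABLISHED
tcp        0      0 192.0.2.10:22           192.0.2.50:50022        ESTABLISHED
"""

def tally(netstat_text):
    """Return per-local-port state counts and the set of SYN_RECV peer hosts."""
    states, peers = defaultdict(Counter), defaultdict(set)
    for line in netstat_text.splitlines():
        f = line.split()
        # TCP rows have six fields; headers and UDP rows (no State) are skipped.
        if len(f) != 6 or not f[0].startswith("tcp"):
            continue
        local_port = f[3].rpartition(":")[2]   # last colon also handles IPv6
        peer_host = f[4].rpartition(":")[0]
        states[local_port][f[5]] += 1
        if f[5] == "SYN_RECV":
            peers[local_port].add(peer_host)
    return states, peers

def flag_half_open(netstat_text, min_half_open=5, ratio=3.0):
    """List (port, syn_recv, established, distinct_peers) for suspicious ports.

    min_half_open and ratio are illustrative thresholds, not standard values;
    baseline them against the server's normal load before relying on them.
    """
    states, peers = tally(netstat_text)
    findings = []
    for port, c in sorted(states.items()):
        half, est = c["SYN_RECV"], c["ESTABLISHED"]
        if half >= min_half_open and half >= ratio * max(est, 1):
            findings.append((port, half, est, len(peers[port])))
    return findings

if __name__ == "__main__":
    for port, half, est, n in flag_half_open(SAMPLE):
        print(f"port {port}: {half} SYN_RECV vs {est} ESTABLISHED from {n} peers")
```

A single snapshot only shows the ratio at one moment; running the tally repeatedly and comparing it with a known-good baseline is what separates a sustained half-open backlog from a brief burst of legitimate connections.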