Free Cisco 400-007 Actual Exam Questions - Question 15 Discussion
plan to prevent infected devices on your network from sourcing random DDoS attacks using forged
source address?
C imo. Strict mode forces the router to verify that the source IP is reachable via the interface it came in on, which really cuts down on spoofed addresses. Loose mode (B) lets packets through as long as the source IP exists somewhere in the routing table, so it’s less strict against spoofing. Since the question is about stopping forged source addresses in DDoS attacks, strict mode fits better if your network routing allows it without dropping legit traffic. A and D don’t directly address source IP validation, so they’re less relevant here.
Actually, D doesn’t make sense since filtering by destination won’t stop spoofed source addresses causing DDoS. A is too broad and not specific to source spoofing prevention. Between B and C, strict mode (C) enforces that packets must come from the expected interface based on routing, which is the best way to block spoofed sources if your network routes are stable. Loose mode (B) lets some spoofed traffic through if routes are asymmetric, so it’s less reliable. So C is the most solid choice if you want to really prevent source address forgery.
C/B split, but C is more foolproof if routing is stable and symmetric.
B imo, unicast RPF loose mode still checks if the source IP is reachable via the routing table, so it can catch a lot of spoofed addresses without breaking asymmetric routing setups. Strict mode (C) might be too rigid and lead to false drops if your network isn’t perfectly symmetrical. Also, ACL forwarding (A) can block known bad IPs but won’t dynamically stop spoofed traffic like RPF. D is definitely off since filtering by destination doesn’t address source spoofing at all. So loose mode is a safer, more flexible way to reduce forged source attacks in most real-world networks.
A imo, ACL based forwarding can block traffic from suspicious sources before it enters or leaves the network, which helps stop devices with spoofed IPs in their packets.
D won’t help because filtering by destination doesn’t stop spoofed source IPs.
It’s C because strict mode actually forces incoming packets to match the expected interface, which is the best way to block forged source addresses in DDoS attacks. Loose mode’s too lenient for this purpose.
Option B makes good sense since unicast RPF in loose mode verifies if the source IP is reachable anywhere in the routing table, which helps catch spoofed addresses without being as restrictive as strict mode. This means it can still prevent DDoS attacks from forged sources while accommodating asymmetric routing, which is common in many networks. ACLs filtering by destination or forwarding (A and D) won’t really help with source spoofing, so those are less relevant here. Loose mode seems like the balanced choice to me if you want security without risking dropping legitimate traffic due to path
B/C? I get the point about strict mode (C) being tighter, but if the network has any asymmetric routing, strict mode can block legit traffic, which is risky. Loose mode (B) checks if the source IP is reachable via any interface, which still stops spoofed addresses without the strict interface match. ACLs (A/D) are too static and might not cover all spoofed cases effectively. So between B and C, I’d pick B for a safer balance in real networks that might not have perfect routing symmetry.
Maybe C makes more sense here because strict mode RPF denies packets if the source address doesn’t match the incoming interface, which directly stops spoofed sources often used in DDoS attacks.
A imo, ACL based forwarding can help block traffic with spoofed source IPs by explicitly denying invalid sources. It’s a straightforward approach alongside RPF checks.
B. Loose mode (B) is often the safer bet for preventing spoofed source addresses without risking legitimate traffic drops in complex networks with asymmetric routing. Strict mode (C) can block spoofed packets but might be too aggressive if routes aren’t symmetrical, causing false positives. Since the question doesn’t specify network topology, loose mode provides a balance of security and flexibility. ACLs (A and D) alone won’t effectively prevent forged source addresses since they typically filter based on destination or general forwarding rules, not source validation like uRPF does.
B, loose mode is more flexible and still helps catch spoofed addresses without breaking asymmetric routes.
C only, strict mode blocks spoofed IPs effectively.