CISCO CCNA 200-301 Q137

Which two features do Cisco routers offer to mitigate distributed denial-of-service (DDoS) attacks? (Choose two.)

A. Anti-DDoS guard
B. Scatter tracing
C. Access control lists (ACLs)
D. Flow control
E. Rate limiting

Correct Answer: C, E

Cisco routers use access control lists (ACLs) and blackholing features to help mitigate distributed denial-of-service (DDoS) attacks. A DoS attack is an attack in which legitimate users are denied access to networks, systems, or resources. One of the most common DoS attacks is the DDoS attack, which is executed by using multiple hosts to flood the network or send requests to a resource. The difference between DoS and DDoS is that in a DoS attack, an attacker uses a single host to send multiple requests, whereas in DDoS attacks, multiple hosts are used to perform the same task.

Cisco routers offer the following features to mitigate DDoS attacks:

– ACLs: Filter unwanted traffic, such as traffic that spoofs company addresses or is aimed at Windows control ports. However, an ACL is not effective when network address translation (NAT) is implemented in the network.
– Rate limiting: Minimizes and controls the rate of bandwidth used by incoming traffic.
– Traffic-flow reporting: Creates a baseline for the network that is compared with the network traffic flow, helping you detect any intrusive network or host activity.
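
The ACL and rate-limiting features above, sketched as a Cisco IOS configuration fragment. This is an added example, not part of the original question or answer key. It assumes 203.0.113.0/24 is the company's own prefix, GigabitEthernet0/0 is the Internet-facing interface, TCP 135/139/445 and UDP 137-138 are the Windows ports to block, and ICMP is the traffic class to police; the ACL, class-map and policy-map names are hypothetical.

```cisco
! Constructed example: all addresses, names and rates are placeholders.
!
! ACL: drop inbound packets that claim the company's own source
! addresses (spoofing) or target Windows RPC/NetBIOS/SMB ports.
ip access-list extended EDGE-IN
 remark Packets from outside must not carry an internal source address
 deny   ip 203.0.113.0 0.0.0.255 any
 remark Windows RPC, NetBIOS and SMB are not offered to the Internet
 deny   tcp any any eq 135
 deny   udp any any range 137 138
 deny   tcp any any eq 139
 deny   tcp any any eq 445
 permit ip any any
!
! Rate limiting: classify inbound ICMP and police it to 64 kbps.
ip access-list extended ICMP-TRAFFIC
 permit icmp any any
!
class-map match-all ICMP-CLASS
 match access-group name ICMP-TRAFFIC
!
policy-map EDGE-POLICE
 class ICMP-CLASS
  police 64000 8000 conform-action transmit exceed-action drop
!
! Apply both to traffic arriving on the Internet-facing interface.
interface GigabitEthernet0/0
 ip access-group EDGE-IN in
 service-policy input EDGE-POLICE
```

`show access-lists EDGE-IN` reports per-entry match counters, and `show policy-map interface GigabitEthernet0/0` reports conformed and exceeded packet counts for the policer.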

Apart from these features offered by Cisco routers, the following methods can also be used to mitigate DDoS attacks:

– Using a firewall, you can block or permit traffic entering a network.
– The systems vulnerable to attacks can be shifted to another location or a more secure LAN.
– Intrusion Detection Systems (IDS), such as Network Intrusion Detection Systems (NIDS) and Host Intrusion Detection Systems (HIDS), can be implemented to detect intrusive network or host activity such as a DoS attack, and raise alerts when any such activity is detected.

Anti-DDoS guard and scatter tracing are incorrect because these features are not offered by Cisco routers to mitigate DDoS attacks.

Flow control is incorrect because flow control is used to prevent the loss of traffic between two devices.