ECCouncil Updated 312-50v13 Exam Questions and Answers by inaaya

This scenario matches a Teardrop attack, which exploits IP fragmentation reassembly weaknesses by sending fragments with overlapping or inconsistent offset fields. In a teardrop attack, the attacker crafts IP fragments so that when the target attempts to reassemble them into the original datagram, the fragment offsets and sizes do not align correctly (often overlapping). Vulnerable systems can experience errors in the reassembly process, leading to CPU/memory exhaustion, crashes, or instability in the network stack. The question highlights “manipulated offset fields and overlapping payload offsets,” “repeated attempts to reconstruct,” and “deliberately malformed offsets that trigger processing errors rather than a simple flood,” which are all core teardrop characteristics.

The impact described—system crashes and service disruption without abnormal bandwidth usage—also fits. This is not a volumetric DoS (like ICMP flood); it’s a malformed-packet attack that targets protocol stack processing. The key is that the attacker is exploiting how the target handles fragmented packets, causing excessive processing and failure during reassembly.

Why the other options are less accurate:

Fragmentation attack (A) is a broader category and could include many fragmentation-based manipulations, but “overlapping offsets causing reassembly failure” is the classic teardrop pattern.

ICMP flood (B) is bandwidth/packet-rate driven and does not involve IP fragment offset manipulation.

Ping of Death (D) involves oversized ICMP packets (often via fragmentation) exceeding maximum IP size, causing crashes on vulnerable stacks; the scenario instead emphasizes overlapping offsets and reassembly logic errors rather than oversized packet size.

Therefore, Sofia is most likely simulating C. Teardrop Attack.

The defense described—keeping user inputs separate from the SQL statement and binding them as fixed values before execution—is the defining characteristic of parameterized queries (prepared statements). This is one of the most effective and widely recommended countermeasures against SQL injection because it prevents attacker input from being interpreted as SQL code.

In a vulnerable application, developers often build SQL statements by concatenating strings, such as " SELECT ... WHERE user= ' " + input + " ' " . In that pattern, malicious payloads can alter the query structure (adding conditions, UNIONs, comments, or stacked queries). With prepared statements, the SQL engine receives the query structure first (the template), and then receives the parameter values separately. The database treats the parameters strictly as data, not executable SQL. As a result, even if an attacker submits quotes, keywords, or operators, those characters remain part of the parameter value and cannot change the query’s logic.

The scenario specifically says inputs are “bound as fixed values,” which is direct language associated with parameter binding. That makes option D the best answer.

Why the other options are less accurate:

User input validation (A) is helpful but can be bypassed and is not as robust as parameterization; also the described mechanism is not validation but binding separation.

Restrict database access (B) is a defense-in-depth measure (least privilege) that reduces impact, but it does not inherently stop injection from occurring.

Encoding the single quote (C) is a legacy/insufficient approach; encoding or escaping can be error-prone and DBMS-specific, and it does not match the description of parameters being bound separately.

Therefore, the application is using D. Use parameterized queries or prepared statements.

The symptoms point directly to a Slowloris attack, which CEH materials classify as an application-layer denial-of-service technique that targets web servers by exhausting their available concurrent connection slots rather than saturating bandwidth. In a Slowloris attack, the attacker opens many HTTP or HTTPS connections to the server and then keeps them alive as long as possible by sending partial, incomplete HTTP requests or very slow header transmissions at timed intervals. Because the requests are never fully completed, the server keeps the connections open, waiting for the remainder of the request. Over time, the server’s maximum connection limit is consumed, and legitimate users cannot establish new sessions, even though overall network traffic may remain relatively low.

That exact pattern is described in the scenario: the server is “struggling to accept new connections,” the “maximum connection limit is nearly reached,” and there is “no significant spike in overall network traffic.” This is a classic indicator of low-and-slow DoS behavior, which can be harder to detect because it does not resemble a high-volume flood.

A SYN Flood attack can also exhaust connection resources, but it typically creates a large number of half-open TCP connections and is usually more apparent in network-level telemetry and SYN backlog behavior. A UDP Flood generally causes a noticeable traffic spike. “Peer-to-Peer Attack” describes a botnet architecture style, not the specific technique used here. Therefore, the attack being simulated is Slowloris.

The CEH DDoS Mitigation Strategies section explains that load balancing distributes traffic across multiple servers or infrastructure components to prevent any single resource from being overwhelmed.

By using hardware load balancers and cloud-based traffic distribution, organizations can:

Absorb large volumes of attack traffic

Maintain service availability

Ensure legitimate users are served

Option B is correct and directly matches CEH’s definition.

Option A drops all traffic, including legitimate requests.

Option C focuses on traffic analysis rather than distribution.

Option D limits traffic rather than distributing it.

CEH strongly recommends load balancing as a core DDoS resilience mechanism.