ECCouncil Updated 312-50v13 Exam Questions and Answers by kamari

CEH materials describe RDDoS (Ransom DDoS) attacks as threat-driven extortion campaigns where attackers demand payment and demonstrate capability by launching a short-lived DDoS burst. The purpose is to intimidate the victim into paying before a larger, sustained attack begins. The attack described uses HTTP floods with incomplete POST requests—an application-layer DDoS technique that consumes server resources by forcing the target to hold open connections. This kind of demonstration followed by an extortion email aligns precisely with RDDoS behavior. DRDoS attacks involve reflection/amplification through third-party servers, which is not occurring here. Pulse wave attacks use timed bursts and do not involve extortion, while recursive GET floods do not match the incomplete POST behavior. Therefore, the correct classification is RDDoS.

This scenario clearly aligns with a Pulse Wave DDoS attack, a sophisticated denial-of-service technique described in CEH v13 Network and Perimeter Hacking. Unlike traditional volumetric DDoS attacks that rely on sustained flooding, pulse wave attacks deliver short, extremely high-volume bursts of traffic, followed by periods of inactivity.

The defining characteristics described—intermittent spikes exceeding 300 Gbps, regular intervals (every 10 minutes), and temporary recovery—are hallmark indicators of pulse wave attacks. CEH v13 explains that attackers use this method to overwhelm server resources, trigger auto-scaling failures, exhaust mitigation thresholds, and evade detection systems that rely on sustained traffic baselines.

Option A is incorrect because UDP floods are continuous. Option B (HTTP GET flood) targets the application layer with sustained requests. Option C (PDoS) permanently damages hardware, which does not match the recurring pattern.

Pulse wave attacks are particularly effective against large platforms like streaming services because they:

Exploit elasticity limits of cloud infrastructure

Confuse rate-based detection systems

Cause repeated service degradation without long attack durations

CEH v13 emphasizes that pulse wave attacks are difficult to mitigate without adaptive, behavior-based DDoS protection. Therefore, Option D is the correct and CEH-aligned answer.

When a switch's ARP cache is flooded using a tool like Macof (from the Dsniff suite), it overwhelms the device's MAC address table, which stores port-to-MAC mappings.

If the table overflows:

The switch can no longer associate MAC addresses with specific ports.

It fails open and begins forwarding frames out all ports — just like a hub.

This degrades the switch’s functionality and allows attackers to sniff traffic on segments that should otherwise be isolated.

From CEH v13 Courseware:

Module 8: Sniffing → Switch-based Attacks

The security strategy that you would likely suggest is to adopt a Continual/Adaptive Security Strategy involving ongoing prediction, prevention, detection, and response actions to ensure comprehensive computer network defense. This strategy is based on the concept of continuous monitoring and improvement of the security posture of an organization, using a feedback loop that integrates various security activities and technologies. A Continual/Adaptive Security Strategy aims to proactively identify and mitigate emerging threats, vulnerabilities, and risks, as well as to respond effectively and efficiently to security incidents and breaches. A Continual/Adaptive Security Strategy can help enhance the organization’s security stance by providing the following benefits12:

It can reduce the attack surface and the exposure time of the organization’s network infrastructure, by applying timely patches, updates, and configurations, as well as by implementing security controls and policies.

It can increase the visibility and awareness of the organization’s network activity and behavior, by collecting, analyzing, and correlating data from various sources, such as logs, sensors, alerts, and reports.

It can improve the detection and prevention capabilities of the organization, by using advanced tools and techniques, such as artificial intelligence, machine learning, threat intelligence, and behavioral analytics, to identify and block malicious or anomalous patterns and indicators.

It can enhance the response and recovery processes of the organization, by using automated and orchestrated actions, such as isolation, quarantine, remediation, and restoration, to contain and resolve security incidents and breaches, as well as by conducting lessons learned and root cause analysis to prevent recurrence.

The other options are not as appropriate as option C for the following reasons:

A. Develop an in-depth Risk Management process, involving identification, assessment, treatment, tracking, and review of risks to control the potential effects on the organization: This option is not sufficient because risk management is only one aspect of a comprehensive security strategy, and it does not address the dynamic and evolving nature of cyber threats and vulnerabilities. Risk management is a process of identifying, analyzing, evaluating, and treating the risks that may affect the organization’s objectives and operations, as well as monitoring and reviewing the effectiveness of the risk treatment measures3. Risk management can help the organization prioritize and allocate resources for security, but it cannot guarantee the prevention or detection of security incidents and breaches, nor the response and recovery from them.

B. Establish a Defense-in-Depth strategy, incorporating multiple layers of security measures to increase the complexity and decrease the likelihood of a successful attack: This option is not optimal because defense-in-depth is a traditional and static approach to security, and it may not be able to cope with the sophisticated and persistent attacks that exploit unknown or zero-day vulnerabilities. Defense-in-depth is a strategy of implementing multiple and diverse security controls and mechanisms at different layers of the organization’s network infrastructure, such as perimeter, network, endpoint, application, and data, to provide redundancy and resilience against attacks4. Defense-in-depth can help the organization protect its assets and systems from unauthorized access or damage, but it cannot ensure the timely detection and response to security incidents and breaches, nor the continuous improvement of the security posture.

D. Implement an Information Assurance (IA) policy focusing on ensuring the integrity, availability, confidentiality, and authenticity of information systems: This option is not comprehensive because information assurance is a subset of cybersecurity, and it does not cover all the aspects of a holistic security strategy. Information assurance is a discipline of managing the risks associated with the use, processing, storage, and transmission of information and data, and ensuring the protection of the information and data from unauthorized access, use, disclosure, modification, or destruction5. Information assurance can help the organization safeguard its information and data from compromise or loss, but it does not address the prevention, detection, and response to security incidents and breaches, nor the adaptation and innovation of the security technologies and processes.