CSA (312-39) SOC Simulation Lab

Welcome to the SOC. In this scenario, you will apply network defense concepts to mitigate an active volumetric attack. Your objective is to understand how edge controls impact threat visibility and response capabilities.

Scenario Context

Your organization is currently experiencing a 50Gbps TCP SYN Flood targeting the external customer portal. A Tier 2 analyst escalated the ticket because they are unable to identify the source of the botnet to apply targeted Access Control Lists (ACLs).

You review the router configurations and traffic patterns to determine why the SOC lacks visibility into the true origin of the malicious traffic.

Security Environment

You pull NetFlow logs from the core edge router and observe the anomalous inbound traffic:

[NETFLOW ALERT - EDGE ROUTER 01]
Attack Type: TCP SYN Flood
Interface: GigabitEthernet0/0/0 (WAN Edge - Inbound)
Destination: 198.51.100.45 (Customer Web Portal)

[TOP INBOUND SOURCE IPs OBSERVED]
- 198.51.100.22 (Wait, this is our own subnet!)
- 10.0.0.5 (RFC1918 Private IP - Should not be on WAN)
- 169.254.1.1 (APIPA Address space)
- 203.0.113.99 (Valid external IP)

[L2 ANALYST NOTES]
"The attackers are randomizing the source IPs on every packet. Because the IPs are heavily spoofed, any IP blocks we apply are useless and might drop legitimate traffic. We can't trace the actual botnet nodes."

Question

Which of the following techniques protects against flooding attacks originating from valid prefixes (IP addresses), so that the traffic can be traced to its true source?

SOC Hint: To stop spoofed IP addresses from entering your network, you need a control at the boundary that checks if incoming packets actually belong to the networks they claim to be from. Think about the direction of the traffic arriving at your perimeter.

Expert Insight

1. What is happening?

The SOC is dealing with a distributed denial-of-service (DDoS) attack utilizing IP Spoofing. The attackers are forging the source IP address in the IP header. Because the router is accepting these packets without validating them, the SOC's logs are filled with garbage IPs (including private and internal addresses). You cannot trace or block the real attackers until the spoofed traffic is dropped at the edge.

2. Why is "Ingress Filtering" the correct answer?

Ingress Filtering is a network edge technique that drops incoming packets whose source IP addresses do not belong to the expected downstream network. If an ISP or enterprise implements ingress filtering (often via Unicast Reverse Path Forwarding or uRPF), packets claiming to be from "10.0.0.5" arriving on the public Internet WAN interface will be instantly dropped.

By enforcing this, attackers cannot spoof their IPs. They are forced to use their actual, allocated IP addresses. This makes the flooding attack visible, traceable, and significantly easier for the SOC and ISPs to mitigate.

3. Why are the other options incorrect?

  • Egress Filtering: Incorrect. Egress filtering stops your network from sending spoofed or unauthorized traffic out to the internet. It protects others from you, but doesn't protect you from inbound spoofed floods.
  • Rate Limiting / Throttling: Incorrect. These are volumetric controls (QoS/Policing). They cap the bandwidth of the attack, but they do nothing to validate the source IP or help you trace the attack to its true source.

4. Real-World SOC Application

When investigating a volumetric DDoS, the first thing a Tier 3 analyst checks is the validity of the source IPs. If you see Bogon space (RFC 1918) hitting your external firewall's outside interface, your edge routers are misconfigured. Ingress filtering (BCP 38) is an industry-standard best practice that every ISP and enterprise edge should have enabled. If you can't see the real IP, you can't write a reliable detection rule in your SIEM or a block rule in your WAF/Firewall.

Mini Lesson: uRPF and BCP 38

In Cisco and Juniper environments, ingress filtering is typically implemented with Unicast Reverse Path Forwarding (uRPF).

When a packet arrives, uRPF looks at the source IP and checks the routing table. If the router doesn't have a route back to that source IP out of the same interface the packet arrived on (Strict Mode), it assumes the IP is spoofed and drops the packet. This is the technical implementation of the BCP 38 standard.
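The following is an added illustration, not code from the lab or from any router vendor: a small model of the uRPF decision described above, run over the four source IPs from the NetFlow alert. The routing table, interface names for the DMZ and LAN, and the bogon list are assumptions for the example; it also models the real-world caveat that uRPF ignores a default route unless allow-default is enabled, which is why a bogon ACL is still needed beside strict uRPF on a WAN interface.

```python
import ipaddress

# Constructed routing table for the lab's edge router (an assumption, not the
# scenario's real config): prefix -> interface the router would use to reach it.
ROUTES = {
    ipaddress.ip_network("0.0.0.0/0"):       "GigabitEthernet0/0/0",  # default, WAN
    ipaddress.ip_network("198.51.100.0/24"): "GigabitEthernet0/0/1",  # portal DMZ
    ipaddress.ip_network("10.0.0.0/8"):      "GigabitEthernet0/0/2",  # internal LAN
}

# Source ranges that never legitimately arrive from the Internet (RFC 1918,
# link-local/APIPA, loopback, "this" network, multicast, reserved).
BOGONS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "127.0.0.0/8", "0.0.0.0/8", "224.0.0.0/4", "240.0.0.0/4")]

def best_route(addr):
    """Longest-prefix match; returns (network, interface) or None."""
    hits = [(n, i) for n, i in ROUTES.items() if addr in n]
    return max(hits, key=lambda h: h[0].prefixlen) if hits else None

def edge_filter(src_ip, ingress_intf, mode="strict", allow_default=True):
    """Decide whether a packet with this source IP, arriving on ingress_intf,
    passes the edge's ingress filter. Returns (verdict, reason)."""
    addr = ipaddress.ip_address(src_ip)
    if any(addr in n for n in BOGONS):
        return "drop", "bogon source on external interface"
    route = best_route(addr)
    # uRPF ignores a default route unless allow-default is enabled, since a
    # default route would make every unroutable source look "reachable".
    if route is not None and route[0].prefixlen == 0 and not allow_default:
        route = None
    if route is None:
        return "drop", "uRPF: no return route to source"
    if mode == "loose":
        return "forward", "uRPF loose: return route exists"
    if route[1] != ingress_intf:
        return "drop", f"uRPF strict: return route is via {route[1]}"
    return "forward", f"uRPF strict: return route via {ingress_intf}"

if __name__ == "__main__":
    # The four top sources from the lab's NetFlow alert, all inbound on the WAN edge.
    for ip in ("198.51.100.22", "10.0.0.5", "169.254.1.1", "203.0.113.99"):
        print(ip, *edge_filter(ip, "GigabitEthernet0/0/0"))
```

Only 203.0.113.99 survives strict-mode filtering on the WAN interface, which is exactly the set of sources an analyst can act on; note that 198.51.100.22 passes in loose mode because a route to it exists, just not via the WAN.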
