CEH v13 312-50v13 Passing Score

The capability described is Kubernetes self-healing, a core behavior emphasized in CEH cloud and container security coverage when discussing resilience, availability, and fault tolerance in containerized environments. Self-healing means Kubernetes continuously monitors the desired state of workloads and automatically acts when the current state deviates due to failures. If a node crashes, a container exits unexpectedly, or a pod becomes unhealthy, Kubernetes responds by restarting containers, recreating pods, and rescheduling workloads onto healthy nodes to maintain service continuity. This directly matches the scenario where containers are “automatically replaced and rescheduled” from failed nodes to keep payment services highly available.

While several Kubernetes components participate in achieving this outcome, the feature name most aligned with the described behavior is self-healing. Kubernetes uses controllers and the scheduler to implement it: deployments and replica sets ensure the correct number of pod replicas exist; liveness and readiness probes detect unhealthy containers; and when nodes become NotReady, pods are evicted and recreated elsewhere. This is exactly how Kubernetes supports uninterrupted operations for critical applications such as payment processing platforms.

Option B, kube-controller-manager, is a control-plane component that runs multiple controllers, and it contributes to enforcing desired state, but the question asks for the feature capability rather than the specific internal process that provides it. Option C, container orchestration, is broader and includes deployment, scaling, and management, but it is less precise than self-healing for the specific behavior of automatic replacement and rescheduling after failures. Option A is unrelated to availability behavior.

Padding oracle attacks exploit systems that reveal differences in error responses when incorrectly padded ciphertext is submitted. CEH explains that these variations allow attackers to iteratively determine valid padding bytes and ultimately decrypt or modify encrypted data without knowledge of the key.

The CEH Web Application Hacking module identifies Session Fixation as a powerful session management attack that can bypass advanced authentication controls, including MFA.

In session fixation, the attacker forces the victim to authenticate using a session ID already known to the attacker. Once authentication completes, the attacker hijacks the valid session without needing credentials.

Option A directly targets session management logic.

Option B exploits authorization logic, not session handling.

Option C is unrelated to session management.

Option D is mitigated by encrypted cookies and HTTPS.

CEH explicitly warns that applications must regenerate session IDs after authentication.

The key indicator is that the switch’s CAM table was overwhelmed and the attacker’s machine started receiving traffic not originally destined for it. That is the hallmark of MAC flooding. Switches maintain a CAM (Content Addressable Memory) table mapping MAC addresses to switch ports. Under normal conditions, this allows a switch to forward frames only to the correct destination port (unicast switching). In a MAC flooding attack, the attacker sends a large volume of frames with many spoofed source MAC addresses, rapidly filling the CAM table. Once the table is full, the switch may fail open for unknown unicast traffic and begin broadcasting (flooding) frames out multiple ports, similar to a hub-like behavior. This causes unintended packet exposure and allows the attacker to capture traffic from other hosts, enabling sniffing of multiple sessions.

The scenario explicitly mentions switch instability, traffic leakage, receiving packets not destined for the attacker, and CAM table exhaustion—these are directly aligned with MAC flooding mechanics.

Why the other options don’t match as well:

ARP poisoning (C) is a man-in-the-middle technique that manipulates ARP caches to redirect traffic through the attacker. It does not typically overwhelm the switch’s CAM table, and the symptom is traffic redirection rather than CAM exhaustion.

VLAN hopping (B) is a VLAN segmentation bypass (e.g., switch spoofing or double-tagging) and is about crossing VLAN boundaries, not causing CAM table overflow and switch-wide flooding behavior. The mention of multiple VLANs seeing leakage could be a downstream consequence of flooding/misconfiguration, but the decisive clue is CAM table overload.

DNS poisoning (A) targets name resolution and would not produce CAM table exhaustion or switch instability.

Therefore, Sarah most likely used D. MAC Flooding.