PDF 312-50v13 Study Guide

Comprehensive and Detailed Explanation:

Tshark is the command-line version of Wireshark. The correct syntax for filtering packets from a subnet:

sudo tshark -f "net 192.168.8.0/24"

This captures only the traffic from that IP range. It’s ideal for cron jobs and automated monitoring.

From CEH v13 Courseware:

Module 8: Sniffing → Tshark and Wireshark Usage

Dynamic ARP inspection (DAI) protects switching devices against Address Resolution Protocol (ARP) packet spoofing (also known as ARP poisoning or ARP cache poisoning).

DAI inspects ARPs on the LAN and uses the information in the DHCP snooping database on the switch to validate ARP packets and to protect against ARP spoofing. ARP requests and replies are compared against entries in the DHCP snooping database, and filtering decisions are made based on the results of those comparisons. When an attacker tries to use a forged ARP packet to spoof an address, the switch compares the address with entries in the database. If the media access control (MAC) address or IP address in the ARP packet does not match a valid entry in the DHCP snooping database, the packet is dropped.

CEH emphasizes that application-layer DoS attacks are often the most difficult to detect and mitigate because they can mimic legitimate user behavior while exhausting backend resources. A distributed SQL injection–driven DoS (Option B) can be especially challenging: attackers send requests that appear valid at the HTTP level, but the injected or crafted parameters force the application/database to execute expensive queries (heavy joins, sleep/delay functions, or costly operations). When distributed across many sources, the traffic can look like normal customer usage—successful TCP handshakes, valid HTTP requests, and realistic user-agent patterns—while still causing database connection pool exhaustion, CPU spikes, lock contention, and degraded response times.

Option A (Smurf) and Option D (UDP/DNS flooding) are more volumetric/network-layer patterns and are typically mitigated with upstream DDoS scrubbing, rate limiting, and filtering, and are more readily detectable via traffic anomalies. Option C (zero-day RCE) is severe, but it is not primarily a “DoS technique” in CEH classification; it’s an exploitation scenario that may lead to service outage, but the detection/mitigation path centers on exploit prevention, EDR, patching, and containment rather than DoS controls. In CEH terms, Option B aligns best with a sophisticated, scenario-like DoS that blends into normal app activity.

CEH mitigation approaches for application-layer DoS include WAF rules, input validation/parameterization (preventing SQLi), query cost controls, rate limiting by behavior, caching, database hardening, and anomaly detection at the application and database tiers.

A digital signature is a mathematical technique used to validate the authenticity and integrity of a message, software, or digital document. It's the digital equivalent of a handwritten signature or stamped seal, but it offers far more inherent security. A digital signature is intended to solve the problem of tampering and impersonation in digital communications.

Digital signatures can provide evidence of origin, identity, and status of electronic documents, transactions, or digital messages. Signers can also use them to acknowledge informed consent.

Digital signatures are based on public-key cryptography, also known as asymmetric cryptography. Two keys are generated using a public key algorithm, such as RSA (Rivest-Shamir-Adleman), creating a mathematically linked pair of keys, one private and one public.

Digital signatures work through public-key cryptography's two mutually authenticating cryptographic keys. The individual who creates the digital signature uses a private key to encrypt signature-related data, while the only way to decrypt that data is with the signer's public key.