GIAC GCED Exam - Topic 3 Question 31 Discussion

Actual exam question for GIAC's GCED exam
Question #: 31
Topic #: 3

A compromised router is reconfigured by an attacker to redirect SMTP email traffic to the attacker's server before sending packets on to their intended destinations. Which IP header value would help expose anomalies in the path outbound SMTP/Port 25 traffic takes compared to outbound packets sent to other ports?

Suggested Answer: C (the Time to Live value)

In a case study of a redirect tunnel set up on a compromised router, anomalies were noticed while watching network traffic with the tcpdump packet sniffer.

Packets going to port 25 (Simple Mail Transfer Protocol [SMTP], used by mail servers and other Mail Transfer Agents [MTAs] to send and receive e-mail) were apparently taking a different network path: their TTLs were consistently three less than those of packets to other destination ports. Since every router decrements the TTL by one, that indicates three additional network hops were being taken by the SMTP traffic.

The other IP header values listed, such as the fragment offset, do not normally change with the route a packet takes and so would not expose the detour. The acknowledgement number is a TCP header field, not an IP header field.
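The check described in the explanation above, written out as an added example (not code from the page or from the GIAC case study): group the packets a host sends by destination port, take that host's usual TTL as the baseline, and flag any port whose packets consistently arrive with a lower TTL. The capture lines, the sending host 10.0.0.5 and the thresholds are constructed assumptions. Two caveats a practitioner would want: the sniffer must sit past the extra hops (a capture on the sending host's own segment sees the initial TTL no matter where a router later sends the packet), and TTLs must be compared per source host, because the initial TTL depends on the operating system (commonly 64, 128 or 255).

```python
import re
from collections import Counter, defaultdict

# Constructed sample capture (not from the page or the GIAC case study).
# Single-line records in the style of `tcpdump -nn -v`, taken at a point
# downstream of the compromised router, so the detour shows up as a lower
# TTL. Host 10.0.0.5 sends with TTL 64; its port 25 packets arrive with TTL 61.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP (tos 0x0, ttl 64, id 1001, offset 0, flags [DF], proto TCP (6), length 60) 10.0.0.5.51001 > 203.0.113.10.443: Flags [S], seq 1, win 64240, length 0
12:00:01.000200 IP (tos 0x0, ttl 61, id 1002, offset 0, flags [DF], proto TCP (6), length 60) 10.0.0.5.51002 > 198.51.100.25.25: Flags [S], seq 1, win 64240, length 0
12:00:01.000400 IP (tos 0x0, ttl 64, id 1003, offset 0, flags [DF], proto TCP (6), length 60) 10.0.0.5.51003 > 203.0.113.11.80: Flags [S], seq 1, win 64240, length 0
12:00:01.000600 IP (tos 0x0, ttl 61, id 1004, offset 0, flags [DF], proto TCP (6), length 52) 10.0.0.5.51002 > 198.51.100.25.25: Flags [.], ack 1, win 64240, length 0
12:00:01.000800 IP (tos 0x0, ttl 64, id 1005, offset 0, flags [DF], proto TCP (6), length 52) 10.0.0.5.51001 > 203.0.113.10.443: Flags [.], ack 1, win 64240, length 0
12:00:01.001000 IP (tos 0x0, ttl 62, id 1006, offset 0, flags [DF], proto TCP (6), length 60) 10.0.0.5.51004 > 203.0.113.12.993: Flags [S], seq 1, win 64240, length 0
12:00:01.001200 IP (tos 0x0, ttl 61, id 1007, offset 0, flags [DF], proto TCP (6), length 52) 10.0.0.5.51002 > 198.51.100.25.25: Flags [P.], seq 1:20, ack 1, win 64240, length 19
12:00:01.001400 IP (tos 0x0, ttl 64, id 1008, offset 0, flags [DF], proto TCP (6), length 52) 10.0.0.5.51003 > 203.0.113.11.80: Flags [.], ack 1, win 64240, length 0
12:00:01.001600 IP (tos 0x0, ttl 55, id 9001, offset 0, flags [DF], proto TCP (6), length 60) 203.0.113.10.443 > 10.0.0.5.51001: Flags [S.], seq 7, ack 2, win 65535, length 0
12:00:01.001800 ARP, Request who-has 10.0.0.1 tell 10.0.0.5, length 28
"""

# Pulls the TTL from the IP header summary and the addresses/ports that follow it.
RECORD_RE = re.compile(
    r"ttl (?P<ttl>\d+),.*?\) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)


def parse_record(line):
    """Extract TTL, source, destination and destination port from one record.
    Returns None for lines that carry no IPv4 header summary (e.g. ARP)."""
    m = RECORD_RE.search(line)
    if not m:
        return None
    return {"ttl": int(m["ttl"]), "src": m["src"],
            "dst": m["dst"], "dport": int(m["dport"])}


def ttl_by_port(capture, src_host):
    """Per destination port, a Counter of TTLs on packets sent by src_host.
    Only that host's own packets count, so OS-specific initial TTLs of other
    hosts (and inbound replies) cannot masquerade as a path difference."""
    profile = defaultdict(Counter)
    for line in capture.splitlines():
        rec = parse_record(line)
        if rec and rec["src"] == src_host:
            profile[rec["dport"]][rec["ttl"]] += 1
    return profile


def find_path_anomalies(capture, src_host, min_samples=3, min_hop_delta=2):
    """Flag destination ports whose packets consistently arrive with a TTL
    below the host's baseline (the most common TTL across all its packets).
    Returns {dport: (port_ttl, baseline_ttl, extra_hops)}; min_samples avoids
    flagging a port on a single packet, min_hop_delta ignores one-hop jitter."""
    profile = ttl_by_port(capture, src_host)
    if not profile:
        return {}
    all_ttls = Counter()
    for counts in profile.values():
        all_ttls.update(counts)
    baseline_ttl = all_ttls.most_common(1)[0][0]
    anomalies = {}
    for dport, counts in profile.items():
        seen = sum(counts.values())
        port_ttl = counts.most_common(1)[0][0]
        extra_hops = baseline_ttl - port_ttl  # each router decrements TTL by one
        if seen >= min_samples and extra_hops >= min_hop_delta:
            anomalies[dport] = (port_ttl, baseline_ttl, extra_hops)
    return anomalies


if __name__ == "__main__":
    for dport, (ttl, base, hops) in find_path_anomalies(SAMPLE_CAPTURE, "10.0.0.5").items():
        print(f"port {dport}: TTL {ttl} vs baseline {base}, {hops} extra hop(s)")
```

On the constructed capture only port 25 is reported (TTL 61 against a baseline of 64, three extra hops); the single port 993 packet with TTL 62 stays below `min_samples` and is not flagged, and the inbound reply from 203.0.113.10 is ignored because its source is not the host being profiled. On a real capture, feed it `tcpdump -nn -v` output filtered to one source host and lower `min_samples` only once you have enough traffic per port to trust the mode.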


Contribute your Thoughts:
Verona
3 months ago
Wait, I didn’t know TTL could be used like that!
upvoted 0 times
Juliana
3 months ago
Acknowledgement number might not help with this specific issue.
upvoted 0 times
Hyun
4 months ago
Not so sure about that, isn’t the checksum more relevant?
upvoted 0 times
Svetlana
4 months ago
Totally agree, TTL can reveal path changes!
upvoted 0 times
Celestina
4 months ago
I think the Time to Live value would show differences in routing.
upvoted 0 times
Dorthy
4 months ago
Fragment offset seems less relevant to this scenario. I lean towards TTL since it can indicate if the packet is taking an unusual route.
upvoted 0 times
Cassi
4 months ago
I practiced a question similar to this, and I feel like the Acknowledgement number might not be the right choice since it’s more about confirming receipt rather than path anomalies.
upvoted 0 times
Jennifer
4 months ago
I'm not entirely sure, but I remember something about the checksum being important for integrity. Could it help identify anomalies?
upvoted 0 times
Marget
5 months ago
I think the Time to Live (TTL) value could be useful here since it changes as packets traverse different routers, right?
upvoted 0 times
Madonna
5 months ago
I'm leaning towards the time to live (TTL) value. That's often a good way to detect if traffic is being routed through an unexpected path. I'll focus on that as my primary strategy for this question.
upvoted 0 times
Ashton
5 months ago
The fragment offset seems like an interesting option. If the attacker is reconfiguring the router, that could potentially impact how the packets are fragmented. I'll have to think about that one a bit more.
upvoted 0 times
Terrilyn
5 months ago
This seems like a tricky one, but I think the key is to look for any differences in the IP header values between the SMTP/Port 25 traffic and other outbound traffic. The time to live (TTL) value could be a good indicator of anomalies in the path.
upvoted 0 times
Talia
5 months ago
Hmm, I'm not sure about this one. The checksum might be a good place to start, since that could potentially change if the traffic is being redirected. But I'm not totally confident that's the right answer.
upvoted 0 times
Kiera
5 months ago
This looks like a tricky one. I'll need to carefully consider the different log sources and think about which one would provide the most relevant information for troubleshooting the password rotation issue.
upvoted 0 times
Lelia
5 months ago
Behavior-based protection sounds like it could be related to endpoint security, so I'll try Cortex XDR.
upvoted 0 times
