Cisco Conducting Forensic Analysis and Incident Response Using Cisco CyberOps Technologies (CBRFIR) 300-215 Question # 19 Topic 2 Discussion

300-215 Exam Topic 2 Question 19 Discussion:
Question #: 19
Topic #: 2

An engineer received a call to assist with an ongoing DDoS attack. The Apache server is being targeted, and availability is compromised. Which step should be taken to identify the origin of the threat?


A.

An engineer should check the list of usernames currently logged in by running the command $ who | cut -d' ' -f1 | sort | uniq


B.

An engineer should check the server's processes by running the commands ps -aux and sudo ps -a


C.

An engineer should check the services on the machine by running the command service --status-all


D.

An engineer should check the last hundred entries of a web server with the command sudo tail -100 /var/log/apache2/access.log

