ECCouncil 312-50v13 Dumps Questions Answers

CEH defines botnets as networks of compromised machines controlled remotely to perform coordinated activities such as DDoS attacks, spam campaigns, and credential theft. Systems showing outbound connections to unknown IPs and participating in mass spam dissemination are characteristic indicators of botnet infection.

The behavior described most closely matches an insider attack, because the actor is a temporary contractor who has physical proximity and implicit access to internal areas where employees work and handle sensitive information. In CEH guidance, an “insider” is not limited to permanent employees; it includes contractors, vendors, interns, and any trusted or semi-trusted individuals who can enter facilities or access internal environments. The attack combines two common insider-facilitated techniques: shoulder surfing and dumpster diving. Recording employees entering passwords is a form of shoulder surfing, where credentials are harvested by observing or capturing authentication entry through direct viewing or recording devices. Finding sensitive documents in a trash bin indicates dumpster diving, where attackers recover confidential information from improperly disposed materials.

These actions are typically feasible because the attacker is already inside the perimeter and can exploit weak operational security practices, such as lack of clean-desk enforcement, inadequate shredding policies, and insufficient physical monitoring of visitor or contractor activity. CEH materials emphasize that insider threats are particularly dangerous because they bypass many external perimeter controls and can blend into normal workplace behavior.

The other options do not fit. A distribution attack generally refers to compromise introduced through supply chain or third-party distribution channels, not on-site observation and trash retrieval. A passive attack is too generic and does not capture the key element of an authorized or trusted presence enabling the compromise. “Cisco-in attack” is not a standard CEH attack category for this scenario. Therefore, the most accurate classification is an insider attack.

The symptoms point to a rogue DHCP scenario, which CEH materials commonly describe as a method attackers use to disrupt networks or perform man-in-the-middle attacks. If an unauthorized device begins answering DHCP requests faster than the legitimate DHCP server, endpoints may receive incorrect IP settings such as a fake default gateway or DNS server. This causes loss of connectivity to internal applications like a CRM system and can silently redirect traffic through an attacker-controlled host. The question explicitly mentions “irregular IP assignment attempts” tied to an unfamiliar device, which aligns strongly with rogue DHCP behavior rather than ARP-only manipulation or simple MAC-limit violations.

DHCP snooping is a Layer 2 security feature on Cisco switches that filters untrusted DHCP messages and allows only authorized DHCP servers on trusted ports. When enabled for the affected VLAN, the switch will drop DHCP offers and acknowledgments arriving on untrusted access ports, stopping the rogue device from leasing addresses. Option A, ip dhcp snooping vlan 10, is the command that applies DHCP snooping protection to the specific VLAN experiencing the issue, which matches the “subnet logs” and the localized impact described.

Option B, Dynamic ARP Inspection, primarily mitigates ARP spoofing and relies on DHCP snooping bindings, but it does not directly stop rogue DHCP leasing. Option D, port security, can limit MAC addresses but does not specifically block DHCP server behavior. Option C enables the feature globally but does not target the VLAN; the VLAN-specific activation in A best matches the scenario and the immediate restoration of correct addressing and connectivity.