
Exam CS0-003 topic 1 question 11 discussion

Actual exam question from CompTIA's CS0-003
Question #: 11
Topic #: 1

An incident response team receives an alert to start an investigation of an internet outage. The outage is preventing all users in multiple locations from accessing external SaaS resources. The team determines the organization was impacted by a DDoS attack. Which of the following logs should the team review first?

  • A. CDN
  • B. Vulnerability scanner
  • C. DNS
  • D. Web server
Suggested Answer: C

Comments

nmap_king_22
Highly Voted 1 year, 7 months ago
Selected Answer: C
In the case of an internet outage caused by a Distributed Denial of Service (DDoS) attack that is preventing users from accessing external SaaS resources, the incident response team should review the DNS (Domain Name System) logs first.

Explanation: DDoS attacks often involve overwhelming the DNS infrastructure to disrupt normal internet services. By reviewing DNS logs, the incident response team can identify abnormal traffic patterns, unusual queries, and potential signs of a DDoS attack targeting the organization's DNS servers. Analyzing DNS logs can help pinpoint the attack source, the type of attack, and the affected domains.
upvoted 14 times
VVV4WIN
Highly Voted 1 year, 4 months ago
Selected Answer: C
Really tricky one, think it just clicked for me. Let me explain how I see it. The problem is with external SaaS resources (example O365) that your users cannot access from anywhere in the world (multiple locations). The organization affected was not your own, but Microsoft in this example. It will not be your web server, CDN or vulnerability scanner that will show anything, as this was not on your network and you were not the target. Then also take note that many DDoS attacks bring targets down by stopping DNS replication of their services. Your DNS servers will thus show they were not able to find any related DNS records for the O365 resources and thus not able to provide any DNS query responses to the client devices (this all after the DNS record TTL expired and the records needed to be updated). So in my opinion, DNS is the only place that will reflect any of this.
upvoted 7 times
mzajy
1 year, 3 months ago
Users from multiple places cannot reach (((external))) SaaS resources. So in your example, if my employees can't reach O365, how does it relate to my DNS (and not Microsoft's DNS)?
upvoted 2 times
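Added example, not part of the original thread or of any commenter's post: a small Python triage script over a constructed resolver log that covers both views argued above, the inbound-flood picture nmap_king_22 describes (abnormal query volume from one source against the organization's own resolver) and the provider-side picture VVV4WIN describes (the resolver returning SERVFAIL for the SaaS provider's names while internal names still resolve). The log format (`<unix_ts> <client_ip> <qname> <rcode>`), the thresholds, the IP addresses and the hostnames are all assumptions; it is not the syntax of BIND, Unbound or Windows DNS logs, which need their own parsers.

```python
"""Added example (not from the original page): first-pass triage of a DNS
resolver log for the two DDoS signatures the thread discusses.

Assumed log format (constructed, one event per line):
    <unix_ts> <client_ip> <qname> <rcode>
"""
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsEvent:
    ts: int
    client: str
    qname: str
    rcode: str


# Constructed sample: normal internal lookups, SERVFAIL answers for an external
# SaaS tenant's names, and one source hammering the resolver with
# random-subdomain queries (a classic flood against the resolver itself).
SAMPLE_LOG = "\n".join(
    [
        "1700000000 10.0.1.11 intranet.corp.example NOERROR",
        "1700000001 10.0.1.12 mail.corp.example NOERROR",
        "1700000002 10.0.1.11 login.microsoftonline.com SERVFAIL",
        "1700000003 10.0.2.20 outlook.office.com SERVFAIL",
        "1700000004 10.0.1.12 login.microsoftonline.com SERVFAIL",
        "1700000005 10.0.3.30 teams.microsoft.com SERVFAIL",
        "1700000006 10.0.2.20 outlook.office.com SERVFAIL",
        "1700000007 10.0.1.13 login.microsoftonline.com NOERROR",
        "1700000008 10.0.3.30 intranet.corp.example NOERROR",
        "1700000009 10.0.1.14 teams.microsoft.com SERVFAIL",
    ]
    + [f"1700000010 203.0.113.9 r{i}.corp.example NXDOMAIN" for i in range(40)]
)

# NXDOMAIN is a valid, authoritative answer; only these mean "could not resolve".
FAILURE_RCODES = {"SERVFAIL", "TIMEOUT"}


def parse_log(text: str) -> list[DnsEvent]:
    """Parse the assumed format; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, rcode = parts
        events.append(DnsEvent(int(ts), client, qname.lower().rstrip("."), rcode.upper()))
    return events


def zone_of(qname: str) -> str:
    """Collapse a hostname to its last two labels. Good enough for triage;
    a production tool would use the Public Suffix List instead."""
    return ".".join(qname.split(".")[-2:])


def unresolvable_zones(events, min_queries=2, fail_ratio=0.5):
    """Zones whose lookups are mostly failing: what the resolver shows when the
    provider's authoritative DNS is the DDoS target (VVV4WIN's scenario).
    Returns (zone, failed, total) sorted by failure ratio, worst first."""
    total, failed = Counter(), Counter()
    for ev in events:
        z = zone_of(ev.qname)
        total[z] += 1
        if ev.rcode in FAILURE_RCODES:
            failed[z] += 1
    hits = [
        (z, failed[z], total[z])
        for z in total
        if total[z] >= min_queries and failed[z] / total[z] >= fail_ratio
    ]
    return sorted(hits, key=lambda h: (-h[1] / h[2], h[0]))


def flooding_clients(events, window=10, threshold=20):
    """Clients that sent at least `threshold` queries inside one `window`-second
    bucket: the inbound-flood pattern nmap_king_22's comment refers to.
    Returns (client, peak_queries_per_window) sorted by peak, highest first."""
    per_bucket = defaultdict(Counter)
    for ev in events:
        per_bucket[ev.ts // window][ev.client] += 1
    peak = Counter()
    for bucket in per_bucket.values():
        for client, n in bucket.items():
            peak[client] = max(peak[client], n)
    return sorted(((c, n) for c, n in peak.items() if n >= threshold), key=lambda x: -x[1])


def triage(text: str) -> dict:
    """Run both checks over a log text and return the findings together."""
    events = parse_log(text)
    return {
        "unresolvable_zones": unresolvable_zones(events),
        "flooding_clients": flooding_clients(events),
    }


if __name__ == "__main__":
    for finding, value in triage(SAMPLE_LOG).items():
        print(finding, value)
```

Reading the two findings side by side is the point: a single external source with a peak of 40 queries in a 10-second bucket means your own resolver is being flooded, while SERVFAIL concentrated on one external zone with internal names still answering NOERROR means the failure is upstream of you, which matches an outage limited to external SaaS.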
newenglandgirl1078
Most Recent 3 days, 4 hours ago
Selected Answer: C
C. DNS is often targeted in DDoS attacks.
upvoted 1 times
joshua08
7 months, 3 weeks ago
DNS does not use a CDN; a CDN uses DNS. Thus, DNS is the most correct answer.
upvoted 1 times
boog
11 months, 2 weeks ago
Nothing in the question says the type of DDoS. Go to the source of the outage first, the web server logs. Then work backwards towards the users.
upvoted 1 times
sirquinton95
1 year, 1 month ago
Selected Answer: C
DDoS attacks target the Domain Name System infrastructure
upvoted 2 times
Mountain_Man_Yuppie
1 year, 3 months ago
Lots of people are giving compelling reasons for CDN here. I'd like to add the caveat that nowhere in the CompTIA CySA+ book is CDN ever mentioned, so it's most likely DNS.
upvoted 2 times
WaaHassan
1 year, 3 months ago
Selected Answer: C
If I set all the devices on my network to use my internal DNS server, I will be able to access my local resources by name, as well as the internet. However, if my internal DNS server goes down (DDoS attack), my devices will not be able to resolve any domain names, neither local nor external. This means that I will not be able to access any websites or services by name, only by IP address.
upvoted 3 times
RobV
1 year, 4 months ago
Selected Answer: A
A. CDN. Reviewing DNS (Domain Name System) logs is indeed an important aspect of investigating a DDoS attack, but in the context of an internet outage affecting the ability to access external SaaS resources, CDN logs would typically be more directly relevant. While DNS logs are important, CDN logs are likely to provide more directly relevant information about the ongoing DDoS attack and its impact on accessing external SaaS resources during an internet outage.
upvoted 1 times
greatsparta
1 year, 5 months ago
Selected Answer: C
CDN (Content Delivery Network) logs may also be useful in understanding traffic patterns, but DNS logs are generally more directly relevant in the early stages of investigating a DDoS attack.
upvoted 1 times
Sharecyber
1 year, 5 months ago
Selected Answer: C
Most DDoS attacks are in DNS logs
upvoted 3 times
chaddman
1 year, 5 months ago
Selected Answer: A
A. CDN (Content Delivery Network): CDNs are often used to mitigate the effects of DDoS attacks by distributing traffic across multiple servers. CDN logs can provide immediate insights into the nature and scale of the attack, including source IP addresses, types of requests, and geographic origins.
upvoted 3 times
eacunha
1 year, 7 months ago
Selected Answer: C
3. **Vulnerability scanner and web server**: Although these elements are important in a security incident investigation, they will not normally provide immediate information about a DDoS attack in progress. The vulnerability scanner and the web server may be relevant for determining whether the DDoS attack caused other vulnerabilities or damage, but they are not the first line of investigation for identifying and mitigating a DDoS attack. Therefore, reviewing the DNS logs is the best initial option for understanding and dealing with a DDoS attack that is affecting access to the organization's external SaaS resources.
upvoted 2 times
attesco
1 year, 8 months ago
Selected Answer: D
Web server is the answer. What does DNS have to do with it? After all, we are not querying IP addresses or translating.
upvoted 3 times
Uncle_Lucifer
1 year, 7 months ago
DNS is valid, mate. Google how to mitigate DDoS and you will see "Mitigate DNS DDoS".
upvoted 2 times
Uncle_Lucifer
1 year, 7 months ago
A DDoS attack is a type of attack that floods a target with more traffic than it can handle. This can cause the target to become unavailable to legitimate users. The DNS logs will show the IP addresses of the devices that were sending the traffic to the target. This information can be used to identify the attackers. The other logs may also be helpful in investigating a DDoS attack, but they are less likely to provide the same level of detail as the DNS logs.
upvoted 1 times
Community vote distribution: A (35%), C (25%), B (20%), Other