312-50v13 Exam Dumps - Certified Ethical Hacker Exam (CEHv13)

The IT team’s action—capping how many requests a single user can make per second and then delaying or dropping aggressive connections—is the defining behavior of rate limiting. In DDoS conditions, especially when the portal is under a surge of automated or abusive traffic, rate limiting enforces a policy that restricts request frequency from a source (such as an IP address, session, API key, or user identifier). This helps preserve availability by preventing any one client (or a small set of clients) from consuming a disproportionate share of application and infrastructure resources.

The key wording in the scenario is that “aggressive connections are delayed or dropped while most legitimate customers continue to use the service.” Rate limiting is designed for precisely this outcome: it introduces friction for abusive traffic patterns while allowing typical user behavior through. Depending on implementation, controls can respond with delays (throttling), temporary blocks, connection resets, or HTTP error responses (for example, “too many requests”) when limits are exceeded. This is commonly applied at the edge (reverse proxy/CDN), load balancer, WAF, or application gateway to reduce pressure on backend services.

Why the other options are not the best match:

Shutting Down Services (B) is an extreme measure that sacrifices availability to stop an attack; the scenario explicitly states service largely continues.

Absorb the Attack (C) refers to scaling capacity or using scrubbing centers/CDNs to handle volume without necessarily restricting individual requester behavior; the described control is specifically per-user request caps.

Degrading Services (D) generally means intentionally reducing functionality or quality (e.g., disabling non-essential features) to keep core services alive; here, the main technique is enforcing request-rate thresholds.

Thus, the countermeasure strategy being used is A. Rate Limiting.

TCP port 389 is the default port for LDAP (Lightweight Directory Access Protocol). The tester’s actions—performing an anonymous bind and querying directory contents with structured search filters to extract usernames and organizational information—are definitive indicators of LDAP enumeration. LDAP is commonly used for centralized directory services (including environments integrated with Active Directory via LDAP interfaces). If misconfigured to allow anonymous binds or overly permissive searches, an attacker can retrieve valuable identity and structure data.

The scenario describes obtaining usernames, departmental details, and organizational units (OUs). Those are typical LDAP directory attributes and containers. Enumerating them can directly support follow-on attack paths: building targeted password-spraying lists, crafting spear-phishing that references accurate internal roles, identifying privileged groups, and mapping the organization’s structure to prioritize high-value targets. Even without direct credential compromise, directory disclosure increases attacker effectiveness.

Why the other options are incorrect:

SMTP enumeration (A) focuses on email systems (e.g., VRFY/EXPN/RCPT TO behaviors) and typically uses TCP/25 or related mail ports, not 389.

DNS enumeration (B) involves querying DNS records (A/AAAA, MX, NS, TXT, zone transfers) and does not involve directory binds or LDAP filters.

NTP enumeration (D) relates to time services (UDP/123) and provides timing/monlist-style information, not user/OU directory attributes.

Because the service is on TCP/389 and the technique involves binds and directory searches, the correct classification is C. LDAP Enumeration.

The Certified Ethical Hacker (CEH) Web Application Hacking and DoS/DDoS module identifies Slowloris as an application-layer denial-of-service attack that targets web servers by maintaining a large number of half-open HTTP connections.

Slowloris works by sending partial HTTP requests very slowly, preventing the server from closing the connections. CEH documentation highlights that this attack does not rely on high bandwidth, making it difficult to detect using traditional network-based defenses.

Option C accurately matches the described symptoms and CEH’s definition.

Options A and B are network-layer flooding attacks, which were explicitly ruled out.

Option D is a packet fragmentation attack, not an application-layer DoS technique.

CEH stresses tuning connection timeouts and using reverse proxies as mitigations.

According to the Certified Ethical Hacker (CEH) IoT, OT, and SCADA Security module, side-channel attacks exploit indirect information leaks such as power consumption, electromagnetic emissions, timing variations, or thermal output rather than software vulnerabilities.

Option A is correct because monitoring hardware-level anomalies is the primary method for detecting side-channel exploitation. CEH materials emphasize that these attacks bypass traditional security controls.

Option B relates to cryptographic weaknesses, not side-channel analysis.

Option C addresses interface misuse, not covert data leakage.

CEH highlights that SCADA systems are especially vulnerable due to legacy hardware and limited monitoring capabilities.

The defense described—keeping user inputs separate from the SQL statement and binding them as fixed values before execution—is the defining characteristic of parameterized queries (prepared statements). This is one of the most effective and widely recommended countermeasures against SQL injection because it prevents attacker input from being interpreted as SQL code.

In a vulnerable application, developers often build SQL statements by concatenating strings, such as " SELECT ... WHERE user= ' " + input + " ' " . In that pattern, malicious payloads can alter the query structure (adding conditions, UNIONs, comments, or stacked queries). With prepared statements, the SQL engine receives the query structure first (the template), and then receives the parameter values separately. The database treats the parameters strictly as data, not executable SQL. As a result, even if an attacker submits quotes, keywords, or operators, those characters remain part of the parameter value and cannot change the query’s logic.

The scenario specifically says inputs are “bound as fixed values,” which is direct language associated with parameter binding. That makes option D the best answer.

Why the other options are less accurate:

User input validation (A) is helpful but can be bypassed and is not as robust as parameterization; also the described mechanism is not validation but binding separation.

Restrict database access (B) is a defense-in-depth measure (least privilege) that reduces impact, but it does not inherently stop injection from occurring.

Encoding the single quote (C) is a legacy/insufficient approach; encoding or escaping can be error-prone and DBMS-specific, and it does not match the description of parameters being bound separately.

Therefore, the application is using D. Use parameterized queries or prepared statements.

The Certified Ethical Hacker (CEH) Cryptography and Quantum Computing section introduces the concept known as “Harvest Now, Decrypt Later”. This threat model describes adversaries capturing encrypted data today, even if they cannot decrypt it immediately, with the expectation that future quantum computers will be able to break currently secure public-key algorithms such as RSA and ECC.

Option A accurately reflects this concept.

Option B describes a method (Shor’s algorithm) but not the threat model itself.

Option C is unrelated to cryptographic attacks.

Option D refers to quantum communication attacks, not classical encrypted data harvesting.

CEH emphasizes post-quantum cryptography as a mitigation strategy.

CEH materials describe this attack pattern as Living-off-the-Land (LotL), where attackers abuse legitimate tools to avoid detection. Because these binaries are normally trusted, traditional antivirus solutions may not flag them.

CEH recommends file integrity monitoring (FIM), which tracks cryptographic hashes of sensitive executables and alerts administrators when unauthorized modifications occur.

Option D is correct.

Options A and B support resilience but do not detect tampering.

Option C alone is insufficient against LotL attacks.

CEH identifies brute-force cryptanalysis as a method in which an attacker systematically tests every possible key, password, or passphrase until the correct one is found. When an attacker obtains initial bytes from an encrypted container—often referred to as known plaintext—they can use this to validate attempts as the tool iterates through candidate keys. Automated brute-force tools compare decrypted results with known header patterns, file signatures, or expected byte structures to determine when the correct key is reached. This process aligns precisely with brute-force password testing described in CEH cryptography modules. Quantum solving is not part of CEH scope, digest comparison relates to collision attacks, and analyzing output length pertains to padding oracle detection. The correct classification is automated brute-force cryptanalysis.