Conducting Forensic Analysis and Incident Response Using Cisco Technologies (CBRFIR) — Question 25
An engineer received a call to assist with an ongoing DDoS attack. The Apache server is being targeted, and availability is compromised. Which step should be taken to identify the origin of the threat?
Answer options
- A. An engineer should check the list of usernames currently logged in by running the command $ who | cut -d' ' -f1 | sort | uniq
- B. An engineer should check the server's processes by running commands ps -aux and sudo ps -a.
- C. An engineer should check the services on the machine by running the command service --status-all.
- D. An engineer should check the last hundred entries of a web server with the command sudo tail -100 /var/log/apache2/access.log.
Correct answer: D
Explanation
The correct answer is D because the Apache access log records the client address and request line of each incoming request, so reviewing its most recent entries reveals where the flood of traffic is coming from. The other options inspect logged-in user sessions, running processes, and local services; none of these shows the origin of the inbound traffic that is degrading the server's availability.