CompTIA CySA+ (CS0-003) — Question 283
A security analyst observes a high volume of SYN flags from an unexpected source toward a web application server within one hour. The traffic is not flagging for any exploit signatures.
Which of the following scenarios best describes this activity?
Answer options
- A. A legitimate connection is continuously attempting to establish a connection with a downed web server.
- B. A script kiddie is attempting to execute a DDoS through a ping flood attack.
- C. An attacker is executing reconnaissance activities by mapping which ports are open and closed.
- D. A web exploit attempt is likely occurring and the security analyst is not seeing it.
Correct answer: C
Explanation
The correct answer is C because a high volume of SYN flags suggests that the attacker is probing the server to discover which ports are open, which aligns with reconnaissance activity. Option A is incorrect because it describes a legitimate connection retrying against a downed web server, which does not fit traffic from an unexpected source. Option B mischaracterizes the type of attack. Option D assumes an exploit attempt is occurring without any evidence of one being detected.