Certified Ethical Hacker (CEH) — Question 62

Neil notices that a single address is generating traffic from its port 500 to port 500 of several other machines on the network. This scan is eating up most of the network bandwidth and Neil is concerned. As a security professional, what would you infer from this scan?

Answer options

• A. It is a network fault and the originating machine is in a network loop
• B. It is a worm that is malfunctioning or hardcoded to scan on port 500
• C. The attacker is trying to detect machines on the network which have SSL enabled
• D. The attacker is trying to determine the type of VPN implementation and checking for IPSec

Correct answer: D

Explanation

The correct answer is D because scanning on port 500 is associated with IPSec VPN implementations. This behavior suggests the attacker is trying to identify VPN setups. Options A and B do not accurately describe the scanning behavior related to port 500, and option C incorrectly attributes the scan to SSL detection, which is not linked to this port.