GIAC Certified Incident Handler (GCIH) — Question 146
Which of the following is an effective method of detecting a covert communication tunnel such as ptunnel?
Answer options
- A. Rejecting incoming UDP packets with source port < 1024
- B. Capturing outgoing HTTP traffic at unusual times
- C. Restricting ICMP port unreachables with a non-zero payload
- D. Detecting ICMP packets with uncommon payloads
Correct answer: C
Explanation
The correct answer, C, is effective because it targets a specific behavior of covert tunnels, which often use non-standard payloads. The other options do not address the detection of covert communication methods as directly: A focuses on UDP packets, which might not be relevant to this kind of tunnel; B is too broad; and D is less specific to the nature of covert tunnels.