Asked by asdasdasd
Question 3 of 10
A security analyst is monitoring the network traffic of a large organization. The analyst has noticed an unusual spike in network traffic and needs to determine the cause.
What is the MOST likely explanation for the unusual spike in network traffic?
Network configuration issue
Background traffic
Heightened user activity
Distributed denial-of-service (DDoS) attack
Answered by GPT-5 mini (AI)
Most likely: Heightened user activity.
Reasoning: Legitimate increases in user behavior (large file transfers, backups, software updates, scheduled batch jobs, media streaming, or a viral internal application) are the most common cause of temporary traffic spikes. DDoS or configuration problems are less frequent.
How to confirm and triage quickly:
- Check timing and correlation with business events (scheduled backups, patch windows, marketing campaigns).
- Use NetFlow/traffic analytics to see top talkers and top destinations.
- If a small number of internal hosts are sending/receiving most traffic → legitimate jobs or misconfigured hosts.
- If many external sources target one internal host with similar packets/ports → likely DDoS.
- If large volumes of broadcast/ARP traffic or internal flooding → possible switch/loop or configuration issue.
- Inspect firewall/IDS logs and packet captures for protocol/port patterns (SYN floods, UDP floods, repeated connections).
- Validate with systems teams if any updates or large jobs started.
- Remediate accordingly:
  - Legitimate activity: schedule or throttle jobs, adjust QoS.
  - DDoS: engage ISP/mitigation service, rate-limit or block offending traffic.
  - Config issue: isolate faulty device/port, fix STP/configuration.
This approach helps distinguish the common benign cause (heightened user activity) from less common but serious causes (DDoS or network misconfiguration).
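As an added example (not part of the answer above), the triage branches in the list can be expressed as a small classifier over NetFlow-style records. The record schema, the internal address prefix, the thresholds and the sample flows are all constructed assumptions, not a vendor export format.

```python
from collections import Counter, defaultdict

INTERNAL_PREFIX = "10.0."  # assumed internal address space (constructed)


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def classify(flows, min_sources=50, top_share=0.7, bcast_share=0.3):
    """Map a batch of flow records to the triage branches of the answer.

    Each record is a dict with src, dst, dport, bytes and an optional
    bcast flag (constructed schema, not a real NetFlow/IPFIX layout).
    """
    total = bcast = 0
    by_host = Counter()                 # bytes attributed to each internal host
    fan_in = defaultdict(set)           # external sources per (dst, dport)
    for f in flows:
        total += f["bytes"]
        bcast += f["bytes"] if f.get("bcast") else 0
        for h in (f["src"], f["dst"]):
            if is_internal(h):
                by_host[h] += f["bytes"]
        if is_internal(f["dst"]) and not is_internal(f["src"]):
            fan_in[(f["dst"], f["dport"])].add(f["src"])
    if total == 0:
        return "no traffic"
    if bcast / total >= bcast_share:
        return "config issue"           # broadcast/ARP flood: loop or misconfig
    if fan_in and max(len(s) for s in fan_in.values()) >= min_sources:
        return "ddos"                   # many external sources -> one host:port
    top3 = sum(b for _, b in by_host.most_common(3))
    if by_host and top3 / sum(by_host.values()) >= top_share:
        return "few hosts"              # backups/batch jobs or a misconfigured host
    return "heightened user activity"   # diffuse growth across many hosts


# Constructed samples, one per branch (addresses from documentation ranges).
DDOS = [{"src": f"203.0.113.{i}", "dst": "10.0.1.10", "dport": 443, "bytes": 400}
        for i in range(1, 121)]
BACKUP = [{"src": "10.0.2.5", "dst": "10.0.9.1", "dport": 445, "bytes": 9_000_000}] + \
         [{"src": f"10.0.3.{i}", "dst": "198.51.100.7", "dport": 443, "bytes": 20_000}
          for i in range(1, 21)]
LOOP = [{"src": f"10.0.4.{i}", "dst": "255.255.255.255", "dport": 0, "bytes": 60_000,
         "bcast": True} for i in range(1, 11)] + \
       [{"src": "10.0.4.1", "dst": "198.51.100.7", "dport": 443, "bytes": 50_000}]
DIFFUSE = [{"src": f"10.0.5.{i}", "dst": "198.51.100.7", "dport": 443, "bytes": 30_000}
           for i in range(1, 101)]

if __name__ == "__main__":
    for name, sample in [("DDOS", DDOS), ("BACKUP", BACKUP), ("LOOP", LOOP), ("DIFFUSE", DIFFUSE)]:
        print(name, "->", classify(sample))
```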