In IPsec ESP transport mode , the authentication process protects most of the ESP packet except the outer IP header and the authentication data field itself. Specifically, the authentication calculation covers the ESP header, the encrypted payload (such as the TCP header and application data), and the ESP trailer . The IP header is not included , because it may change during packet transmission, and the ESP authentication data field is also excluded because it stores the result of the authentication calculation.

Looking at the packet structure in the figure, the order is: IP Header → ESP Header → TCP Header → Data → ESP Tail → ESP Auth Data . The correct authentication range therefore begins at the ESP header and ends at the ESP tail , but it does not include the IP header or the ESP authentication data.

In the diagram, option 3 represents the range starting from the ESP header and ending at the ESP tail , which matches the actual authentication coverage of ESP in transport mode. Therefore, the correct answer is 3 .

A. Scanning attacks → Attackers use ICMP packets to probe the target IP address to identify active hosts that connect to the target network.

B. Malformed packet attacks → Attackers send considerable malformed packets in an attempt to crash targeted hosts or servers.

C. Special packet control attacks → Such attacks are reconnaissance activities for attacks but not real attacks. That is, attackers send special packets to probe network structures.

In HCIA-Security, single-packet attacks are commonly categorized by the purpose and structure of the packets being sent. Scanning attacks are mainly used to discover targets and collect information before a real attack begins. A common example is using ICMP probe packets to identify whether hosts are alive and reachable on a network. This makes the ICMP host-discovery description the correct match for scanning attacks.

Malformed packet attacks involve sending packets with abnormal, invalid, or deliberately corrupted structures. Their purpose is to exploit weaknesses in protocol handling or operating system processing so that the target host, device, or server becomes unstable, crashes, or stops responding. Therefore, the description about sending many malformed packets to crash targets clearly matches this category.

Special packet control attacks are also more related to probing than direct destruction. In this case, attackers send specially crafted control or probe packets to learn network structure, device behavior, or service characteristics. These activities are considered reconnaissance rather than full attacks. That is why the description about probing network structures with special packets belongs to special packet control attacks.

In Huawei firewall hot standby, the heartbeat link is mainly used to maintain the backup relationship and monitor peer status. Through this link, the two firewalls periodically exchange heartbeat packets to confirm whether the peer device is alive and operating normally. This makes statement B correct. The heartbeat link also carries VGMP-related packets , which help the devices determine their active or standby roles and decide whether a switchover is necessary when faults or status changes occur. Therefore, statement C is also correct.

In addition, the firewalls can exchange configuration consistency check information to verify whether key configurations on both devices match, so statement D is correct as well.

The incorrect statement is A . Configuration and status synchronization between hot standby firewalls is not described simply as heartbeat packets being used to synchronize configuration commands and status information. Heartbeat packets are mainly for liveness detection and status maintenance , while configuration or session synchronization is handled by dedicated hot standby synchronization mechanisms rather than ordinary heartbeat packets themselves. Therefore, A is the incorrect statement.

A Denial of Service attack is intended to make a host, server, or network service unavailable to legitimate users. It usually works by exhausting system resources such as bandwidth, CPU, memory, connection tables, or buffers, so valid users cannot access the service normally. Therefore, statement B is correct because the essential purpose of a DoS attack is to interrupt services or block resource access on the target.

Statement C is also correct. Many DoS attacks attempt to consume queue space, session resources, or buffers on the target so that new connection requests cannot be processed. This is a common way of making a service unavailable. Statement A can also be correct in the context of some DoS methods, because attackers may use IP spoofing to hide their identity, bypass simple filtering, or increase the difficulty of tracing the attack source.

Statement D is incorrect because DoS attacks are designed to affect availability , not to create unrecoverable physical damage to hardware. They may crash systems, overload services, or interrupt access, but they do not normally destroy the target device physically.

Application-layer protocols provide network services directly to user applications and define how clients and servers exchange application data. DNS is an application-layer protocol used to translate domain names into IP addresses (and perform related record lookups), enabling applications to locate services by name instead of by numeric address. Telnet is also an application-layer protocol that provides remote terminal access; it allows a user to interact with a remote system’s command-line interface over the network (though it is insecure because it transmits data in plaintext). HTTP is an application-layer protocol used for web communication, defining request/response behavior between browsers (clients) and web servers for transferring web pages and related content.

In contrast, ARP is not an application-layer protocol. ARP operates at the boundary of Layer 2/Layer 3 to map an IPv4 address to a MAC address on the local network segment, supporting frame delivery on Ethernet. Therefore, the application-layer protocols here are DNS, Telnet, and HTTP.