
Version 4.1 - 4.8 QoS marking attacks

This section is going to be very light. A QoS marking attack is when a hacker changes/manipulates the QoS marking on packets to take advantage of the higher priority - or to consume the bandwidth reserved for priority packets. If there are any questions on this, they would be oriented towards this idea.

In practice, this is very different. If you've never been involved in this, let me tell you - it takes a lot of planning and effort to implement QoS correctly. For a start, the commands are platform-dependent. You have to understand your entire network and know what kind of traffic is traversing which devices. And where are your phones? So once you get an idea of what you want marked on all your devices, then you have to actually deploy the commands on all those devices. [This can be quite an undertaking on an enterprise network.] And you have to get each one exactly correct - attention to detail is essential here. Now that you've done all that - realize that your markings are probably only going to be useful on your own network. Once that traffic goes to your ISP, the markings may be stripped. [To them - you are on an untrusted network.] Know that any time you expect the markings to be there and they are stripped (for whatever reason), you are going to get issues with voice and video. Choppy voice quality, jitter and delay are things you will hear about often when trying to get this right.

So knowing this, it kind of seems a bit difficult to pull off a QoS marking attack. More likely than not, traffic coming from an "untrusted" port is going to lose any priority marking. For this exam, you probably don't have to know the details of QoS, but you should have a good overview of it. One of the things always pointed at for this topic is scavenger class traffic. You may want to review Cisco's page on DSCP and Precedence Values.

One of the best uses of QoS is to mitigate malicious traffic. On this Quality of Service Design Overview page (which has a lot of good information), scroll down to the section "How Can I Use QoS Tools to Mitigate DoS/Worm Attacks?" (it's very far down the page). It gives you some very detailed information on the idea. Basically, if you have a phone, it's only going to use a certain amount of bandwidth. So if you have a 100M or gig connection to the switch, your phone is not going to use all that for voice traffic. In order to prevent someone from trying to send "other" traffic through the phone connection (so it gets marked as priority traffic), you can limit the amount of traffic allowed as priority and re-mark the rest as scavenger traffic.
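Here is an added example of the access-edge design just described (it is not from this post or from Cisco's page): Catalyst IOS MQC configuration that only trusts markings when a Cisco phone is detected, polices EF to what a single phone needs, and re-marks anything over the rate to CS1 (scavenger) instead of letting it ride as priority. The interface name, VLANs, rates and bursts are assumed values chosen for illustration. It also shows the "untrusted port" behaviour mentioned above: once `mls qos` is enabled, a port with no trust configured rewrites incoming DSCP to 0.

```cisco
! Added example (not from this post or from Cisco's design guide):
! access-edge QoS that enforces a trust boundary and demotes excess
! "priority" traffic to scavenger class. Interface, VLANs, rates and
! bursts are assumed values for illustration.
!
! Enable QoS globally. Once enabled, every port is untrusted by default,
! so DSCP/CoS on inbound frames is rewritten to 0 unless trust is configured.
mls qos
!
! Traffic that a phone legitimately marks as voice (EF) and call signalling
class-map match-all VOICE
 match ip dscp ef
class-map match-all SIGNALING
 match ip dscp cs3 af31
!
! Policed-out EF (46), CS3 (24) and AF31 (26) get re-marked to CS1 (8), i.e. scavenger
mls qos map policed-dscp 24 26 46 to 8
!
! Police voice to roughly what one phone needs; anything beyond the rate is
! re-marked via the policed-dscp map rather than dropped outright.
policy-map ACCESS-EDGE
 class VOICE
  police 128000 8000 exceed-action policed-dscp-transmit
 class SIGNALING
  police 32000 8000 exceed-action policed-dscp-transmit
 class class-default
  set dscp default
!
interface GigabitEthernet1/0/1
 description Phone + PC access port (assumed)
 switchport access vlan 10
 switchport voice vlan 110
 ! Trust the phone's DSCP only if a Cisco IP phone is detected via CDP;
 ! a PC plugged in directly stays untrusted and its markings are reset to 0.
 mls qos trust device cisco-phone
 mls qos trust dscp
 service-policy input ACCESS-EDGE
```

To check that the policer is actually catching traffic on these platforms, `show mls qos interface GigabitEthernet1/0/1 statistics` lists the policed and re-marked packet counts per port; a steadily climbing policed count on a phone port is the signal that something behind the phone is sending more "EF" than a voice call should.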

And with that, I'm ending section 4. According to the blueprint, 48% of the exam has now been covered. However, the next two sections are probably the "meat" of the exam. Section 5.x covers Cisco products and 6.x covers Cisco technologies and solutions. Together, those two sections account for 34% of the exam. However, I think that many of the questions from the previous sections will be folded into the environment of sections 5 and 6.
