A network administrator is concerned about a particular server that is attacked occasionally from hosts on the Internet.
The server is not critical; however, the attacks impact the rest of the network.
While the company's current ISP is cost effective, the ISP is slow to respond to reported issues.
The administrator needs to be able to mitigate the effects of an attack immediately without opening a trouble ticket with the ISP.
The ISP is willing to accept a very small network route advertised with a particular BGP community string.
Which of the following is the BEST way for the administrator to mitigate the effects of these attacks?
Click on the arrows to vote for the correct answer
A. B. C. D.C.
The network administrator's concern is that a particular server is being attacked occasionally from hosts on the internet, and these attacks impact the rest of the network. The administrator needs to mitigate the effects of the attack immediately without relying on the ISP.
Option A suggests using the route protection offered by the ISP to accept only BGP routes from trusted hosts on the Internet, which will discard traffic from attacking hosts. This approach assumes that the ISP offers route protection and that the attacking hosts can be identified as untrusted. While this may be a viable solution, it may not be the best approach, given that the ISP is slow to respond to reported issues.
Option B suggests working with the ISP and subscribing to an IPS filter that can recognize the attack patterns of the attacking hosts and block those hosts at the local IPS device. This approach requires coordination with the ISP, but it is more proactive than option A. The downside is that IPS filters may not be able to recognize all attack patterns, and there is a risk of false positives or blocking legitimate traffic.
Option C suggests advertising a /32 route to the ISP to initiate a remotely triggered black hole, which will discard traffic destined to the problem server at the upstream provider. This approach is a form of distributed denial of service (DDoS) protection that can quickly drop all traffic destined for the server, effectively mitigating the attack. However, this approach requires coordination with the ISP to configure the remotely triggered black hole, and there is a risk of accidentally blocking legitimate traffic.
Option D suggests adding a redundant connection to a second local ISP so that a redundant connection is available for use if the server is being attacked on one connection. This approach offers redundancy and may be useful for maintaining connectivity during an attack. However, this approach does not mitigate the effects of the attack and may require additional resources.
Overall, option C, advertising a /32 route to the ISP to initiate a remotely triggered black hole, is the BEST way to mitigate the effects of the attacks, as it can quickly drop all traffic destined for the server and does not require coordination with the ISP during the attack. However, this approach should be used cautiously and only as a last resort, as it can accidentally block legitimate traffic.