DDoS Protection Solutions for ISP Infrastructure

Implementing Dynamic Action at Border Routers

Question

A support engineer has been tasked to protect an ISP infrastructure from the growing number of DDoS attacks.

The should allow for a dynamic installation of an action at the border routers.

Which solution accomplishes these goals?

Answers

Explanations

Click on the arrows to vote for the correct answer

A. B. C. D. E.

E.

References:

The solution that accomplishes the goals of protecting an ISP infrastructure from DDoS attacks and allowing for dynamic installation of an action at the border routers is D. RTBH (Remotely Triggered Black Hole).

RTBH is a method of dealing with DDoS attacks in which a router is configured to drop all traffic destined for a specific IP address or range of IP addresses. This allows the ISP to quickly mitigate the effects of a DDoS attack by redirecting the traffic to a null interface or a black hole router. The RTBH approach is considered a proactive and cost-effective solution for DDoS mitigation.

In RTBH, when an attack is detected, the ISP sends a trigger to the border router to activate the RTBH feature. The trigger can be sent using several protocols, including BGP, SNMP, and syslog. Once activated, the RTBH feature will drop all traffic destined for the attacked IP address, which effectively blocks the attack at the network edge.

BGP (Border Gateway Protocol) is the most commonly used protocol for RTBH implementation because it allows for the dynamic installation of the black hole route. BGP L5 (BGP Layer 5) is a BGP extension that enables the distribution of RTBH trigger messages using BGP.

BTSH (Bi-directional Tunnel Setup and Hold) and MDS (Multicast Domain Security) authentication are not relevant solutions for mitigating DDoS attacks.

BGP FlowSpec (BGP Flow Specification) is a newer BGP extension that allows for more granular traffic filtering based on specific criteria such as source/destination IP, port, protocol, and packet length. While BGP FlowSpec can be used for DDoS mitigation, it requires more complex configuration and is not as widely adopted as RTBH.

In summary, the RTBH solution with BGP as the trigger protocol allows for dynamic installation of an action at the border routers to protect an ISP infrastructure from DDoS attacks.