Which of the following is the BEST way for the administrator to mitigate the effects of these attacks?

A network administrator is concerned about a particular server that is attacked occasionally from hosts on the Internet. The server is not critical; however, the attacks impact the rest of the network. While the company’s current ISP is cost effective, the ISP is slow to respond to reported issues. The administrator needs to be able to mitigate the effects of an attack immediately without opening a trouble ticket with the ISP. The ISP is willing to accept a very small network route advertised with a particular BGP community string. Which of the following is the BEST way for the administrator to mitigate the effects of these attacks?
A. Use the route protection offered by the ISP to accept only BGP routes from trusted hosts on the Internet, which will discard traffic from attacking hosts.
B. Work with the ISP and subscribe to an IPS filter that can recognize the attack patterns of the attacking hosts, and block those hosts at the local IPS device.
C. Advertise a /32 route to the ISP to initiate a remotely triggered black hole, which will discard traffic destined to the problem server at the upstream provider.
D. Add a redundant connection to a second local ISP, so a redundant connection is available for use if the server is being attacked on one connection.


3 thoughts on “Which of the following is the BEST way for the administrator to mitigate the effects of these attacks?”

  1. Maybe: B. Work with the ISP and subscribe to an IPS filter that can recognize the attack patterns of the attacking hosts, and block those hosts at the local IPS device?

    According to the question: “. . . a particular server that is attacked occasionally from hosts on the Internet.”

    Are these attacking hosts known, or unknown? I think we have to assume unknown, because even if the attacking hosts are known, it’s easy to attack from another host. Since the server is available to the internet, I assume the server must be open to unknown hosts. If the server only needs to be accessed from a limited number of known hosts, that could be accomplished by setting up a local firewall.

    A. Use the route protection offered by the ISP to accept only BGP routes from trusted hosts on the internet, which will discard traffic from attacking hosts.

    There is nothing in the question to indicate that the trusted hosts are known. Also, can the server do its job, if it can only be accessed from certain trusted hosts?

    B. Work with the ISP and subscribe to an IPS filter that can recognize the attack patterns of the attacking hosts, and block those hosts at the local IPS device.

    This might work. This seems to be the only answer that does not require the company to know, in advance, which hosts can be trusted, and which hosts cannot be trusted. Seems to be the best answer.

    C. Advertise a /32 route to the ISP to initiate a remotely triggered black hole, which will discard traffic destined to the problem server at the upstream provider.

    Here again, you would have to know, in advance, which hosts are trusted, and which hosts are not trusted. There is no indication that is known.

    D. Add a redundant connection to a second local ISP, so a redundant connection is available for use if the server is being attacked on one connection.

    This would not stop the server from being attacked, but would offer some redundancy if the server were attacked. I think it would make more sense to prevent the server from being attacked.

  2. C

    A and C are the only options that really address the issue in a possible way given the info.

    A addresses a BGP vulnerability that is not the issue here. We are worried about filtering bad traffic.

    C addresses the issue by allowing the admin to filter bad traffic. This is not uncommon for mitigating DDoS attacks at an ISP level, not as common at the ISP’s client level though.
