Effective CISSP Questions

Your company sells toys online worldwide. A web-based E-Commerce system developed in-house supports the business. The EC system is suffering from the DDoS attack. Which of the following is the most effective mitigation strategy?
A. Enable the elastic network capability to deal with the massive amount of traffic
B. Implement a dynamic DNS to avoid the attack
C. Rotate the IPs of the web server farm in round-robin
D. Redirect the traffic to the scrubbing center

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. Redirect the traffic to the scrubbing center.

DDoS Mitigation Strategy

There are two common DDoS mitigation strategies: DNS redirection and BGP routing. Both redirect traffic to the scrubbing center for cleansing, that is, to filter out malicious traffic and forward legitimate traffic.

Redirected Traffic Handling

  • Blackholing (aka Null routing) discards or drops all traffic without informing the source. Even though the target of the attack will be inaccessible, null routing is often used on core routers to mitigate DDoS attacks before the packets reach a bottleneck.
  • Sinkholing directs the traffic from a list of known malicious IP addresses to the sinkhole.
  • Scrubbing routes all ingress traffic through a security service. Malicious network packets are identified based on their header content, size, type, point of origin, etc. The challenge is to perform scrubbing at an inline rate without causing lag or otherwise impacting legitimate users. (Source: Imperva)
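The three handling modes above, as an added illustration that is not from the post or from Imperva: a constructed batch of packets is run through a blackhole, a sinkhole and a simple scrubber so the difference in what reaches the origin is visible. The known-bad list, the size cutoff and the per-source SYN limit are constructed placeholders, not real thresholds.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Set

@dataclass(frozen=True)
class Packet:
    src: str            # source IP (point of origin)
    proto: str          # "tcp" or "udp" (type)
    size: int           # bytes (size)
    syn: bool = False   # TCP SYN without ACK, i.e. a half-open attempt (header content)

KNOWN_BAD: Set[str] = {"203.0.113.9"}   # constructed list of known malicious sources
MAX_UDP_SIZE = 1200                     # constructed cutoff for amplified UDP replies
SYN_PER_SOURCE_LIMIT = 3                # constructed per-source SYN limit within one batch

def blackhole(packets: Iterable[Packet]) -> List[Packet]:
    """Null route: every packet to the victim prefix is dropped, legitimate or not."""
    return []

def sinkhole(packets: Iterable[Packet], bad: Set[str] = KNOWN_BAD) -> List[Packet]:
    """Only traffic from listed sources is diverted; everything else is forwarded as-is."""
    return [p for p in packets if p.src not in bad]

def scrub(packets: Iterable[Packet], bad: Set[str] = KNOWN_BAD) -> List[Packet]:
    """Inspect origin, type, size and header; forward only packets that pass every check."""
    packets = list(packets)
    syn_counts = Counter(p.src for p in packets if p.proto == "tcp" and p.syn)
    clean = []
    for p in packets:
        if p.src in bad:                                        # point of origin
            continue
        if p.proto == "udp" and p.size > MAX_UDP_SIZE:          # type and size
            continue
        if p.syn and syn_counts[p.src] > SYN_PER_SOURCE_LIMIT:  # header content
            continue
        clean.append(p)
    return clean

# Constructed sample batch arriving at the scrubbing center (13 packets).
SAMPLE = (
    [Packet("192.0.2.10", "tcp", 512)] * 2               # legitimate shopper
    + [Packet("192.0.2.11", "udp", 300)]                 # legitimate small UDP reply
    + [Packet("203.0.113.9", "tcp", 60, syn=True)] * 2   # known-bad source
    + [Packet("198.51.100.7", "tcp", 60, syn=True)] * 5  # SYN flood from one source
    + [Packet("198.51.100.8", "udp", 1400)] * 3          # oversized (amplified) UDP
)

def compare(packets: List[Packet] = SAMPLE) -> dict:
    """Return how many packets each strategy lets through to the origin."""
    return {"total": len(packets), "blackhole": len(blackhole(packets)),
            "sinkhole": len(sinkhole(packets)), "scrub": len(scrub(packets))}
```

Blackholing protects the upstream but also drops the three legitimate packets; sinkholing removes only the listed source; scrubbing keeps exactly the legitimate traffic.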

DNS Redirection

It is the DNS redirection or BGP routing that redirects traffic to the scrubbing center and thereby mitigates the DDoS attack.

Dynamic DNS

Dynamic DNS (DDNS) is a method of automatically updating a name server in the Domain Name System (DNS), often in real time, with the active DDNS configuration of its configured hostnames, addresses or other information.

Source: Dynamic DNS

The dynamic update operations may or may not be compliant with RFC 2136 and RFC 2845 (TSIG). Configuring web servers to update their IP addresses in DNS dynamically neither avoids the attack nor mitigates DDoS; the new address receives the same flood once it is resolved.

Round-robin DNS

Round-robin DNS is a technique of load distribution, load balancing, or fault-tolerance provisioning multiple, redundant Internet Protocol service hosts, e.g., Web server, FTP servers, by managing the Domain Name System’s (DNS) responses to address requests from client computers according to an appropriate statistical model. (Wikipedia)

Rotating the IPs of the web server farm in round-robin is a common design for load balancing. It won’t mitigate DDoS attacks.



My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and informative reference for security professionals.
