Your company sells toys online worldwide. A web-based E-Commerce system developed in-house supports the business. The EC system is suffering from the DDoS attack. Which of the following is the most effective mitigation strategy?
A. Enable the elastic network capability to deal with the massive amount of traffic
B. Implement a dynamic DNS to avoid the attack
C. Rotate the IPs of the web server farm in round-robin
D. Redirect the traffic to the scrubbing center
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is D. Redirect the traffic to the scrubbing center.
DDoS Mitigation Strategy
There are two common DDoS mitigation strategies: DNS redirection and BGP routing. Both redirect traffic to the scrubbing center for cleansing, that is, to filter out malicious traffic and forward legitimate traffic.
Redirected Traffic Handling
- Blackholing (aka Null routing) discards or drops all traffic without informing the source. Even though the target of the attack will be inaccessible, null routing is often used on core routers to mitigate DDoS attacks before the packets reach a bottleneck.
- Sinkholing directs the traffic from a list of known malicious IP addresses to the sinkhole.
- Scrubbing routes all ingress traffic through a security service. Malicious network packets are identified based on their header content, size, type, point of origin, etc. The challenge is to perform scrubbing at an inline rate without causing lag or otherwise impacting legitimate users. (Source: imperva)
DNS Redirection
It is the DNS redirection or routing that redirects traffic to the scrubbing center mitigates the DDoS attack.
Dynamic DNS
Dynamic DNS (DDNS) is a method of automatically updating a name server in the Domain Name Server (DNS), often in real time, with the active DDNS configuration of its configured hostnames, addresses or other information.
Source: Dynamic DNS
The dynamic update operations may or may not be compliant with RFC 2136 and RFC 2845 (TSIG). Configuring web servers to update their IP addresses to DNS servers dynamically cannot avoid the attack and mitigate DDoS.
Round-robin DNS
Round-robin DNS is a technique of load distribution, load balancing, or fault-tolerance provisioning multiple, redundant Internet Protocol service hosts, e.g., Web server, FTP servers, by managing the Domain Name System’s (DNS) responses to address requests from client computers according to an appropriate statistical model. (Wikipedia)
Rotating the IPs of the web server farm in round-robin is a common design for load balancing. It won’t mitigate DDoS attacks.
Reference
- DDoS Mitigation
- What is DDoS blackhole routing?
- Black hole (networking)
- DNS sinkhole
- Botnet sinkhole
- Using BGP to Reroute Traffic during a DDoS
- What is a DDoS Attack?
- Scrubbing Center
- How traffic scrubbing can guard against DDoS attacks
- GÉANT DDoS Cleansing and Alerting
- Detecting and Preventing DDoS Attacks in SDN-Based Data Center Networks
- AWS WAF – Web Application Firewall
- Complete Web Application Firewall Guide
- BGP: Path Selection Criteria – Path Vector Protocol
- DDoS Mitigation and RTBH
- Round-robin DNS
- 如何抵擋Tb級DDoS攻擊
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get your copy from the author’s web site.