Preventing Infected Devices from Sourcing DDoS Attacks
Question
You are a network designer and are responsible for ensuring that the network you design is secure.
How do you plan to prevent infected devices on your network from sourcing random DDoS attacks using forged source addresses?
Answers
Explanations
Click on the arrows to vote for the correct answer
A. B. C. D.D.
As a network designer, preventing infected devices on the network from sourcing random DDoS attacks using forged source addresses is critical to ensuring network security. In this scenario, there are four possible solutions to this problem: ACL-based forwarding, ACL filtering by destination, Unicast RPF loose mode, and Unicast RPF strict mode.
A. ACL-based forwarding:
ACL-based forwarding involves configuring access control lists (ACLs) on the routers in the network. These ACLs permit only valid traffic to enter and leave the network and discard traffic from known sources of attacks. In this case, ACLs can be used to drop traffic from infected devices attempting to source DDoS attacks with forged source addresses. This solution is effective, but it may be resource-intensive as ACLs must be configured on every router in the network, and it may be difficult to keep them updated to ensure proper security.
B. ACL filtering by destination:
ACL filtering by destination involves configuring ACLs to filter traffic based on destination IP addresses. In this case, ACLs can be used to drop traffic from infected devices attempting to send traffic to known targets of DDoS attacks. However, this solution may not be effective as DDoS attacks can target any IP address, and the source addresses may be randomly generated.
C. Unicast RPF loose mode:
Unicast Reverse Path Forwarding (RPF) is a security feature that checks the source address of incoming packets against the routing table to ensure that the packet arrived on the correct interface. Unicast RPF loose mode allows packets to be forwarded if the source address is reachable through any interface. In this case, Unicast RPF loose mode can be used to drop traffic from infected devices attempting to source DDoS attacks with forged source addresses. However, this solution may not be effective against attacks that use source addresses that are not in the routing table.
D. Unicast RPF strict mode:
Unicast RPF strict mode allows packets to be forwarded only if the source address is reachable through the interface on which the packet was received. In this case, Unicast RPF strict mode can be used to drop traffic from infected devices attempting to source DDoS attacks with forged source addresses. This solution is more effective than Unicast RPF loose mode, but it may cause legitimate traffic to be dropped if the source address is not reachable through the correct interface.
In conclusion, all the solutions mentioned above can help prevent infected devices from sourcing random DDoS attacks using forged source addresses, but they have their strengths and weaknesses. A combination of these solutions may provide the best security for the network.
