Remote Triggered Black Hole Filtering (RFC 5635) | CCIE Security Exam

Remote Triggered Black Hole Filtering


Question

Which two options correctly describe Remote Triggered Black Hole Filtering (RFC 5635)? (Choose two.)


Answer: AE.

Remote Triggered Black Hole (RTBH) Filtering is a technique used to mitigate Distributed Denial of Service (DDoS) attacks by quickly blocking malicious traffic from entering a network. RTBH is defined in RFC 5635 and it uses BGP (Border Gateway Protocol) to distribute blackhole routes to edge devices.

The correct options that describe RTBH are:

A. RTBH destination-based filtering can drop traffic destined to a host based on triggered entries in the FIB.

B. RTBH source-based filtering will drop traffic from a source destined to a host based on triggered entries in the RIB.

Explanation: RTBH filtering can be configured based on the destination or source IP address of the traffic. In destination-based filtering, traffic destined to a host or a subnet is dropped based on triggered entries in the Forwarding Information Base (FIB) of the edge routers. In source-based filtering, traffic from a specific source address is dropped based on triggered entries in the Routing Information Base (RIB) of the core routers.

C. Loose uRPF must be used in conjunction with RTBH destination-based filtering.

D. Strict uRPF must be used in conjunction with RTBH source-based filtering.

Explanation: Unicast Reverse Path Forwarding (uRPF) is a mechanism used to validate the source IP address of incoming packets against the routing table. In loose mode, if the source address of a packet is reachable through any interface of the router, the packet is accepted. In strict mode, if the source address is not reachable through the interface on which the packet arrived, the packet is dropped. For destination-based RTBH filtering, loose uRPF is recommended to prevent false positives, while for source-based filtering, strict uRPF is required to prevent spoofed source addresses.

E. RTBH uses a discard route on the edge devices of the network and a route server to send triggered route updates.

Explanation: RTBH filtering uses a discard route on the edge routers to block traffic and a route server to distribute blackhole routes to the edge routers. When an attack is detected, the route server sends a triggered update to the edge routers, which then add the blackhole route to their FIB or RIB to drop the malicious traffic.

F. When setting the BGP community attribute in a route-map for RTBH, use the no-export community unless BGP confederations are used; then use local-as to.

Explanation: To implement RTBH filtering, BGP communities are used to tag the routes that should be blackholed. The most common community used is the no-export community, which prevents the blackhole route from being advertised beyond the local AS. If BGP confederations are used, the local-as community can be used to ensure that the blackhole route is not leaked to other confederations.
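As an added illustration that is not part of the original question page, the following constructed Cisco IOS configuration puts together the RTBH building blocks described above: a discard route on every edge router, a trigger router that redistributes a tagged static route into BGP with the next hop set to the discard address and the no-export community attached, and loose-mode uRPF on the edge interface. AS 65000, the 192.0.2.1 discard address, the 203.0.113.10 victim host, the 198.51.100.7 source, the 10.0.0.1 trigger-router peer and route tag 66 are assumed values chosen for the example.

```cisco
! ---- Every edge router ----
! Discard route: anything whose BGP next hop resolves to 192.0.2.1 is dropped in hardware.
ip route 192.0.2.1 255.255.255.255 Null0
!
! Loose-mode uRPF on the peer-facing interface. Once a blackholed *source* prefix
! resolves to Null0, packets from that source fail the check and are dropped here
! (this is the source-based RTBH mechanism of RFC 5635 section 4).
interface GigabitEthernet0/0
 description Upstream peer
 ip verify unicast source reachable-via any
!
router bgp 65000
 neighbor 10.0.0.1 remote-as 65000
 neighbor 10.0.0.1 description RTBH trigger router (iBGP)
!
! ---- Trigger router ----
router bgp 65000
 redistribute static route-map RTBH-TRIGGER
!
! Only statics carrying tag 66 enter BGP; they get the discard next hop,
! a high local preference so they win over the real route, and no-export
! so the blackhole never leaves the local AS (the community the page names).
route-map RTBH-TRIGGER permit 10
 match tag 66
 set ip next-hop 192.0.2.1
 set local-preference 200
 set origin igp
 set community no-export
!
route-map RTBH-TRIGGER deny 20
!
! Destination-based trigger: adding this static drops all traffic *to* the
! attacked host at every edge; removing it withdraws the blackhole.
ip route 203.0.113.10 255.255.255.255 Null0 tag 66
!
! Source-based trigger: same mechanism, but the prefix is the offending source;
! the edge's loose uRPF (above) is what actually drops the packets.
ip route 198.51.100.7 255.255.255.255 Null0 tag 66
```

On the edge routers, `show ip bgp 203.0.113.10` should show the route with next hop 192.0.2.1 and `show ip cef 203.0.113.10` should resolve it to Null0 while the trigger static is present.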

In summary, Remote Triggered Black Hole Filtering is a technique used to mitigate DDoS attacks by quickly blocking malicious traffic. RTBH can be configured based on the destination or source IP address of the traffic, and it uses BGP to distribute blackhole routes to edge routers. uRPF is used to validate the source IP address of incoming packets, and different modes of uRPF are recommended depending on the type of RTBH filtering used. BGP communities are used to tag the routes that should be blackholed, and the no-export community is commonly used to prevent the blackhole route from being advertised beyond the local AS.