
Exam CAS-003 topic 1 question 260 discussion

Actual exam question from CompTIA's CAS-003
Question #: 260
Topic #: 1

A university's help desk is receiving reports that Internet access on campus is not functioning. The network administrator looks at the management tools and sees that the 1Gbps Internet link is completely saturated with ingress traffic. The administrator sees the following output on the Internet router:

The administrator calls the university's ISP for assistance, but it takes more than four hours to speak to a network engineer who can resolve the problem. Based on the information above, which of the following should the ISP engineer do to resolve the issue?

  • A. The ISP engineer should null route traffic to the web server immediately to restore Internet connectivity. The university should implement a remotely triggered black hole with the ISP to resolve this more quickly in the future.
  • B. A university web server is under increased load during enrollment. The ISP engineer should immediately increase bandwidth to 2Gbps to restore Internet connectivity. In the future, the university should pay for more bandwidth to handle spikes in web server traffic.
  • C. The ISP engineer should immediately begin blocking IP addresses that are attacking the web server to restore Internet connectivity. In the future, the university should install a WAF to prevent this attack from happening again.
  • D. The ISP engineer should begin refusing network connections to the web server immediately to restore Internet connectivity on campus. The university should purchase an IPS device to stop DDoS attacks in the future.
Suggested Answer: D

Comments

SomeoneDumb
2 years, 1 month ago
Selected Answer: A
I wanted to go with D but there are a lot of resources that state IPSs fail at stopping DDoS attacks. I went with A because of different sources published from Cisco and others, including a cert guide: Remotely Triggered Black Hole (RTBH) filtering is a technique that uses routing protocol updates to manipulate route tables at the network edge, or anywhere else in the network, specifically to drop undesirable traffic before it enters the service provider network. One major area that needs to be mitigated is distributed denial-of-service (DDoS) attacks. For DDoS protection, once an attack is detected, black holing can be used to drop all DDoS attack traffic at the edge of an Internet service provider (ISP) network, based on either the destination or source IP address. Black holing is done by forwarding this traffic to a Null0 interface.
upvoted 1 times
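As an added example (not part of the exam question or of any commenter's post), the following Cisco IOS configuration shows both halves of option A: the manual Null0 route the ISP engineer can install on the spot, and the standing RTBH arrangement that lets the university trigger the same drop itself over BGP. The addresses (documentation ranges), the AS numbers 64500/64496, the discard next-hop 192.0.2.1 and the blackhole community 64500:666 are all assumptions; a real ISP publishes its own community value (some use the well-known BLACKHOLE community 65535:666 from RFC 7999), and the victim address would be whatever the router output in the question identifies.

```cisco
! ===== ISP edge router (AS 64500, assumed) =====
! Immediate manual fix during the support call: drop everything destined to the
! attacked host before it reaches the saturated 1Gbps customer link.
! (198.51.100.10 is an assumed victim address from the documentation range.)
ip route 198.51.100.10 255.255.255.255 Null0

! Standing RTBH preparation, so the customer can trigger the same drop remotely.
ip bgp-community new-format
! Discard next-hop: any prefix whose next-hop resolves here is forwarded to Null0.
ip route 192.0.2.1 255.255.255.255 Null0
!
! Only honour blackhole requests for host routes (/32), never for whole prefixes.
ip prefix-list HOST-ROUTES-ONLY permit 0.0.0.0/0 ge 32
ip community-list standard RTBH-COMMUNITY permit 64500:666
!
route-map FROM-CUSTOMER permit 10
 match community RTBH-COMMUNITY
 match ip address prefix-list HOST-ROUTES-ONLY
 set ip next-hop 192.0.2.1
route-map FROM-CUSTOMER permit 20
 ! ordinary customer routes pass through unchanged
!
router bgp 64500
 neighbor 203.0.113.2 remote-as 64496
 neighbor 203.0.113.2 route-map FROM-CUSTOMER in

! ===== University trigger router (AS 64496, assumed) =====
! Installing this tagged static route is the trigger; removing it withdraws the
! blackhole. Nothing else on the router changes.
ip route 198.51.100.10 255.255.255.255 Null0 tag 666
!
! Only routes carrying tag 666 are redistributed, and they leave with the
! ISP's blackhole community attached.
route-map RTBH-TRIGGER permit 10
 match tag 666
 set community 64500:666
 set origin igp
!
router bgp 64496
 neighbor 203.0.113.1 remote-as 64500
 neighbor 203.0.113.1 send-community
 redistribute static route-map RTBH-TRIGGER
```

Two practical points follow from the thread. First, destination-based RTBH of this kind restores the campus link by finishing the attacker's job against that one host (the "your server is useless" objection below); it buys time, it is not a cure. Second, the same mechanism can be run source-based, by accepting the attacking sources as host routes pointed at the discard next-hop and enabling loose-mode uRPF on the edge, but that only helps when the source set is small and stable, which the commenters note is not the case for randomly spoofed sources.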
AB1938
3 years, 1 month ago
Selected Answer: A
I eliminated B and C right away, because of the cynical "enrollment" statement and WAF, respectively. "C" cannot be the answer, WAF is designed to protect a web app, not stop DDoS. Now, I go with "A" because null route would stop DDoS and working on RTBH is a long-term strategy, more viable than relying on IPS to stop DDoS. I don't know why, at our level which is CASP+, people still talk about IPS for DDoS prevention - that is not correct, and I will reference this article: https://blog.radware.com/security/2013/05/can-firewall-and-ips-block-ddos-attacks/ Another bad question with horrible solutions, but I pick A.
upvoted 1 times
sm24
3 years, 3 months ago
The answer should be A. The objective is to fix the issue for the next 4 hours. So the engineer should route the inbound web traffic to Null Interface. "D" tells to purchase an IPS to prevent DDoS which is not right.
upvoted 1 times
D1960
3 years, 8 months ago
D. The ISP engineer should begin refusing network connections to the web server immediately to restore Internet connectivity on campus. The university should purchase an IPS device to stop DDoS attacks in the future. Probably the best of these bad choices. The IPS would protect the server, and restore service. Need to accept the server being down until the IPS can be purchased and set up.
upvoted 1 times
D1960
3 years, 8 months ago
C. The ISP engineer should immediately begin blocking IP addresses that are attacking the web server to restore Internet connectivity. In the future, the university should install a WAF to prevent this attack from happening again. Seems like spoofed IPs are being generated at random, at a rate of hundreds or thousands per second. You would be playing whack-a-mole trying to stop individual IPs.
upvoted 1 times
D1960
3 years, 8 months ago
B. A university web server is under increased load during enrollment. The ISP engineer should immediately increase bandwidth to 2Gbps to restore Internet connectivity. In the future, the university should pay for more bandwidth to handle spikes in web server traffic. Way too many requests to be normal activity. Also, all incoming are from the same port number
upvoted 1 times
D1960
3 years, 8 months ago
A. The ISP engineer should null route traffic to the web server immediately to restore Internet connectivity. The university should implement a remotely triggered black hole with the ISP to resolve this more quickly in the future. This would shut the attack down and restore service, but your server is useless.
upvoted 1 times
D1960
3 years, 9 months ago
A = C = D = Shut off the server? At least in the short term, it seems to me that any of those choices do the same thing: shut off all access to the server. As to C: the only way to block "IP addresses attacking the server" would be to shut down all connections. There is no pattern to the IP address accessing the web server. Although C may give the best long term solution. Could B possibly be an answer? Hard to imagine that thousands of legit users would want to access the server in a second, which seems to be the case
upvoted 1 times
infosec208
4 years, 1 month ago
D is the right answer. The ISP can throw an ACL in to look at the source port for every originating IP address going to the web server IP address and block anything trying to talk inbound.
upvoted 1 times
Trap_D0_r
4 years, 2 months ago
C. The ISP should block the DDoS IPs and a WAF protects your server against DDoS attacks. If you were going with D you might as well just unplug the server (why didn't you just turn it off if we're going to blacklist the SERVER???)
upvoted 2 times
D1960
4 years, 1 month ago
Is that really feasible? There is no pattern to the IP addresses that are attacking. And they are attacking at a rate of thousands per second.
upvoted 1 times
[Removed]
3 years, 3 months ago
WAFs can block based on rate
upvoted 1 times
vorozco
3 years, 2 months ago
Having trouble understanding, what part exactly indicates that they are attacking at a rate of thousands per second?
upvoted 1 times
Community vote distribution: A (35%), C (25%), B (20%), Other