O'Reilly Modern Defense in Depth

applications. Routers are fully capable of implementing access control lists (ACLs) designed to block certain classes of traffic as well as traffic from certain sources. Although routing traffic is their primary responsibility, routers can also learn the shortest, fastest, and alternative paths to any destination, which provides redundancy and network resiliency. Integrating edge routers with the other defenses found downstream helps protect those defenses themselves, because the edge routers are the first line. Used to their fullest ability, routers become a critical line of defense.

Concerning network security and availability, the most common security use of BGP by a service provider or large enterprise is to redirect unwanted traffic to a discard interface, a technique commonly called a remotely triggered black hole (RTBH). Vast amounts of unwanted traffic can be discarded right at the edge of the network. RTBH has one significant drawback, however: it normally keys on the destination of the traffic and blocks all traffic intended for that destination. Good and unwanted traffic alike are discarded, effectively taking the destination device or service completely offline, which in practice completes the attacker's denial of service.

Because of this limitation, BGP flow specification (FlowSpec) was created as a better method of discarding unwanted traffic at the edge-router layer. FlowSpec defines a new type of Network Layer Reachability Information (NLRI) that carries a traffic filter: a set of match conditions such as destination prefix, source prefix, IP protocol, and ports, together with an action (such as discard or rate-limit) that the receiving routers apply to matching traffic. Because the filter can match on more than the destination address, only the attack traffic is dropped and the service itself stays reachable.

Defensive Line 2: DDoS Defenses

Distributed Denial-of-Service (DDoS) attacks are among the oldest known cyberthreats to internet availability. Around for more than two decades, DDoS attacks remain the attack of choice for threat actors looking to extort money with the threat of a pending outage, or to take an organization offline for a host of other motivations. Today's DDoS attacks are much more sophisticated, blending multiple attack vectors into a single barrage of outage-inducing traffic. DDoS defenses must protect not only networks but also DNS, websites, and applications, regardless of where they are located; this is imperative to maintaining uptime.

16 | Chapter 3: Cloud-Based Lines of Defense for Web Application Security
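The RTBH-versus-FlowSpec contrast described under the edge-router discussion above, as an added example that is not code from the O'Reilly report: it encodes one FlowSpec rule as an RFC 8955 NLRI (destination prefix, IP protocol, source port), builds the traffic-rate extended community that tells routers to discard matches, and then runs a few constructed packets through both an RTBH-style destination-only check and the FlowSpec rule. The victim address 203.0.113.10, the rule (UDP with source port 123, i.e. an NTP reflection flood), and the sample packets are all assumptions made for illustration.

```python
"""Added example, not code from the O'Reilly report: build the BGP FlowSpec
NLRI (RFC 8955) for one filter rule, the traffic-rate extended community that
tells routers to discard matches, and compare what an RTBH route and the
FlowSpec rule each drop. Addresses, ports and packets are constructed."""
import ipaddress
import struct

# RFC 8955 component types used here; components must appear in ascending order.
DST_PREFIX, IP_PROTO, SRC_PORT = 1, 3, 6
OP_END, OP_EQ = 0x80, 0x01  # numeric operator byte: end-of-list bit, "==" bit


def prefix_component(ctype: int, prefix: str) -> bytes:
    """Type 1/2 component: <type><prefix length in bits><prefix octets>."""
    net = ipaddress.IPv4Network(prefix, strict=True)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]


def numeric_component(ctype: int, value: int) -> bytes:
    """Single '== value' operator/value pair, flagged as the last in its list."""
    if not 0 <= value <= 0xFF:
        raise ValueError("this helper only encodes one-octet values")
    return bytes([ctype, OP_END | OP_EQ, value])


def flowspec_nlri(dst: str, proto: int, sport: int) -> bytes:
    """NLRI = length (1 octet below 240, else 0xFnnn) followed by components."""
    body = (prefix_component(DST_PREFIX, dst)
            + numeric_component(IP_PROTO, proto)
            + numeric_component(SRC_PORT, sport))
    if len(body) >= 240:
        return struct.pack("!H", 0xF000 | len(body)) + body
    return bytes([len(body)]) + body


def traffic_rate_discard(asn: int = 0) -> bytes:
    """Extended community type 0x80 subtype 0x06 (traffic-rate): rate 0.0 = drop."""
    return struct.pack("!BBHf", 0x80, 0x06, asn, 0.0)


def rtbh_drops(pkt: dict, blackholed: str) -> bool:
    """RTBH routes the victim prefix to a discard interface: only dst matters."""
    return ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(blackholed)


def flowspec_drops(pkt: dict, rule: dict) -> bool:
    """All components of a FlowSpec rule must match (they are ANDed together)."""
    return (ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(rule["dst"])
            and pkt["proto"] == rule["proto"]
            and pkt["sport"] == rule["sport"])


VICTIM = "203.0.113.10/32"                         # constructed victim address
RULE = {"dst": VICTIM, "proto": 17, "sport": 123}  # UDP from port 123: NTP reflection

PACKETS = {  # constructed sample traffic, all addressed to the victim
    "ntp_reflection": {"dst": "203.0.113.10", "proto": 17, "sport": 123,   "dport": 40001},
    "https_client":   {"dst": "203.0.113.10", "proto": 6,  "sport": 51000, "dport": 443},
    "dns_reply":      {"dst": "203.0.113.10", "proto": 17, "sport": 53,    "dport": 33333},
}


def compare() -> dict:
    """Per packet: would RTBH drop it, would the FlowSpec rule drop it."""
    return {name: {"rtbh": rtbh_drops(p, VICTIM), "flowspec": flowspec_drops(p, RULE)}
            for name, p in PACKETS.items()}


if __name__ == "__main__":
    print("FlowSpec NLRI :", flowspec_nlri(RULE["dst"], RULE["proto"], RULE["sport"]).hex())
    print("traffic-rate  :", traffic_rate_discard().hex())
    for name, v in compare().items():
        print(f"{name:15s} rtbh={'drop' if v['rtbh'] else 'pass':4s} "
              f"flowspec={'drop' if v['flowspec'] else 'pass'}")
```

Running it shows the drawback the text describes: the RTBH check drops all three packets, including the legitimate HTTPS client and the DNS reply, because it can only see the destination, whereas the FlowSpec rule drops only the NTP reflection flow. In a real deployment the NLRI and the traffic-rate community are carried in a BGP UPDATE for the IPv4 FlowSpec address family from a controller or route server to the edge routers; the `numeric_component` helper here only encodes single-octet equality matches, so ports above 255 or range operators would need the two-octet length and lt/gt bits that RFC 8955 also defines.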