An organization wants the ISP to automatically stop large UDP amplification floods before the attack saturates the 1 Gbps access circuit. The ISP already supports both remotely triggered black-hole (RTBH) routing and BGP FlowSpec. Which mitigation technique should the organization request to block only the malicious packets while still allowing legitimate traffic to reach the target subnet?
Activate host-based firewall rate limiting on the target server to throttle inbound UDP packets.
Inject a /32 null route via destination-based RTBH so the ISP discards all traffic to the victim host.
Implement source-based RTBH that drops traffic from the spoofed reflection networks.
Ask the ISP to deploy a BGP FlowSpec filter that matches the attack's UDP port and packet size.
BGP FlowSpec lets a customer (or the ISP's SOC) inject granular filtering rules-matching protocol, source or destination ports, packet size, and other Layer 3/4 fields-into the provider's BGP infrastructure. Routers that receive the FlowSpec NLRI discard only traffic that matches the rule, so legitimate packets for the same destination prefix continue to flow. Destination-based RTBH would null-route the entire /32 or /24, cutting off valid users, and source-based RTBH requires accurate attacker prefixes, which are rarely known during reflection or spoofed-source floods. Host-level firewalls cannot protect the congested WAN link.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is BGP FlowSpec and how does it work?
Open an interactive chat with Bash
Why is destination-based RTBH not ideal in this scenario?
Open an interactive chat with Bash
What challenges exist with source-based RTBH during UDP amplification attacks?
Open an interactive chat with Bash
What is UDP amplification in network attacks?
Open an interactive chat with Bash
How does BGP FlowSpec work in mitigating DDoS attacks?
Open an interactive chat with Bash
Why is RTBH routing less effective against UDP amplification attacks?
Open an interactive chat with Bash
Certified Ethical Hacker (CEH)
Network and Perimeter Hacking
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .