Which statement is true regarding BGP FlowSpec?

Which statement is true regarding BGP FlowSpec?
A . It uses a remote triggered black hole to protect a network from a denial-of-service attack.
B . It uses dynamically created routing policies to protect a network from denial-of-service attacks
C . It is used to protect a network from denial-of-service attacks dynamically
D . It verifies that the source IP of the incoming packet has a resolvable route in the routing table

View Answer

Answer: B

Explanation:

BGP FlowSpec is a feature that extends the Border Gateway Protocol (BGP) to enable routers to exchange traffic flow specifications, allowing for more precise control of network traffic. The BGP FlowSpec feature enables routers to advertise and receive information about specific flows in the network, such as those originating from a particular source or destined for a particular destination. Routers can then use this information to construct traffic filters that allow or deny packets of a certain type, rate limit flows, or perform other actions1. BGP FlowSpec can also help in filtering traffic and taking action against distributed denial of service (DDoS) attacks by dropping the DDoS traffic or diverting it to an analyzer2. BGP FlowSpec rules are internally converted to equivalent Cisco Common Classification Policy Language (C3PL) representing corresponding match and action parameters2. Therefore, BGP FlowSpec uses dynamically created routing policies to protect a network from denial-of-service attacks.

References:

1: https://www.networkingsignal.com/what-is-bgp-flowspec/

2: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_bgp/configuration/xe-16/irg-xe-16-book/bgp-flowspec-route-reflector-support.html