What is the problem?
Despite the fact that DNS diversion is easier than BGP, BGP is the more complete one because DNS is not good for non-web services. It also does not protect against an attack directly on the IPs or network. The problem is that many organizations do not own a Class-C network that is a condition for BGP diversion, and BGP is not accessible to them.
What is the solution?
IP Protection is a method that overcomes the non-web service problem. The service provider provisions the customer an IP out of its own Class C network. Instead of using the customer’s Class C, the provider’s Class C is used. From here, the diversion continues like any other BGP diversion, and will commonly have a GRE tunnel to route traffic back to the customer.
IP Protection—and this is an important point to clarify—does not directly solve the attack problem because an attacker can still learn the organization’s IPs and attack them directly. However, just like in DNS diversion, there are workarounds to reasonably close this attack vector.
Is this the only solution to the problem?
No, L4 proxy is another solution to the problem (offered by F5). However, the number of vendors that offer a solution to the problem is still limited.
ARE YOU READY?
Answer seven online questions and get a free report assessing your protection status with recommendations for improvement