Exam AWS Certified Security - Specialty topic 1 question 93 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 93
Topic #: 1

An organization operates a web application that serves users globally. The application runs on Amazon EC2 instances behind an Application Load Balancer.
There is an Amazon CloudFront distribution in front of the load balancer, and the organization uses AWS WAF. The application is currently experiencing a volumetric attack whereby the attacker is exploiting a bug in a popular mobile game.
The application is being flooded with HTTP requests from all over the world with the User-Agent set to the following string: Mozilla/5.0 (compatible; ExampleCorp; ExampleGame/1.22; Mobile/1.0)
What mitigation can be applied to block attacks resulting from this bug while continuing to service legitimate requests?

  • A. Create a rule in AWS WAF rules with conditions that block requests based on the presence of ExampleGame/1.22 in the User-Agent header
  • B. Create a geographic restriction on the CloudFront distribution to prevent access to the application from most geographic regions
  • C. Create a rate-based rule in AWS WAF to limit the total number of requests that the web application services.
  • D. Create an IP-based blacklist in AWS WAF to block the IP addresses that are originating from requests that contain ExampleGame/1.22 in the User-Agent header.
Suggested Answer: C

Comments

josellama2000
Highly Voted 2 years, 7 months ago
Agreed. C is the best answer. A WAF rate-based rule will block any client whose traffic (requests) is higher than a threshold that you set. A may help for a little while until the attacker changes the header. Additionally, the rule in A may also block true users. The header Mozilla/5.0 (compatible; ExampleCorp; ExampleGame/1.22; Mobile/1.0): Mozilla/5.0 is the agent; ExampleCorp is the manufacturer of the agent, i.e. Microsoft; ExampleGame/1,2 is the OS, or in this case the game's client application.
upvoted 38 times
LaLune
2 years, 4 months ago
This is a game-based program. Using a rate-based rule here can still block some legitimate traffic. However, a rule based on a specific string appearing in all requests is efficient (option A).
upvoted 3 times
Larsson
2 years, 6 months ago
The attacker would probably not be able to change the header. They would have done it already.
upvoted 3 times
refuz
2 years, 6 months ago
The question is: "What mitigation can be applied to block attacks resulting from this bug while continuing to service legitimate requests?" With C, you will block legitimate requests too. :) I think the correct answer is A.
upvoted 9 times
Danao
Highly Voted 2 years, 7 months ago
A is correct
upvoted 21 times
ramozo
2 years, 6 months ago
https://docs.aws.amazon.com/waf/latest/developerguide/classic-web-acl-string-conditions.html
upvoted 2 times
liuyomz
Most Recent 2 weeks, 4 days ago
Selected Answer: C
C. Blocking by this header would block all legitimate users playing this game.
upvoted 1 times
Raphaello
3 months ago
Selected Answer: A
The request is to block attacks. Rate-limiting the requests does not serve this request at all. "But what happens if the attacker changes the User-Agent header?" That's another question in another test! A is the correct answer.
upvoted 1 times
liuyomz
9 months, 2 weeks ago
Selected Answer: C
C. It makes no sense to block that as in "A"; no normal request would work.
upvoted 1 times
pk0619
10 months, 2 weeks ago
A. What mitigation can be applied to block attacks resulting from this bug? User-Agent blocking will address this vulnerability. Yes, having a rate-based rule in general will help against other floods, but the question here is about a specific vulnerability.
upvoted 1 times
matrpro
1 year ago
Selected Answer: A
A is the correct one. C could be right, but bear in mind that the rate is per IP. In a DDoS, you can be flooded by millions of IPs that only access one time or by one IP that tries to access 1 million times. Then, by filtering per User-Agent you will block both scenarios, whereas using a rate limit you will not. On top of that, you could affect other legal traffic.
upvoted 1 times
ITGURU51
1 year, 1 month ago
C is the best answer given the context of the scenario because rate-based filtering on the WAF allows legit traffic to pass through. The question clearly states that the security solution must not block legit traffic. All the other options would block legit users from accessing the gaming application, for example geolocation filtering or filtering/blocking according to specific strings found in the HTTP request.
upvoted 1 times
bk02
1 year, 3 months ago
It doesn't mean only the attacker has the header; it says all the requests have the header. A WAF rule on the User-Agent would then block all the requests, including legitimate ones. Hence the answer is C.
upvoted 1 times
pooppants
1 year, 4 months ago
Selected Answer: A
I think A is the most likely. You can think about "edge" scenarios for both A & C. Rate limiting is for a single IP, so in a DDoS attack the user could just switch IPs constantly and never reach that threshold. Equally, I agree that an attacker could change the header... I'm going with A, as I think the wording of the question is hinting towards using WAF to restrict via header values.
upvoted 4 times
BK__
1 year, 6 months ago
Ans A. https://aws.amazon.com/premiumsupport/knowledge-center/waf-block-http-requests-no-user-agent/
upvoted 1 times
BK__
1 year, 6 months ago
"To block traffic if the requests contain a specific User-Agent using a custom rule, do the following: .................... "On Statement, for Inspect, choose Single header. For Header field name, enter a name for the field. For example: User-Agent. For Match type, choose Contains string. For String to match, enter the value for your specific User-Agent to block. (Optional) Choose a Text transformation or choose None. For Action, choose Block." ........................."
upvoted 1 times
HieuTT
1 year, 6 months ago
I think C. Rate-based rules are compatible with existing AWS WAF match conditions. This allows you to further refine your match criteria and limit rate-based mitigations to specific URLs of your website or traffic coming from specific referrers (or user agents), or add other custom match criteria.
upvoted 1 times
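The combination the comment above describes, written out as an added AWS WAFv2 rule in JSON (a constructed example, not code from the page or from AWS): a rate-based rule whose scope-down statement only counts requests carrying ExampleGame/1.22 in the User-Agent, so ordinary traffic is never counted against the limit and well-behaved game clients below the threshold keep working. The rule name and the limit of 2000 requests per 5-minute window are assumptions; the web ACL must be created in the CLOUDFRONT scope (us-east-1) to be associated with the distribution.

```json
{
  "Name": "ExampleGameRateLimit",
  "Priority": 0,
  "Statement": {
    "RateBasedStatement": {
      "Limit": 2000,
      "AggregateKeyType": "IP",
      "ScopeDownStatement": {
        "ByteMatchStatement": {
          "FieldToMatch": { "SingleHeader": { "Name": "user-agent" } },
          "PositionalConstraint": "CONTAINS",
          "SearchString": "ExampleGame/1.22",
          "TextTransformations": [ { "Priority": 0, "Type": "NONE" } ]
        }
      }
    }
  },
  "Action": { "Block": {} },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "ExampleGameRateLimit"
  }
}
```

Deploying it with `"Action": { "Count": {} }` first and reading the sampled requests and CloudWatch metric shows how many distinct client IPs would have been blocked before the rule is switched to Block.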
knc
1 year, 7 months ago
Selected Answer: A
The rate-based rule mentioned in "C" would blindly reject the requests, including the legitimate ones. The correct solution is "A", which works on the specific header "ExampleGame/1" related to a bug in the mobile game. So it will block only those requests and allow the others.
upvoted 2 times
VijiTu
1 year, 7 months ago
Answer C https://aws.amazon.com/blogs/security/three-most-important-aws-waf-rate-based-rules/
upvoted 1 times
VijiTu
1 year, 7 months ago
Also refer to the following link: https://aws.amazon.com/blogs/gametech/ddos/ With AWS WAF you can protect web application components of your game, like landing pages, in-app purchasing, or APIs, against application-layer threats or web request floods. AWS WAF allows you to define match conditions and combine these into an AWS WAF rule with the option to allow, block, or count. You can also use rate-based rules to temporarily block IP addresses that match a specified condition and access the application at an excessive rate. Examples of match conditions include string match, regex match, geographic match, size constraint match, cross-site scripting match, and SQL injection match.
upvoted 2 times
sapien45
1 year, 8 months ago
Selected Answer: A
Both A and C would impact legitimate gamers, but A would be less impactful.
upvoted 3 times
NanooWord
1 year, 8 months ago
Selected Answer: A
I think if the company is using AWS WAF then they know about rate limiting as well, so they should restrict the User-Agent to mitigate the issue.
upvoted 3 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other