Exam CAS-004 topic 1 question 286 discussion

Actual exam question from CompTIA's CAS-004
Question #: 286
Topic #: 1

A security administrator sees several hundred entries in a web server security log that are similar to the following:



The network source varies, but the URL, status, and user agent are the same. Which of the following would BEST protect the web server without blocking legitimate traffic?

  • A. Replace the file xmlrpc.php with a honeypot form to collect further IOCs.
  • B. Automate the addition of bot IP addresses into a deny list for the web host.
  • C. Script the daily collection of the WHOIS ranges to add to the WAF as a denied ACL.
  • D. Block every subnet that is identified as having a bot that is a source of the traffic.
Suggested Answer: B
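The following is an added worked example, not part of the exam question or of any comment on this page. It parses web server access-log lines, detects the pattern the question describes (the same URL, status and user agent arriving from many different source addresses) and builds the per-IP deny list that option B calls for, then shows what a /24 subnet block (option D) would also cut off. The log format (Apache/nginx "combined"), the thresholds, the sample lines, the request path and user agent, and the nginx `deny` rendering are all assumptions; the sample source addresses are drawn from the RFC 5737 documentation ranges.

```python
"""
Added example: detect a distributed bot pattern in web server logs and
derive a per-IP deny list (option B), comparing it with a /24 block (option D).
Log format, thresholds and sample lines are assumptions, not the exam's data.
"""
import ipaddress
import re
from collections import defaultdict

# Apache/nginx "combined" format; adjust the regex to your server's layout.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample. Source addresses are RFC 5737 documentation ranges;
# the request and user agent are made up to mirror the scenario.
BOT_UA = "Mozilla/5.0 (compatible; XmlrpcScanner/1.0)"
LEGIT_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:118.0) Gecko/20100101 Firefox/118.0"
BOT_IPS = ["192.0.2.10", "192.0.2.77", "198.51.100.5", "198.51.100.9",
           "203.0.113.3", "203.0.113.40"]
LEGIT_REQUESTS = [("198.51.100.20", "GET", "/about", "200"),
                  ("203.0.113.50", "GET", "/", "200")]


def _line(ip, method, path, status, ua):
    return (f'{ip} - - [10/Oct/2023:13:55:36 +0000] "{method} {path} HTTP/1.1" '
            f'{status} 512 "-" "{ua}"')


SAMPLE_LOG = "\n".join(
    [_line(ip, "POST", "/xmlrpc.php", "403", BOT_UA) for ip in BOT_IPS for _ in range(2)]
    + [_line(ip, m, p, s, LEGIT_UA) for ip, m, p, s in LEGIT_REQUESTS]
)


def parse(log_text):
    """Return one dict per well-formed log line; malformed lines are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, log_text.splitlines()) if m]


def bot_signatures(entries, min_sources=5):
    """Group requests by (method, path, status, user agent). A signature seen
    from at least min_sources distinct addresses is the distributed pattern
    from the question: everything identical except the source."""
    sources = defaultdict(set)
    for e in entries:
        sources[(e["method"], e["path"], e["status"], e["ua"])].add(e["ip"])
    return {sig: ips for sig, ips in sources.items() if len(ips) >= min_sources}


def per_ip_deny_list(entries, min_sources=5):
    """Option B: only the addresses that actually sent the bot signature."""
    deny = set()
    for ips in bot_signatures(entries, min_sources).values():
        deny |= ips
    return sorted(deny, key=ipaddress.ip_address)


def subnet_deny_list(ips, prefix_len=24):
    """Option D: the enclosing subnets of those addresses."""
    return sorted({ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False) for ip in ips})


def collateral_damage(entries, ips, subnets):
    """Legitimate sources (never sent the bot signature) that a subnet block
    would cut off anyway."""
    legit = {e["ip"] for e in entries} - set(ips)
    return sorted(ip for ip in legit
                  if any(ipaddress.ip_address(ip) in net for net in subnets))


def nginx_deny_directives(ips):
    """Render the deny list as nginx 'deny' directives for the automated
    update on the web host (include the file in http/server/location context)."""
    return "\n".join(f"deny {ip};" for ip in ips)


def compare(log_text=SAMPLE_LOG):
    entries = parse(log_text)
    ips = per_ip_deny_list(entries)
    subnets = subnet_deny_list(ips)
    return {
        "ip_deny": ips,
        "subnet_deny": [str(n) for n in subnets],
        "collateral": collateral_damage(entries, ips, subnets),
    }


if __name__ == "__main__":
    result = compare()
    print("per-IP deny list :", result["ip_deny"])
    print("/24 deny list    :", result["subnet_deny"])
    print("legit IPs a /24 block would also cut off:", result["collateral"])
    print(nginx_deny_directives(result["ip_deny"]))
```

In the constructed sample the per-IP list contains exactly the six scanning addresses, while the /24 list covers three whole subnets and would also drop the two legitimate visitors that happen to share a /24 with a bot. In production the deny list should age out entries (bot addresses rotate, and a home or mobile address may be reassigned), and an IP that multiple distinct signatures arrive from within a short window is a stronger signal than a single burst.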

Comments

b49eb27
7 months ago
The source IP varies, the URL, status, and user agent are always the same across the several hundred logs. So I think we can safely rule out A. Let's look at Option B and just by looking at the one sample, we would be adding the 151.205.188.74 address. The Hostname section: Hostname:pool-151.205.188.74-nycmny.isp.net. This is an ISP provider and it is providing an IP address, this is NOT NAT. So it is safe to say that malicious activity is coming from this address. Looking at option C and just our sample, we would be blocking all of the address range 151.196.0.0 - 151.205.255.255. Which is not ideal but better than blocking all of the millions of users in Staten Island, like is happening now. Looking at Option D, and just this sample, we would be blocking 151.205.188.0 - 151.205.188.255 (I'm really guessing, I'm not sure about the CIDR); no matter what, that is still a large number of potentially legit traffic. The best option to meet the requirements of "BEST PROTECT the webserver WITHOUT blocking legitimate traffic" is B.
upvoted 1 times
b49eb27
7 months ago
https://www.examtopics.com/exams/comptia/cas-004/view/6/
upvoted 1 times
ElDirec
9 months, 1 week ago
Selected Answer: B
Option C, “Script the daily collection of the WHOIS ranges to add to the WAF as a denied ACL”, could potentially help in blocking malicious traffic. However, it might also block legitimate traffic if not managed carefully.
upvoted 4 times
CraZee
9 months, 2 weeks ago
Selected Answer: C
ChatGPT 3.5 suggested C (dynamically updating the WAF...)
upvoted 1 times
OdinAtlasSteel
11 months, 1 week ago
Selected Answer: C
This approach allows you to dynamically update the WAF with denied ACLs based on the WHOIS information related to the repeated malicious requests. It helps in blocking traffic associated with these ranges while still allowing legitimate traffic to access the web server. Other options such as replacing the file with a honeypot (Option A) might not directly address the ongoing issue of excessive traffic. Automating the addition of bot IP addresses into a deny list (Option B) might be too aggressive and could inadvertently block legitimate users. Blocking entire subnets (Option D) might also result in blocking legitimate users and may not be precise enough to target only the malicious traffic. Therefore, dynamically updating the WAF with denied ACLs based on WHOIS information provides a more targeted and effective approach to mitigate the issue without affecting legitimate users.
upvoted 1 times
weaponxcel
1 year ago
Selected Answer: B
B. Automate the addition of bot IP addresses into a deny list for the web host. This will prevent the bots from accessing the web server at all, while still allowing legitimate traffic to pass through.
upvoted 2 times
32d799a
1 year ago
Selected Answer: B
Blacklisting IP addresses based on bot-like behavior can be effective in the short term, but attackers can change their IPs. Also, there is a risk of blocking legitimate traffic if a legitimate user's behavior triggers the bot-like definition or if they share an IP with a bot (as is common with users behind NAT or using VPNs).
upvoted 2 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other