ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Security - Specialty All Questions

View all questions & answers for the AWS Certified Security - Specialty exam
Go to Exam

Exam AWS Certified Security - Specialty topic 1 question 93 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 93
Topic #: 1
[All AWS Certified Security - Specialty Questions]

An organization operates a web application that serves users globally. The application runs on Amazon EC2 instances behind an Application Load Balancer.
There is an Amazon CloudFront distribution in front of the load balancer, and the organization uses AWS WAF. The application is currently experiencing a volumetric attack whereby the attacker is exploiting a bug in a popular mobile game.
The application is being flooded with HTTP requests from all over the world with the User-Agent set to the following string: Mozilla/5.0 (compatible; ExampleCorp;
ExampleGame/1.22; Mobile/1.0)
What mitigation can be applied to block attacks resulting from this bug while continuing to service legitimate requests?

  • A. Create a rule in AWS WAF rules with conditions that block requests based on the presence of ExampleGame/1.22 in the User-Agent header
  • B. Create a geographic restriction on the CloudFront distribution to prevent access to the application from most geographic regions
  • C. Create a rate-based rule in AWS WAF to limit the total number of requests that the web application services.
  • D. Create an IP-based blacklist in AWS WAF to block the IP addresses that are originating from requests that contain ExampleGame/1.22 in the User-Agent header.
Show Suggested Answer Hide Answer
Suggested Answer: A 🗳️
by BillyC at Aug. 31, 2019, 11:34 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
josellama2000
Highly Voted 3 years, 7 months ago
Agreed. C is the best answer. An AWF rate-based rule will block any client which traffic (requests) are higher than a threshold that you set. A is may help for a little while until the attacker changes the header. Additonally, the rule in A may block also true users. The header Mozilla/5.0 (compatible; ExampleCorp; ExampleGame/1.22; Mobile/1.0). - Mozilla/5.0 is the agent - ExampleCorp is the manufacturer of the agent I.E. Microsoft - ExampleGame/1,2 is the OS or in this case the game's client application
upvoted 40 times
LaLune
3 years, 3 months ago
This is a game-based program. Using rate-based rule here can still block some legitimate traffic. However, rule based on specific string appearing on all request is efficient (option A).
upvoted 3 times
...
Larsson
3 years, 5 months ago
The attacker would not be able to change the header probably. They would have done it already
upvoted 3 times
...
refuz
3 years, 5 months ago
The question is: "What mitigation can be applied to block attacks resulting from this bug while continuing to service legitimate requests?". With C, you will block legitimate too. :) I think the correct answer is A.
upvoted 10 times
...
...
Danao
Highly Voted 3 years, 7 months ago
A is correct
upvoted 22 times
ramozo
3 years, 5 months ago
https://docs.aws.amazon.com/waf/latest/developerguide/classic-web-acl-string-conditions.html
upvoted 2 times
...
...
shammous
Most Recent 6 months ago
Selected Answer: A
We want to "block" not "limit"! And is done using am AWS WAF rule.
upvoted 1 times
...
Dave1234532
11 months ago
Selected Answer: C
A would block everyone, including legitimate users. C would OCCASIONALLY block legitimate users potentially, but it wouldn't bring down the whole game.
upvoted 1 times
...
liuyomz
1 year ago
Selected Answer: C
C. Blocking by this header would block all legitimate users playing this Game
upvoted 1 times
virtual
5 months, 1 week ago
No ... "The application is being flooded with HTTP requests from all over the world with the User-Agent xxx" so the first goal is to block users with this user agent ... I think it's A.
upvoted 1 times
...
...
Raphaello
1 year, 2 months ago
Selected Answer: A
The request is to block attacks. Rate-limiting the requests does not server with anything for this request. "But what happens if the attacker change the user-agent header?"..that's another question in another test! A is the correct answer.
upvoted 1 times
...
Raphaello
1 year, 2 months ago
The request is to block attacks. Rate-limiting the requests does not server with anything for this request. "But what happens if the attacker change the user-agent header?"..that's another question in another test! A is the correct answer.
upvoted 1 times
...
liuyomz
1 year, 8 months ago
Selected Answer: C
C. Makes no sense to block that at "A", no normal request would work
upvoted 2 times
...
pk0619
1 year, 9 months ago
A What mitigation can be applied to block attacks resulting from this bug? UserAgent blocking will address this vulnerability . Yes- having a rate based rule in general will help from other floods, but the question here is about a specific vulnerability.
upvoted 1 times
...
matrpro
1 year, 11 months ago
Selected Answer: A
A is the correct one. C could be right but bear in mind that the rate is per IP. In a DDoS, you can be flooded by millions of IPs that only access one time or by one IP that tries to access 1 million times. Then, by filtering per User agent you will block both scenarios when using a rate limit you will not. On tp of that, you could affect other legal traffic.
upvoted 1 times
...
ITGURU51
2 years ago
C is the best answer given the context of the scenario because rate based filtering on the WAF allows legit traffic to pass through. The question clearly states that the security solution must not block legit traffic. All the other options would block legit users from accessing the gaming application. For example, Geolocation filtering or filtering/blocking according to specific strings found in the http request.
upvoted 1 times
...
bk02
2 years, 2 months ago
It doesn't mean only the attacker has the header it says all the requests has the header, WAF rule with user-agent then will block all the request including legitimate once , Hence the answer is C
upvoted 1 times
...
pooppants
2 years, 4 months ago
Selected Answer: A
I think A is the most likely. You can think about "edge" scenarios for both A & C. Rate limiting is for a single IP, so in a DDOS attack user could just switch IPs constantly and reach that threshold. Equally, I agree that an attacker could change the header... I'm going with A, as I think the wording of the question is hinting towards using WAF to restrict via header values.
upvoted 4 times
...
BK__
2 years, 5 months ago
Ans A https://aws.amazon.com/premiumsupport/knowledge-center/waf-block-http-requests-no-user-agent/
upvoted 1 times
BK__
2 years, 5 months ago
"To block traffic if the requests contain a specific User-Agent using a custom rule, do the following: .................... "On Statement, for Inspect, choose Single header. For Header field name, enter a name for the field. For example: User-Agent. For Match type, choose Contains string. For String to match, enter the value for your specific User-Agent to block. (Optional) Choose a Text transformation or choose None. For Action, choose Block." ........................."
upvoted 1 times
...
...
HieuTT
2 years, 5 months ago
i think C . Rate-based rules are compatible with existing AWS WAF match conditions. This allows you to further refine your match criteria and limit rate-based mitigations to specific URLs of your website or traffic coming from specific referrers (or user agents) or add other custom match criteria.
upvoted 1 times
...
knc
2 years, 6 months ago
Selected Answer: A
Rate based rule mentioned in 'C' would blindly reject the requests including the legitimate one. The correct solution is "A" which works on the specific header "ExampleGame/1" related to a bug in mobile game. So it will block only those requests and allow other.
upvoted 2 times
...
VijiTu
2 years, 6 months ago
Answer C https://aws.amazon.com/blogs/security/three-most-important-aws-waf-rate-based-rules/
upvoted 1 times
VijiTu
2 years, 6 months ago
Also refer the following link https://aws.amazon.com/blogs/gametech/ddos/ With AWS WAF you can protect web application components of your game, like landing pages, in-app purchasing, or APIs against application-layer threats or web request floods. AWS WAF allows you to define match conditions and combine these into an AWS WAF rule with the option to allow, block, or count. You can also use rate-based rules to temporarily block IP addresses that match a specified condition and access the application at an excessive rate. Examples of match conditions include string match, regex match, geographic match, size constraint match, cross-site scripting match, and SQL injection match.
upvoted 2 times
...
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago