Question 18
Domain 3: Infrastructure Security
An organization operates a web application that serves users globally. The application runs on Amazon EC2 instances behind an Application Load Balancer. There is an Amazon CloudFront distribution in front of the load balancer, and the organization uses AWS WAF. The application is currently experiencing a volumetric attack in which the attacker is exploiting a bug in a popular mobile game. The application is being flooded with HTTP requests from all over the world with the User-Agent header set to the following string:
Mozilla/5.0 (compatible; ExampleCorp; ExampleGame/1.22; Mobile/1.0)
What mitigation can be applied to block attacks resulting from this bug while continuing to service legitimate requests?
Correct answer: A
Explanation
AWS WAF is designed to “apply restrictions at the edge based on various criteria,” including inspecting headers and blocking known attack patterns. Because the flood uses a fixed User-Agent string, a WAF rule matching “ExampleGame/1.22” in the User-Agent header blocks the malicious traffic while allowing legitimate requests with different headers.
Why each option is right or wrong
A. Create a rule in AWS WAF rules with conditions that block requests based on the presence of ExampleGame/1.22 in the User-Agent header.
AWS WAF supports header-based matching rules, and the relevant control here is a string match condition on the User-Agent header that contains the fixed token `ExampleGame/1.22`. Because the attack traffic is identifiable by that exact header value, the rule can block only those requests at the edge in front of CloudFront/ALB, while legitimate users with different User-Agent strings continue through. This aligns with AWS WAF’s edge filtering capabilities and avoids blunt rate-based or origin-side blocking that would disrupt normal global traffic.
B. Create a geographic restriction on the CloudFront distribution to prevent access to the application from most geographic regions.
Geographic restrictions block by location, not by the User-Agent signature that identifies this traffic. Because the flood arrives from all over the world, restricting most regions would cut off legitimate users in those regions while still admitting attack requests from any region left open.
C. Create a rate-based rule in AWS WAF to limit the total number of requests that the web application services.
Rate-based rules limit request volume, not requests matching a known bug signature; throttling the total number of requests would degrade service for legitimate users along with the flood.
D. Create an IP-based blacklist in AWS WAF to block the IP addresses that are originating from requests that contain ExampleGame/1.22 in the User-Agent header.
IP blacklists block source addresses, but the attack indicator here is the User-Agent header. With requests arriving from all over the world the address list would be large and constantly changing, and it would also block legitimate users who share those addresses.
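The rule from option A, written out as an added example (not part of the original question and not AWS code): the rule dictionary is in the form the AWS WAFv2 API accepts in a web ACL's Rules list (a ByteMatchStatement on the user-agent header with the CONTAINS constraint), and the evaluator below is a small local model of how WAF applies such a statement, so the rule can be exercised offline against constructed sample requests. The header names, request ids and the Firefox User-Agent are assumptions made up for the example; the `ExampleGame/1.22` token comes from the question.

```python
"""Added example: the option A User-Agent match rule plus a local evaluator.

The evaluator is a simplified model of AWS WAF semantics written for this
page; it is not AWS code. The sample requests are constructed."""

# User-Agent string from the question that identifies the buggy game clients.
ATTACK_UA = "Mozilla/5.0 (compatible; ExampleCorp; ExampleGame/1.22; Mobile/1.0)"

# Rule in the shape used by wafv2 UpdateWebACL "Rules". For a CloudFront
# distribution the web ACL is Scope=CLOUDFRONT and lives in us-east-1.
# SingleHeader names are lowercase; SearchString is matched as bytes.
BLOCK_EXAMPLEGAME_RULE = {
    "Name": "BlockExampleGameBug",
    "Priority": 0,
    "Statement": {
        "ByteMatchStatement": {
            "SearchString": b"ExampleGame/1.22",
            "FieldToMatch": {"SingleHeader": {"Name": "user-agent"}},
            "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
            "PositionalConstraint": "CONTAINS",
        }
    },
    "Action": {"Block": {}},
    "VisibilityConfig": {
        "SampledRequestsEnabled": True,  # keep samples to verify the match
        "CloudWatchMetricsEnabled": True,  # graph blocked-request counts
        "MetricName": "BlockExampleGameBug",
    },
}


def _transform(value: bytes, transformations) -> bytes:
    """Apply the text transformations modelled here (NONE, LOWERCASE)."""
    for t in sorted(transformations, key=lambda x: x["Priority"]):
        if t["Type"] == "NONE":
            continue
        if t["Type"] == "LOWERCASE":
            value = value.lower()
        else:
            raise ValueError(f"transformation {t['Type']} not modelled")
    return value


def byte_match_statement_matches(stmt: dict, request: dict) -> bool:
    """Model of ByteMatchStatement on a SingleHeader field."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    name = stmt["FieldToMatch"]["SingleHeader"]["Name"].lower()
    raw = headers.get(name)
    if raw is None:
        return False  # header absent: nothing to inspect, no match
    value = _transform(raw.encode("utf-8"), stmt["TextTransformations"])
    needle = stmt["SearchString"]
    constraint = stmt["PositionalConstraint"]
    if constraint == "EXACTLY":
        return value == needle
    if constraint == "STARTS_WITH":
        return value.startswith(needle)
    if constraint == "ENDS_WITH":
        return value.endswith(needle)
    if constraint == "CONTAINS":
        return needle in value
    raise ValueError(f"constraint {constraint} not modelled")


def evaluate_web_acl(rules, request, default_action="ALLOW") -> str:
    """First matching rule in Priority order decides; otherwise the default."""
    for rule in sorted(rules, key=lambda r: r["Priority"]):
        stmt = rule["Statement"]
        if "ByteMatchStatement" in stmt and byte_match_statement_matches(
            stmt["ByteMatchStatement"], request
        ):
            return next(iter(rule["Action"])).upper()  # "Block" -> "BLOCK"
    return default_action


# Constructed sample traffic: two flood requests, a browser, a patched game
# build, and a request with no User-Agent at all.
SAMPLE_REQUESTS = [
    {"id": "flood-1", "headers": {"User-Agent": ATTACK_UA}},
    {"id": "flood-2", "headers": {"user-agent": ATTACK_UA, "Accept": "*/*"}},
    {"id": "browser", "headers": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/115.0"}},
    {"id": "patched-game", "headers": {"User-Agent": ATTACK_UA.replace("1.22", "1.23")}},
    {"id": "no-ua", "headers": {"Accept": "text/html"}},
]


def summarize(rules, requests):
    """Return (action counts, ids of blocked requests) for a batch."""
    counts = {"ALLOW": 0, "BLOCK": 0}
    blocked = []
    for req in requests:
        action = evaluate_web_acl(rules, req)
        counts[action] += 1
        if action == "BLOCK":
            blocked.append(req["id"])
    return counts, blocked


if __name__ == "__main__":
    print(summarize([BLOCK_EXAMPLEGAME_RULE], SAMPLE_REQUESTS))
```

Only the two requests carrying the `ExampleGame/1.22` token are blocked; the browser, the patched game build and the header-less request pass through to the default allow action. In a real deployment the VisibilityConfig settings are what let you confirm this in CloudWatch and in sampled requests before trusting the rule, and since a fixed-string match depends on the attacker not changing the header, the sampled requests are also where you would notice the signature drifting.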