A pharma company has deployed a new web application on multiple Amazon EC2 instances behind an Application Load Balancer and is protected by AWS WAF.
The Security Operations team was observing spam traffic from an IP address and instructed you to block immediately.
Further checks found that this IP address is accessing web applications from behind the proxy server. Which is the correct rule that can be applied to meet this requirement?
Click on the arrows to vote for the correct answer
A. B. C. D.Correct Answer: C.
Using AWS WAF, two types of rules can be set; regular rules & rate-based rules.
It considers the number of requests coming from a particular IP address in a five-minute interval with rate-based rules.
If those requests are exceeding threshold limits, AWS WAF would block the IP address.
Regular Rules simply allow or block a matching IP address.
Web request origin consists of the IP address of the proxy server & not of an originating client IP address.
In such cases, the originating client IP address is forwarded in the X-Forwarded-For HTTP header.
In the above case, since the IP address needs to be blocked immediately & is behind a proxy server, the AWS WAF rule matching IP address from the X-Forwarded-For HTTP header can suffice the requirement to block spam traffic from this IP address.
Options A & B are incorrect as IP addresses need to be blocked immediately, rate-based rules won't be an ideal option.
Option D is incorrect as traffic is from an IP address that is behind a proxy server, matching an IP address in web request origin won't be able to block the traffic.
In this case, web request origin consists of the IP address of the proxy server & not of the originating client.
For more information on AWS WAF rules for the forwarded IP addresses, refer to the following URL,
https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-forwarded-ip-address.htmlThe correct rule that can be applied in this scenario is option B - Configure WAF rate-based rules to block matching IP addresses from the X-Forwarded-For HTTP header.
Explanation:
When a request passes through a proxy server, the proxy server adds an HTTP header called X-Forwarded-For. This header identifies the IP address of the client that made the request. In this scenario, the spam traffic is originating from the IP address that is being forwarded through the proxy server.
To block this IP address, we need to configure WAF rate-based rules to block matching IP addresses from the X-Forwarded-For HTTP header. Rate-based rules allow you to track the rate of requests from a particular IP address over time and take action based on that.
Option A, Configure WAF rate-based rules to block matching IP addresses for web request origin, is incorrect because it does not take into account the proxy server. Blocking IP addresses for web request origin will not work in this scenario because the IP address that needs to be blocked is being forwarded through the proxy server.
Option C, Configure WAF rule to block matching IP address from X-Forwarded-For HTTP header, is incorrect because it does not consider the rate of requests from the IP address. Blocking only the IP address in the header can be easily bypassed by changing the header value.
Option D, Configure WAF rule to block matching IP address for web request origin, is incorrect for the same reason as Option A. It does not consider the proxy server and will not be effective in blocking the IP address that is being forwarded through it.
In conclusion, Option B is the correct answer because it considers both the rate of requests from the IP address and the fact that it is being forwarded through a proxy server.