0)What mitigation can be applied to block attacks resulting from this bug while continuing to service legitimate requests?

By:
In: SCS-C01
Tagged:
With: 1 Comment
An organization operates a web application that serves users globally.The application runs on Amazon EC2 instances behind an Application Load Balancer.There is an Amazon CloudFront distribution in front of the load balancer, and the organization uses AWS WAF.The application is currently experiencing a volumetric attack whereby the attacker is exploiting a bug in a popular mobile game.The application is being flooded with HTTP requests from all over the world with the User-Agent set to the following string: Mozilla/5.0 (compatible; ExampleCorp;ExampleGame/1.22; Mobile/1.

0)What mitigation can be applied to block attacks resulting from this bug while continuing to service legitimate requests?

Create a rule in AWS WAF rules with conditions that block requests based on the presence of ExampleGame/1.22 in the User-Agent header

Create a geographic restriction on the CloudFront distribution to prevent access to the application from most geographic regions

Create a rate-based rule in AWS WAF to limit the total number of requests that the web application services.

Create an IP-based blacklist in AWS WAF to block the IP addresses that are originating from requests that contain ExampleGame/1.22 in the User-Agent header.

Explanations:

Creating a rule in AWS WAF to block requests based on the presence ofExampleGame/1.22in the User-Agent header is an effective way to block malicious traffic while allowing legitimate requests to pass through. This directly targets the identified exploit (the user-agent string), making it a precise and focused mitigation strategy.

Geographic restrictions on CloudFront would block access from entire regions, which is too broad a measure. It could result in denying legitimate users from certain regions, which is not the most targeted approach to mitigating the attack.

A rate-based rule in AWS WAF would limit the total number of requests, but it may not be effective against a volumetric attack where the attacker sends a large number of requests in a short time from a wide range of IP addresses. Rate limiting may also affect legitimate users, particularly in regions or times with high traffic, making it less optimal for this scenario.

Blocking IP addresses based on the User-Agent header is not an effective strategy because the attack could originate from many different IP addresses, and blocking them would not prevent new IP addresses from being used in the attack. Additionally, legitimate users may also be affected if they share the same IP range as attackers.

2025-10-09

1 Comment

  1. William
    Author

    I structure that the answer is:
    Create a rule in AWS WAF rules with conditions that block requests based on the presence of ExampleGame/1.22 in the User-Agent header

Leave a Reply to William Cancel reply

Your email address will not be published. Required fields are marked *

four × one =