25. Match conditions: IPSets
CIDR is specified per octet:
• 192.0.0.0/8 – Matches 192.*.*.*
• 192.168.0.0/16
• 192.168.32.0/24
• 192.168.32.64/32 – Use /32 to specify a single IP address
Limits
• Up to 1,000 CIDRs per IPSet
• Up to 10,000 CIDRs in total per web ACL
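The per-octet CIDR matching and the two limits above, as an added example that is not part of the slides and not AWS WAF's own code. It uses only the Python standard library, models an IPSet as a list of CIDR strings, and takes the 1,000 and 10,000 limits from the slide; how the real service treats a CIDR with host bits set is not covered by the slide, so the normalisation shown here is an assumption of the example.

```python
import ipaddress

# Limits as stated on the slide.
MAX_CIDRS_PER_IPSET = 1000
MAX_CIDRS_PER_WEB_ACL = 10000


def validate_ipset(cidrs):
    """Parse an IPSet's CIDR strings, enforcing the per-IPSet limit.

    strict=False normalises host bits away, so "192.168.32.64/24" becomes
    192.168.32.0/24 (an assumption of this example, not documented WAF behaviour).
    """
    if len(cidrs) > MAX_CIDRS_PER_IPSET:
        raise ValueError(f"IPSet has {len(cidrs)} CIDRs; limit is {MAX_CIDRS_PER_IPSET}")
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def validate_web_acl(ipsets):
    """Enforce both limits for all IPSets referenced by one web ACL.

    `ipsets` maps an IPSet name to its list of CIDR strings; returns the total.
    """
    total = 0
    for name, cidrs in ipsets.items():
        total += len(validate_ipset(cidrs))
    if total > MAX_CIDRS_PER_WEB_ACL:
        raise ValueError(f"web ACL references {total} CIDRs; limit is {MAX_CIDRS_PER_WEB_ACL}")
    return total


def ip_matches(ip, cidrs):
    """Return the first CIDR in the IPSet that contains `ip`, or None.

    /8 matches the first octet, /16 the first two, /24 the first three and
    /32 exactly one address, as on the slide.
    """
    addr = ipaddress.ip_address(ip)
    for net in validate_ipset(cidrs):
        if addr.version == net.version and addr in net:
            return str(net)
    return None


if __name__ == "__main__":
    slide_ipset = ["192.0.0.0/8", "192.168.0.0/16", "192.168.32.0/24", "192.168.32.64/32"]
    for client in ("192.168.32.64", "192.168.32.65", "192.1.2.3", "10.0.0.1"):
        print(client, "->", ip_matches(client, slide_ipset))
```

The /32 entry is the only one that matches exactly one client; note that in `ip_matches` the /8 entry is listed first, so a client inside the /32 is reported as matching the broader /8 first, which is why order matters when you use the returned CIDR for logging or rule ordering.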
26. Match conditions: Strings and bytes
Matches against the content of the web request.
RAW request headers (from CloudFront to AWS WAF):
Host: www.example.com
User-Agent: Mozilla/5.0 (Macintosh; …
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referrer: http://www.example.com/
Connection: keep-alive
Rule (String match condition):
Check: Header “Referrer”
Match Type: Contains
Match: “example.com”
Action: ALLOW
Result: Good users
27. Match conditions: Strings and bytes
RAW request headers (from CloudFront to AWS WAF):
Host: www.example.com
User-Agent: badbot
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referrer: http://www.example.com/
Connection: keep-alive
Rule (String match condition):
Check: Header “User-Agent”
Match Type: Contains
Match: “badbot”
Action: BLOCK
Result: Scraper bot
28. Match conditions: Strings and bytes
Small variations can be handled with “transforms”.
RAW request headers (from CloudFront to AWS WAF):
Host: www.example.com
User-Agent: bAdBoT
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referrer: http://www.InTeRnEtkItTiEs.com/
Connection: keep-alive
Rule (String match condition):
Check: Header “User-Agent”
Transform: To lower
Match Type: Contains
Match: “badbot”
Action: BLOCK
Result: Scraper bot
29. Match conditions: Strings and bytes
Match types
1. Contains
2. Exact
3. Begins with
4. Ends with
5. Contains word
Transformations
1. Convert to lowercase
2. HTML decode
3. Remove whitespace
4. Simplify command line
5. URL decode
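The string match conditions of slides 26 to 29 (header lookup, the five match types, and the transforms applied before comparison) as one added example; this is not code from the slides or from AWS WAF, but a standard-library model of how such a rule is evaluated. The request below is constructed from the slide-28 headers. The transform names, the `evaluate_rule` signature and the word-boundary definition used for "Contains word" are assumptions of the example; "Simplify command line" is not modelled.

```python
import html
import re
import urllib.parse

# Constructed raw request, copied from slide 28 (not captured traffic): the
# mixed-case "bAdBoT" is what a case-sensitive "Contains badbot" misses.
RAW_REQUEST_HEADERS = """\
Host: www.example.com
User-Agent: bAdBoT
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referrer: http://www.InTeRnEtkItTiEs.com/
Connection: keep-alive
"""


def parse_headers(raw):
    """Parse 'Name: value' lines into a dict keyed by lower-cased header name."""
    headers = {}
    for line in raw.splitlines():
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


# Transforms are applied to the request component only; the match value is
# compared as written in the rule. "Simplify command line" is not modelled.
TRANSFORMS = {
    "none": lambda s: s,
    "lowercase": str.lower,
    "html_decode": html.unescape,
    "remove_whitespace": lambda s: re.sub(r"\s+", "", s),
    "url_decode": urllib.parse.unquote,
}

# "Contains word": the value must not be preceded or followed by an
# alphanumeric character or underscore (assumed word-boundary definition).
MATCH_TYPES = {
    "contains": lambda field, target: target in field,
    "exact": lambda field, target: field == target,
    "begins_with": lambda field, target: field.startswith(target),
    "ends_with": lambda field, target: field.endswith(target),
    "contains_word": lambda field, target: re.search(
        r"(?<![A-Za-z0-9_])" + re.escape(target) + r"(?![A-Za-z0-9_])", field
    ) is not None,
}


def evaluate_rule(raw_request, header, match_type, target, transform="none", action="BLOCK"):
    """Apply one string match condition to a raw request.

    Returns the rule's action ('BLOCK' or 'ALLOW') when the condition matches,
    or None when it does not, so a caller can fall through to the next rule.
    """
    field = parse_headers(raw_request).get(header.lower(), "")
    field = TRANSFORMS[transform](field)
    return action if MATCH_TYPES[match_type](field, target) else None


if __name__ == "__main__":
    # Slide 27's rule misses the mixed-case bot; slide 28's transform catches it.
    print("no transform :", evaluate_rule(RAW_REQUEST_HEADERS, "User-Agent", "contains", "badbot"))
    print("to lower     :", evaluate_rule(RAW_REQUEST_HEADERS, "User-Agent", "contains", "badbot",
                                          transform="lowercase"))
    # Slide 26's allow rule does not fire for this Referrer.
    print("allow rule   :", evaluate_rule(RAW_REQUEST_HEADERS, "Referrer", "contains", "example.com",
                                          action="ALLOW"))
```

The same evaluation shows why the transform list matters for detection: `bad%62ot` only equals `badbot` after URL decoding, `bad&#98;ot` only after HTML decoding, and `bad bot` only after whitespace removal, so a rule without the matching transform silently misses those variants.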
30. Match conditions: Strings and bytes
Base64 encoding can be used to detect malicious binaries.
bad.bin (first bytes, hex):
8950 4e47
0d0a 1a0a
0000 000d
1. Select the binary file
2. Base64 encode it
3. Set the match criteria to the encoded value: “iVBORw0KGgoAAAAN”
$> base64 bad.bin
iVBORw0KGgoAAAAN
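The three steps above (select the bytes, Base64-encode them, use the result as the match value) as an added example that is not from the slides or from AWS WAF. The 12 bytes are constructed from the hex shown on the slide; the `byte_match` function is an assumed model of how a byte match condition compares a request body against a Base64-supplied value, namely by decoding it back to raw bytes first.

```python
import base64

# Constructed sample: the first 12 bytes of the slide's bad.bin, taken from the
# hex dump on the slide (a PNG signature followed by the IHDR length field).
BAD_BIN_PREFIX = bytes.fromhex("89504e470d0a1a0a0000000d")


def byte_match_value(binary, length=None):
    """Steps 1 and 2: pick the leading bytes of a file and Base64-encode them.

    The encoding is only the way the value is written into the rule; the rule
    itself matches the raw bytes.
    """
    data = binary if length is None else binary[:length]
    return base64.b64encode(data).decode("ascii")


def byte_match(body, encoded_match, match_type="contains"):
    """Step 3 applied: evaluate a byte match condition against a request body.

    The stored value is decoded back to bytes, so the comparison is
    byte-for-byte against the body, not against its Base64 text.
    """
    target = base64.b64decode(encoded_match)
    if match_type == "contains":
        return target in body
    if match_type == "begins_with":
        return body.startswith(target)
    if match_type == "exact":
        return body == target
    raise ValueError(f"unsupported match type: {match_type}")


if __name__ == "__main__":
    match_value = byte_match_value(BAD_BIN_PREFIX)
    print("match criteria:", match_value)            # iVBORw0KGgoAAAAN, as on the slide
    upload = BAD_BIN_PREFIX + b"IHDR" + b"\x00" * 16  # constructed body that starts with bad.bin
    print("raw upload blocked:", byte_match(upload, match_value, "begins_with"))
    print("base64 text in body:", byte_match(match_value.encode(), match_value))
```

Two things the steps alone do not show: a prefix whose length is not a multiple of three ends in `=` padding (8 bytes give `iVBORw0KGgo=`), which is fine because the value is decoded before matching; and a body that carries the file as Base64 text rather than raw bytes does not match, so if an upload path encodes its payload, the body has to be decoded before this comparison is meaningful.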