// ExamRange

CSA (312-39) SOC Simulation Lab

Welcome to the SOC. In this interactive simulation, you will practice interpreting HTTP response codes within web server logs to diagnose application-layer (Layer 7) Denial of Service (DoS) attacks.

Scenario Context

You are an L2 SOC Analyst at a major retail organization. It's Black Friday, and your SIEM (QRadar) fires an alert: "High Application Error Rate on External ALB". Customer support is simultaneously flooded with complaints that the checkout page is timing out.

The Network Operations Center (NOC) claims it's not a volumetric DDoS because bandwidth utilization is normal. You query the AWS Application Load Balancer (ALB) access logs to see exactly how the web servers are responding to incoming traffic.

Security Environment

Review the snippet of the ALB access logs during the time of the reported outage.

# Fields: timestamp client_ip request_verb request_uri http_status response_time user_agent
2026-11-27T14:00:01Z 198.51.100.12 GET /checkout 200 0.05s "Mozilla/5.0..."
2026-11-27T14:00:02Z 203.0.113.45 GET /checkout 200 0.08s "Mozilla/5.0..."
2026-11-27T14:00:10Z 185.15.2.99 POST /api/v1/search?q=(complex_regex_payload) 500 15.4s "python-requests/2.25.1"
2026-11-27T14:00:11Z 185.15.2.99 POST /api/v1/search?q=(complex_regex_payload) 500 15.6s "python-requests/2.25.1"
2026-11-27T14:00:15Z 198.51.100.12 GET /checkout 503 30.0s "Mozilla/5.0..."
2026-11-27T14:00:16Z 203.0.113.45 GET /checkout 503 30.0s "Mozilla/5.0..."

Question

Identify the class of HTTP status codes that represents a server error.

A. 2XX (Success)
B. 4XX (Client Error)
C. 1XX (Informational)
D. 5XX (Server Error)

SOC Hint: Look at the logs. Normal traffic gets a 200. When the backend application crashes or cannot answer because its resources are exhausted, you see codes like 500 (Internal Server Error) and 503 (Service Unavailable).
Senior SOC Analyst Debrief

Situation Report

The logs point to a classic Layer 7 resource exhaustion attack, here a ReDoS (Regular Expression Denial of Service). A scripted client (user agent python-requests) repeatedly hit an unoptimized search API with a crafted regex payload. Each of those requests took over 15 seconds before the backend gave up with a 500 Internal Server Error, roughly 200 times longer than the sub-100 ms checkout requests a few seconds earlier, which is consistent with backend workers or CPU being pinned by pathological regex matching. Shortly afterwards the whole application pool locked up: the same two customer IPs that had just received 200s on /checkout now got 503 Service Unavailable after exactly 30.0 s, a round number that is the signature of a load balancer or upstream timeout rather than of the application answering.

Note that the lab's log format is simplified. A real ALB access log carries two separate fields, elb_status_code and target_status_code; when the target_status_code is "-" the load balancer itself generated the error because no healthy target accepted the connection, which is exactly what you expect once the pool has locked up. Always check which side produced the 5xx before blaming the application code.

Why Option D is Correct

5XX (Server Error). The 5xx class of status codes indicates that the server failed to fulfill an apparently valid request. Within the class, 500 usually means an unhandled exception in the application itself, 503 means the service has no capacity or no healthy backend to answer, and 504 means an upstream did not respond in time. In a SOC environment, a sudden, massive spike in 5xx codes is a critical Incident Response trigger: it often indicates a successful Denial of Service attack, a backend database crash, or a successful exploit (such as SQLi or a buffer overflow) that caused an unhandled application exception.

Why the Others Fail

B (4XX - Client Error): These codes (400, 401, 403, 404) mean the client made a mistake or asked for something it is not allowed to have. A spike in 404s from one source often means a vulnerability scanner (e.g., DirBuster) is hunting for hidden files and directories. A spike in 403s often means your WAF is actively blocking an attack. In both cases the server is still healthy enough to reject the bad requests; the 4xx is evidence of hostile activity, not of server failure.

A (2XX - Success): The request was successfully received, understood, and accepted (e.g., 200 OK).

C (1XX - Informational): Indicates a provisional response, consisting only of the Status-Line and optional headers, and is terminated by an empty line (e.g., 100 Continue).

Mini Lesson: Hunting with HTTP Status Codes

Senior analysts use HTTP status codes as primary threat hunting pivots in SIEM dashboards:

  • High volume of 404s from a single IP: Indicates web directory brute-forcing. Action: Block the IP at the WAF.
  • High volume of 401s / 403s on /login: Indicates credential stuffing or password brute force. Action: Implement rate limiting (and watch the ratio of 401s to 200s on that endpoint).
  • Sudden spike in 500s / 503s: Indicates a Layer 7 DoS (Slowloris, HTTP flood, ReDoS) or a critical backend failure. Action: Investigate backend health, check whether the 5xx came from the load balancer or the target, and isolate the clients sending abnormally slow or heavy queries.
  • Danger Pattern: A long string of 403s or 500s from an IP, suddenly followed by a 200 OK to a sensitive endpoint (e.g., /admin). This indicates the attacker finally found a working payload or valid credentials and gained access.
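The following is an added example, not part of the ExamRange lab, showing how the pivots above and the lab's own situation report can be expressed as detection logic. It runs over the six log lines from the exercise plus four constructed lines for a hypothetical client 203.0.113.77 against /admin, added only to exercise the "failures followed by a 200" rule; the field layout is the lab's simplified one, not the real ALB format, and the thresholds (5 s for a "slow" request, three failures before a success) are assumptions you would tune to your own baseline.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: the lab's six lines plus four invented 203.0.113.77 lines.
SAMPLE_LOG = """\
# Fields: timestamp client_ip request_verb request_uri http_status response_time user_agent
2026-11-27T14:00:01Z 198.51.100.12 GET /checkout 200 0.05s "Mozilla/5.0..."
2026-11-27T14:00:02Z 203.0.113.45 GET /checkout 200 0.08s "Mozilla/5.0..."
2026-11-27T14:00:10Z 185.15.2.99 POST /api/v1/search?q=(complex_regex_payload) 500 15.4s "python-requests/2.25.1"
2026-11-27T14:00:11Z 185.15.2.99 POST /api/v1/search?q=(complex_regex_payload) 500 15.6s "python-requests/2.25.1"
2026-11-27T14:00:15Z 198.51.100.12 GET /checkout 503 30.0s "Mozilla/5.0..."
2026-11-27T14:00:16Z 203.0.113.45 GET /checkout 503 30.0s "Mozilla/5.0..."
2026-11-27T14:00:20Z 203.0.113.77 GET /admin 403 0.01s "curl/8.0"
2026-11-27T14:00:21Z 203.0.113.77 GET /admin 403 0.01s "curl/8.0"
2026-11-27T14:00:22Z 203.0.113.77 GET /admin 403 0.01s "curl/8.0"
2026-11-27T14:00:23Z 203.0.113.77 GET /admin 200 0.12s "curl/8.0"
"""

# Matches the simplified field layout; the response time carries a trailing "s".
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<verb>[A-Z]+) (?P<uri>\S+) '
    r'(?P<status>\d{3}) (?P<rt>\d+(?:\.\d+)?)s "(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Parse log text into event dicts sorted by time; comments and malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "ts": datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "ip": d["ip"],
            "verb": d["verb"],
            "path": d["uri"].split("?", 1)[0],  # group by path, ignore the query string
            "status": int(d["status"]),
            "rt": float(d["rt"]),
            "ua": d["ua"],
        })
    return sorted(events, key=lambda e: e["ts"])


def status_class_counts(events):
    """Dashboard view: how many 2xx / 4xx / 5xx answers in the window."""
    return Counter(f"{e['status'] // 100}xx" for e in events)


def server_error_ratio(events):
    """Share of requests answered with a 5xx; a jump here is the IR trigger."""
    if not events:
        return 0.0
    return sum(1 for e in events if e["status"] >= 500) / len(events)


def first_server_error(events):
    """Earliest 5xx in the window: the first failure tells you where to start pivoting."""
    return next((e for e in events if e["status"] >= 500), None)


def heavy_query_sources(events, min_rt=5.0, min_count=2):
    """(ip, path) pairs that repeatedly drew slow 5xx answers: ReDoS / heavy-query suspects.
    Single slow failures (e.g. one customer's 30 s checkout timeout) fall below min_count."""
    c = Counter((e["ip"], e["path"]) for e in events
                if e["status"] >= 500 and e["rt"] >= min_rt)
    return {k: v for k, v in c.items() if v >= min_count}


def collateral_clients(events):
    """Clients that got a 200 on a path and later a 5xx on the same path:
    legitimate users caught by the outage rather than causing it."""
    seen_ok, hit = set(), set()
    for e in events:
        key = (e["ip"], e["path"])
        if e["status"] == 200:
            seen_ok.add(key)
        elif e["status"] >= 500 and key in seen_ok:
            hit.add(e["ip"])
    return hit


def danger_pattern(events, sensitive=("/admin",), min_failures=3):
    """Run of >= min_failures 403/5xx from one IP followed by a 200 on a sensitive path."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)  # events are already time-ordered
    hits = []
    for ip, evs in by_ip.items():
        streak = 0
        for e in evs:
            if e["status"] == 403 or e["status"] >= 500:
                streak += 1
            elif e["status"] == 200 and e["path"].startswith(sensitive) and streak >= min_failures:
                hits.append((ip, e["path"], streak))
                streak = 0
            else:
                streak = 0
    return hits


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("class counts:", dict(status_class_counts(ev)))
    print("5xx ratio:", round(server_error_ratio(ev), 2))
    print("first 5xx:", first_server_error(ev)["ip"], first_server_error(ev)["path"])
    print("heavy query sources:", heavy_query_sources(ev))
    print("collateral clients:", sorted(collateral_clients(ev)))
    print("danger pattern:", danger_pattern(ev))
```

The ordering of the checks mirrors the analyst's pivot: the class histogram and 5xx ratio say "something is wrong", the first 5xx and the heavy-query grouping say "this client on this path started it", the collateral set separates victims from the cause (so you do not block your own customers), and the danger-pattern rule covers the last bullet above. In a SIEM the same logic becomes group-by and sequence rules over elb_status_code, target_status_code and target_processing_time.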

Ready to level up your SOC skills?

Practice more real-world threat hunting and incident response scenarios based on the EC-Council CSA framework.

Explore More CSA Simulations