A hospital in Austin has hosted its web-based medical records portal entirely in Oracle Cloud Infrastructure (OCI) using compute instances for its web-tier and DB System database for its data tier. To validate compliance with Health Insurance Portability and Accountability (HIPAA), the hospital hired an IT security professional to check their systems. It was found that there were a lot of unauthorized requests coming from a set of IP addresses originating from a county in Southeast Asia. Which option can mitigate this type of attack? (Choose the best answer.) 

Answer options:

A. Block the attacking IP addresses by creating a Security List rule to deny access to the subnet where the web server is running.
B. Block the attacking IP addresses by creating a Network Security Group rule to deny access to the compute instance where the web server is running.
C. Implementing an OCI Web Application Firewall Bot Management policy to identify the attacking IP addresses and mitigate the threat.
D. Block the attacking IP addresses by implementing an OCI Web Application Firewall policy using Access Control Rules.

A