AWS WAF rate based rule

0

I have implemented waf security automation and as per this implementation if an user is trying to send more that 100 requests per 5 minute then that ip will be blocked.

I observed that user is trying to breach the threshold limit of rate based rule by sending less than 100 requests (lets say 95 or 85 or 80 requests) per 5 minutes.

How can we over come this issue and prevent attacker from breaching the threshold of rate based rule. is there any customized solution available for this issue ?

Thanks !

gefragt vor 7 Monaten549 Aufrufe
2 Antworten
1

Hello.

If an attacker is deliberately trying to stay below the threshold to avoid getting blocked by AWS WAF's rate-based rules, there are several additional strategies you can implement to identify and potentially block or rate-limit such behavior:

The most straightforward solution is to simply lower the threshold. If you observe patterns where users consistently send 80-95 requests per 5 minutes, lower the threshold to something like 60 or 70 requests.

Analyze Request Patterns: Look for patterns in the requests: Request Frequency: Are requests evenly spaced out, or do they come in bursts? User-Agents: Are they using known scraping tools, or perhaps all requests have the same or missing User-Agent? Request Content: Are they always requesting the same resources or sending the same POST data?

Instead of blocking, consider implementing a temporary allow-list. If a user exceeds a threshold, rather than blocking them, allow-list them for a certain period. If they continue to send requests at a high rate even when they're on the allow list, it's an indication they might be a bot and you can then consider blocking them.

Regards, Andrii

profile picture
EXPERTE
beantwortet vor 7 Monaten
profile picture
EXPERTE
überprüft vor 12 Tagen
  • is it possible to block device id of an user automatically if the user is violating the waf rule ?

0
Akzeptierte Antwort

Directly blocking a device ID based on WAF (Web Application Firewall) rule violations is not standard practice or built-in functionality for AWS WAF or most other WAFs.

profile picture
EXPERTE
beantwortet vor 7 Monaten
profile picture
EXPERTE
überprüft vor 12 Tagen
profile pictureAWS
EXPERTE
überprüft vor 7 Monaten

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen