Breach of WAS WAF rate based rule by Attacker


I am using AWS WAF WEB ACL for protecting my API. I have configured rate based WAF rules for http flooding but this rate based rule will only block if hit from an IP crossed 100 times within 5 minutes. But attacker is more clever and he is using around 12000 different IP's to breach the rate based rule.

Lets say within 5 minute he is using 5 different IP's to send 20 or 30 or 40 hits. but rate based rule is configured to block 100 hit from single IP within 5 minutes. How can we handle such scenarios during brute force attack.

Please do let me know if any customization can be done to handle such scenarios ?


demandé il y a 5 mois222 vues
2 réponses


I think the threshold of 100 times within 5 minutes is also quite low.
Even if it were possible to lower this even further, I think there is a possibility that normal requests would also be blocked.
For example, I think it would be possible to meet your requirements by creating a Lambda that automatically adds a specific IP address to the block list when it appears multiple times in the AWS WAF logs.

The answers below may be helpful.

profile picture
répondu il y a 5 mois

You may want to consider evaluating the Bot Control managed rule - there is a feature in Targeted Bot Control which seeks to identify anomalous behavior consistent with distributed, coordinated bot activity. See the launch announcement here. Beyond that, the various other features of Bot Control may help you to mitigate the attack activity through the use of Challenge and Captcha actions.

Alternatively, if you're able to identify characteristics of the attack traffic that distinguish it from good traffic, you could adjust your rate-based rule to use a custom key rather than the Source IP. See the launch announcement for this feature here

répondu il y a 4 mois

Vous n'êtes pas connecté. Se connecter pour publier une réponse.

Une bonne réponse répond clairement à la question, contient des commentaires constructifs et encourage le développement professionnel de la personne qui pose la question.

Instructions pour répondre aux questions