Breach of WAS WAF rate based rule by Attacker

0

I am using AWS WAF WEB ACL for protecting my API. I have configured rate based WAF rules for http flooding but this rate based rule will only block if hit from an IP crossed 100 times within 5 minutes. But attacker is more clever and he is using around 12000 different IP's to breach the rate based rule.

Lets say within 5 minute he is using 5 different IP's to send 20 or 30 or 40 hits. but rate based rule is configured to block 100 hit from single IP within 5 minutes. How can we handle such scenarios during brute force attack.

Please do let me know if any customization can be done to handle such scenarios ?

Thanks!!

2回答
0

Hello.

I think the threshold of 100 times within 5 minutes is also quite low.
Even if it were possible to lower this even further, I think there is a possibility that normal requests would also be blocked.
For example, I think it would be possible to meet your requirements by creating a Lambda that automatically adds a specific IP address to the block list when it appears multiple times in the AWS WAF logs.

The answers below may be helpful.
https://repost.aws/questions/QU9CfoIJjeQka1XPeRCYeDbg/ban-a-user-after-being-blocked-by-waf-rule#AN9cWF9MQbSa6_FJizICGqRw

profile picture
エキスパート
回答済み 5ヶ月前
0

You may want to consider evaluating the Bot Control managed rule - there is a feature in Targeted Bot Control which seeks to identify anomalous behavior consistent with distributed, coordinated bot activity. See the launch announcement here. Beyond that, the various other features of Bot Control may help you to mitigate the attack activity through the use of Challenge and Captcha actions.

Alternatively, if you're able to identify characteristics of the attack traffic that distinguish it from good traffic, you could adjust your rate-based rule to use a custom key rather than the Source IP. See the launch announcement for this feature here

AWS
エキスパート
Paul_L
回答済み 5ヶ月前

ログインしていません。 ログイン 回答を投稿する。

優れた回答とは、質問に明確に答え、建設的なフィードバックを提供し、質問者の専門分野におけるスキルの向上を促すものです。

質問に答えるためのガイドライン

関連するコンテンツ