How do I use AWS WAF to mitigate DDoS attacks?
I want to use AWS WAF web access control lists (web ACLs) to mitigate distributed denial of service (DDoS) attacks at the application layer.
Short description
To use AWS WAF as the primary mitigation against application-layer DDoS attacks, take the following actions:
- Use rate-based rules.
- Review existing rate-based rules, and lower the rate limit threshold to block bad requests.
- Query the AWS WAF logs to gather specific information about unauthorized activity.
- Create a geographic match rule to block bad requests from a country that isn't expected for your business.
- Create an IP set match rule to block bad requests.
- Create a string match rule to block bad requests.
- Create a regex match rule to block bad requests.
- Create a label match rule to block bad requests.
- Turn on Bot Control and use the targeted protection level.
For infrastructure-layer attacks, use AWS services such as Amazon CloudFront and Elastic Load Balancing (ELB) to provide automatic DDoS protection. For more information, see AWS best practices for DDoS resiliency. You can also use AWS Shield Advanced automatic application layer DDoS mitigation to mitigate sophisticated attacks at layers 3 through 7. To learn more, see Shield Advanced automatic application layer DDoS mitigation.
Resolution
Use rate-based rules
Create a blanket rate-based rule
Use a blanket rate-based rule to set a threshold for the number of requests that IP addresses can make to your web application.
Complete the following steps:
- Open the AWS WAF console.
- In the navigation pane, choose AWS WAF, and then choose Web ACLs.
- For Region, select the AWS Region where you created your web ACL.
Note: If your web ACL is set up for Amazon CloudFront, then select Global.
- Select your web ACL.
- Under Rules, choose Add Rules, and then choose Add my own rules and rule groups.
- To set up your rule, configure the following values:
For Rule Type, choose Rule builder.
For Name, enter a rule name.
For Type, choose Rate-based rule.
For Rate limit, enter a number between 100 and 20,000,000.
Note: If you're not sure what rate limit to set, then use the rule action to count and monitor your request patterns. Then, set a rate limit based on your baseline.
For Evaluation window, enter 1, 2, 5, or 10 minutes.
For IP address to use for rate limiting, select Source IP address or IP address in header.
For Rule Action, choose Block.
Note: After you submit a request rate change, you might experience a delay for AWS WAF to apply or remove the rule action.
For Scope of inspection, select Consider all requests.
- Choose Add rule.
- Choose Save.
Create a custom key (URI path) rate-based rule
Complete the following steps:
- Open the AWS WAF console.
- In the navigation pane, choose AWS WAF, and then choose Web ACLs.
- For Region, select the Region where you created your web ACL.
Note: If your web ACL is set up for CloudFront, then select Global.
- Select your web ACL.
- Under Rules, choose Add Rules, and then choose Add my own rules and rule groups.
- To set up your rule, configure the following values:
For Rule Type, choose Rule builder.
For Name, enter a rule name.
For Type, choose Rate-based rule.
For Rate limit, enter a number between 100 and 20,000,000.
Note: If you're not sure what rate limit to set, then use the rule action to count and monitor your request patterns. Then, set a rate limit based on your baseline.
For Request Aggregation, choose Custom keys.
For Request aggregation keys, select URI path.
For Text transformations, choose None.
For Criteria to count request towards rate limit, select Consider all requests.
For Rule Action, choose Block.
- Choose Add rule.
- For Set Rule Priority, select your rule, and then update its priority. For more information, see Processing order of rules and rule groups in a web ACL.
- Choose Save.
For more information, see The three most important AWS WAF rate-based rules.
Review existing rate-based rules, and lower the rate limit threshold to block bad requests
Modify an existing rate-based rule
Complete the following steps:
- Open the AWS WAF console.
- In the navigation pane, choose AWS WAF, and then choose Web ACLs.
- For Region, select the Region where you created your web ACL.
Note: If your web ACL is set up for CloudFront, then select Global.
- Select your web ACL.
- Choose Rules, and then select the rule that you want to update.
- Lower the Rate limit threshold as needed.
Note: To identify the number of requests that legitimate client IP addresses made, use the AWS WAF logs to analyze your traffic. This creates a traffic baseline. Don't set the limit threshold too low and block legitimate traffic.
- Set the Rule action to Block.
- Choose Save rule.
- Choose Next.
Narrow the scope of requests that your rate-based rule tracks
Complete the following steps:
- Open the AWS WAF console.
- In the navigation pane, choose AWS WAF, and then choose Web ACLs.
- For Region, select the Region where you created your web ACL.
Note: If your web ACL is set up for CloudFront, then select Global.
- Select your web ACL.
- Choose Rules, and then select the rule that you want to update.
- For Scope of inspection and rate limiting, select Only requests that match the criteria in rule statement.
Note: Scope of inspection and rate limiting statements work only when the request contains all the information that's specified in the rule. To inspect multiple values, use aggregation instances and counts.
- Create a statement that checks if the IP address is from a specific country:
For If a request, select matches all of the statements (AND).
For Inspect, select Originates from a country in.
For Country Codes, enter the countries that you want to inspect.
For IP address to use for rate limiting, if the IP address is from a client IP address, then select Source IP address. If the IP address is from a different header, then select IP address in header.
- Create a second statement that blocks specific bots:
For Inspect, select Single Header.
For Header field name, enter the name of the bot that you want to block as it appears in your AWS WAF logs.
For Match type, select Exactly matches string.
For String to match, enter the value of the bot that you want to block as it appears in your AWS WAF logs.
- Choose Save Rule.
- Choose Next.
Query the AWS WAF logs to gather specific information about unauthorized activity
Turn on AWS WAF logging. Then, query the AWS WAF logs to investigate DDoS scenarios.
You can use the following AWS services to query AWS WAF logs:
Use the Amazon Athena log parser or AWS Lambda log parser
AWS WAF has a minimum acceptable rate limit for rate-based rules. If you can't use rate-based rules because of low volume or you need a customizable block period, then use a log parser in Athena or Lambda. Both services are available in Security Automations for AWS WAF.
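The following added example (not from this article or from AWS) shows the two pieces of work the sections above describe: establishing a per-client baseline from AWS WAF logs before choosing a rate limit, and expressing the blanket and URI-path rate-based rules as the JSON that the console builds. The log records are constructed, the `rec` helper and `WINDOWS` set are assumptions, and the counting uses fixed windows rather than the sliding window AWS WAF evaluates, so it can understate a client's true peak.

```python
import json
from collections import defaultdict

WINDOWS = {60, 120, 300, 600}  # evaluation windows the console offers (1, 2, 5, 10 min)

def rec(ts_ms, ip, uri, country="US"):
    """Constructed AWS WAF log record using only the standard schema fields."""
    return {"timestamp": ts_ms, "action": "ALLOW",
            "httpRequest": {"clientIp": ip, "uri": uri, "country": country}}

T0 = 1_700_000_100_000  # epoch ms, chosen to sit on a 5-minute boundary
# Constructed sample: one browsing client plus one client hammering /login.
SAMPLE_LOGS = "\n".join(json.dumps(r) for r in
    [rec(T0 + i * 60_000, "198.51.100.5", "/home") for i in range(4)] +
    [rec(T0 + i * 1_000, "203.0.113.10", "/login") for i in range(150)])

def parse_waf_logs(text):
    """Parse newline-delimited WAF log JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def peak_per_key(records, window_sec, key="clientIp"):
    """Most requests one key value (client IP or URI path) made in any
    fixed window of window_sec; fixed buckets approximate WAF's sliding window."""
    if window_sec not in WINDOWS:
        raise ValueError(f"window must be one of {sorted(WINDOWS)}")
    counts = defaultdict(int)
    for r in records:
        counts[(r["httpRequest"][key], r["timestamp"] // 1000 // window_sec)] += 1
    peaks = defaultdict(int)
    for (k, _), n in counts.items():
        peaks[k] = max(peaks[k], n)
    return dict(peaks)

def above_limit(peaks, limit):
    """Keys whose observed peak would already trip a rule with this limit."""
    return sorted(k for k, n in peaks.items() if n >= limit)

def rate_based_rule(name, limit, window_sec, priority=0, uri_path_key=False):
    """JSON equivalent of the console rate-based rule, with the page's bounds."""
    if not 100 <= limit <= 20_000_000:
        raise ValueError("rate limit must be between 100 and 20,000,000")
    if window_sec not in WINDOWS:
        raise ValueError(f"window must be one of {sorted(WINDOWS)}")
    stmt = {"Limit": limit, "EvaluationWindowSec": window_sec, "AggregateKeyType": "IP"}
    if uri_path_key:  # Request aggregation: Custom keys -> URI path, transformation None
        stmt["AggregateKeyType"] = "CUSTOM_KEYS"
        stmt["CustomKeys"] = [{"UriPath": {"TextTransformations": [{"Priority": 0, "Type": "NONE"}]}}]
    return {"Name": name, "Priority": priority, "Action": {"Block": {}},
            "Statement": {"RateBasedStatement": stmt},
            "VisibilityConfig": {"SampledRequestsEnabled": True,
                                 "CloudWatchMetricsEnabled": True, "MetricName": name}}
```

Run `peak_per_key` over a real log export with the evaluation window you intend to use, set the limit comfortably above the legitimate clients' peaks, and start the rule in Count before switching it to Block.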
Create a geographic match rule statement to block bad requests from a country that isn't expected for your business
Complete the following steps:
- Open the AWS WAF console.
- In the navigation pane, choose AWS WAF, and then choose Web ACLs.
- For Region, select the Region where you created your web ACL.
Note: If your web ACL is set up for CloudFront, then select Global.
- Select your web ACL.
- Under Rules, choose Add Rules, and then choose Add my own rules and rule groups.
- For Name, enter a rule name, and then choose Regular Rule.
- For Request options, choose originates from a country in, and then choose the country codes that you want to block.
- For Rule action, choose Block.
- Choose Add rule.
For more information, see Geographic match rule statements.
Create an IP set match rule to block bad requests from specific IP addresses
Complete the following steps:
- Create an IP set, and then add the IP addresses that you want to block.
- Open the AWS WAF console.
- In the navigation pane, choose AWS WAF, and then choose Web ACLs.
- For Region, select the Region where you created your web ACL.
Note: If your web ACL is set up for CloudFront, then select Global.
- Select your web ACL.
- Under Rules, choose Add Rules, and then choose Add my own rules and rule groups.
- For Name, enter a rule name, and then choose Regular Rule.
- Choose Create an IP match rule.
- For Request options, choose originates from an IP address in, and then choose your IP set.
- For Rule Action, choose Block.
- Choose Add Rule.
For more information, see IP set match rule statement.
Create a string match rule statement to block bad requests
Complete the following steps:
- Open the AWS WAF console.
- In the navigation pane, choose AWS WAF, and then choose Web ACLs.
- For Region, select the Region where you created your web ACL.
Note: If your web ACL is set up for CloudFront, then select Global.
- Select your web ACL.
- Choose Create a string match rule.
- To set up your rule, configure the following values:
For Inspect, select Header.
For Header field name, enter the name of the bot that you want to block as it appears in your AWS WAF logs.
For Match Type, select Exactly matches string.
For String to Match, enter the value of the bot that you want to block as it appears in your AWS WAF logs.
For Rule Action, choose Block.
- Choose Add Rule.
For more information, see String match rule statement.
Create a regex match rule statement to block bad requests
Complete the following steps:
- Open the AWS WAF console.
- In the navigation pane, choose AWS WAF, and then choose Web ACLs.
- For Region, select the Region where you created your web ACL.
Note: If your web ACL is set up for CloudFront, then select Global.
- Select your web ACL.
- Choose Create a string match rule.
- To set up your rule, configure the following values:
For Inspect, select URI path.
For Match type, select Matches regular expression.
For String to match, enter the regex that you want to block.
For Rule Action, choose Block.
- Choose Add Rule.
For more information, see Regex match rule statement.
Create a label match rule statement to block bad requests
Other rules, such as Amazon Managed Rules or custom rules, add labels to your web requests. Use these labels to inspect and limit incoming requests.
Note: You can block only against labels that are already in your AWS WAF system. To create a new label, set up a managed rule group or custom rule group with the label.
To create a label match rule statement to block bad requests, complete the following steps:
- Open the AWS WAF console.
- In the navigation pane, choose AWS WAF, and then choose Web ACLs.
- For Region, select the Region where you created your web ACL.
Note: If your web ACL is set up for CloudFront, then select Global.
- Select your web ACL.
- Under Rules, choose Add Rules, and then choose Add my own rules and rule groups.
- For Name, enter a rule name, and then choose Regular Rule.
- To set up your rule, configure the following values:
For If a request, select matches the statement.
For Match Scope, select Label.
For Match Key, enter all labels that you want to block.
- For Rule Action, choose Block.
- Choose Add Rule.
Turn on Bot Control and use the targeted protection level
The targeted protection level for AWS WAF Bot Control uses a combination of rate limiting and the CAPTCHA and Challenge actions to reduce bot activity. For information about targeted Bot Control pricing, see Case F on the AWS WAF Pricing page.
To turn on Bot Control and the Targeted protection level, complete the following steps:
- Open the AWS WAF console.
- In the navigation pane, choose AWS WAF, and then choose Web ACLs.
- For Region, select the AWS Region where you created your web ACL.
Note: If your web ACL is set up for CloudFront, then select Global.
- Select your web ACL, and then choose Add Managed Rule groups.
- Under AWS Managed Rule groups, for Paid rule groups, turn on Bot Control.
- Choose Edit, and then for Inspection level, select Targeted.
- Choose Save Rule.