
How do I use AWS WAF to mitigate DDoS attacks?


I want to use an AWS WAF protection pack to mitigate distributed denial of service (DDoS) attacks at the application layer.

Short description

To use AWS WAF as the primary mitigation against application-layer DDoS attacks, take the following actions:

  • Use rate-based rules.
  • Query the AWS WAF logs to gather specific information about unauthorized activity.
  • Create a geographic match rule to block bad requests from a country that isn't expected for your business.
  • Create an IP set match rule to block bad requests.
  • Create a string match rule to block bad requests.
  • Create a regex match rule to block bad requests.
  • Turn on Bot Control and use the targeted protection level.
  • Use the Amazon IP reputation list managed rule group.

For infrastructure-layer attacks, use AWS services such as Amazon CloudFront and Elastic Load Balancing (ELB), which provide automatic DDoS protection. For more information, see AWS best practices for DDoS resiliency. You can also use AWS Shield Advanced automatic application layer DDoS mitigation against sophisticated attacks across layers 3-7. To learn more, see Automating application layer DDoS mitigation with Shield Advanced.

Resolution

Use rate-based rules

Create a blanket rate-based rule

Use a blanket rate-based rule to set a threshold for the number of requests that IP addresses can make to your web application.

Complete the following steps:

  1. Open the AWS WAF console.
  2. For Region, choose the AWS region where you created your protection pack.
  3. In the navigation pane, choose Resources & protection packs.
  4. On the right side of the protection pack, select the icon next to the region name to choose the protection pack.
  5. In your selected protection pack, select Rules.
  6. Select View and edit next to Rules to view or modify the rules associated with your protection pack.
  7. In the right pane, for Manage rules, choose Add rules.
  8. Choose Custom rule and select Next.
  9. Choose Rate based rule and select Next.
  10. To set up your rule, configure the following values:
    For Action, select Block.
    For Name, enter a rule name.
    For Rate limit, enter a number between 10 and 2,000,000,000.
    Note: If you're not sure what rate limit to set, then set the rule action to Count and monitor your request patterns. Then, set a rate limit based on your baseline.
    For Evaluation window, enter 1, 2, 5, or 10 minutes.
    In the Rule configuration block dropdown:
    For IP address to use for rate limiting, select Source IP address or IP address in header.
    Note: After you submit a request rate change, you might experience a delay before AWS WAF applies or removes the rule action.
    For Scope of inspection, select Consider all requests.
  11. Select Create Rule.

Create a custom key (URI path) rate-based rule

Complete the following steps:

  1. Open the AWS WAF console.
  2. For Region, choose the AWS region where you created your protection pack.
  3. In the navigation pane, choose Resources & protection packs.
  4. On the right side of the protection pack, select the icon next to the region name to choose the protection pack.
  5. In your selected protection pack, select Rules.
  6. Select View and edit next to Rules to view or modify the rules associated with your protection pack.
  7. In the right pane, for Manage rules, choose Add rules.
  8. Choose Custom rule and select Next.
  9. Choose Rate based rule and select Next.
  10. To set up your rule, configure the following values:
    For Action, select Block.
    For Name, enter a rule name.
    For Rate limit, enter a number between 10 and 2,000,000,000.
    Note: If you're not sure what rate limit to set, then set the rule action to Count and monitor your request patterns. Then, set a rate limit based on your baseline.
    For Evaluation window, enter 1, 2, 5, or 10 minutes.
    In the Rule configuration block dropdown, select Custom keys.
  11. For Request aggregation keys, select URI path.
  12. For Text transformations, choose None.
    Note: After you submit a request rate change, you might experience a delay before AWS WAF applies or removes the rule action.
    For Scope of inspection, select Consider all requests.
  13. Select Create Rule.

For more information, see The three most important AWS WAF rate-based rules.
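As an added illustration (not code from the AWS page), here are the two rate-based rules from the procedures above expressed in the JSON rule form that the wafv2 API and the console's rule JSON editor accept, with the console's rate-limit range and evaluation-window choices checked before the rule is submitted. Rule names, priorities and thresholds are constructed values.

```python
VALID_WINDOWS_SEC = {60, 120, 300, 600}     # 1, 2, 5 or 10 minutes
MIN_LIMIT, MAX_LIMIT = 10, 2_000_000_000    # range the console accepts

def _window_sec(limit, window_minutes):
    """Validate the console constraints before the API call rejects them."""
    if not MIN_LIMIT <= limit <= MAX_LIMIT:
        raise ValueError(f"rate limit {limit} outside {MIN_LIMIT}..{MAX_LIMIT}")
    if window_minutes * 60 not in VALID_WINDOWS_SEC:
        raise ValueError("evaluation window must be 1, 2, 5 or 10 minutes")
    return window_minutes * 60

def _rule(name, priority, rate_stmt, block):
    # Count instead of Block while establishing a baseline, as advised above.
    return {"Name": name, "Priority": priority,
            "Statement": {"RateBasedStatement": rate_stmt},
            "Action": {"Block": {}} if block else {"Count": {}},
            "VisibilityConfig": {"SampledRequestsEnabled": True,
                                 "CloudWatchMetricsEnabled": True,
                                 "MetricName": name}}

def blanket_rate_rule(name, priority, limit, window_minutes, block=True,
                      forwarded_header=None):
    """Blanket rule: limit per source IP, or per IP taken from a header such
    as X-Forwarded-For when requests arrive through a proxy."""
    stmt = {"Limit": limit,
            "EvaluationWindowSec": _window_sec(limit, window_minutes),
            "AggregateKeyType": "IP"}
    if forwarded_header:
        stmt["AggregateKeyType"] = "FORWARDED_IP"
        # NO_MATCH: a request without the header is neither counted nor blocked.
        stmt["ForwardedIPConfig"] = {"HeaderName": forwarded_header,
                                     "FallbackBehavior": "NO_MATCH"}
    return _rule(name, priority, stmt, block)

def uri_path_rate_rule(name, priority, limit, window_minutes, block=True):
    """Custom-key rule keyed on URI path alone: all requests to a path are
    counted together regardless of source, so a flood spread over many IPs
    still trips the limit (and blocking then affects every client of that path)."""
    stmt = {"Limit": limit,
            "EvaluationWindowSec": _window_sec(limit, window_minutes),
            "AggregateKeyType": "CUSTOM_KEYS",
            "CustomKeys": [{"UriPath": {"TextTransformations": [
                {"Priority": 0, "Type": "NONE"}]}}]}
    return _rule(name, priority, stmt, block)
```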

Query the AWS WAF logs to gather specific information about unauthorized activity

Turn on AWS WAF logging. Then, query the AWS WAF logs to investigate DDoS scenarios.

You can use the following AWS services to query AWS WAF logs:

Use the Amazon Athena log parser or AWS Lambda log parser

AWS WAF has a minimum acceptable rate limit for rate-based rules. If you can't use rate-based rules because of low volume or you need a customizable block period, then use a log parser in Athena or Lambda. Both services are available in Security Automations for AWS WAF.
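As an added example (not the Security Automations log parser itself, and not code from the AWS page), this small Python parser over AWS WAF JSON log records does what the Athena and Lambda parsers are used for here: it counts requests per client IP per window, returns the IPs over a threshold with a customizable block expiry, and lists the top URI and User-Agent values that the string and regex match rules later in this article are built from. The log records are constructed and use documentation IP ranges.

```python
import json
from collections import Counter

def parse_records(lines):
    """AWS WAF writes one JSON object per log line; timestamp is epoch ms."""
    return [json.loads(l) for l in lines if l.strip()]

def header(rec, name):
    # WAF logs keep the client's header casing, so compare case-insensitively.
    for h in rec["httpRequest"].get("headers", []):
        if h["name"].lower() == name.lower():
            return h["value"]
    return None

def offending_ips(records, threshold, window_sec, block_sec):
    """Requests per client IP in fixed windows of window_sec seconds; returns
    {ip: block_until_epoch_s} for IPs over threshold (block_sec = custom block period)."""
    counts = Counter()
    for rec in records:
        bucket = (rec["timestamp"] // 1000) // window_sec
        counts[(rec["httpRequest"]["clientIp"], bucket)] += 1
    blocks = {}
    for (ip, bucket), n in counts.items():
        if n > threshold:
            expiry = (bucket + 1) * window_sec + block_sec
            blocks[ip] = max(blocks.get(ip, 0), expiry)
    return blocks

def top_values(records, key_fn, n=3):
    """Most common URI / User-Agent / country values: the pivots used to pick
    a string, regex or geo match rule from the logs."""
    return Counter(v for v in map(key_fn, records) if v).most_common(n)

def analyze(log_text, threshold=10, window_sec=60, block_sec=600):
    recs = parse_records(log_text.splitlines())
    return {"blocks": offending_ips(recs, threshold, window_sec, block_sec),
            "top_uris": top_values(recs, lambda r: r["httpRequest"]["uri"]),
            "top_agents": top_values(recs, lambda r: header(r, "User-Agent"))}

def _rec(ts_ms, ip, uri, ua):
    # Constructed sample record (documentation IP ranges), not real traffic.
    return json.dumps({"timestamp": ts_ms, "action": "ALLOW", "httpRequest": {
        "clientIp": ip, "country": "US", "uri": uri, "httpMethod": "GET",
        "headers": [{"name": "user-agent", "value": ua}]}})

SAMPLE_LOG = "\n".join(
    [_rec(1_700_000_000_000 + i * 100, "203.0.113.7", "/login", "BadBot/1.0")
     for i in range(12)] +
    [_rec(1_700_000_000_000 + i * 1000, "198.51.100.2", "/", "Mozilla/5.0")
     for i in range(3)])
```

Running `analyze(SAMPLE_LOG)` flags only 203.0.113.7 (12 requests in one 60-second window) and shows `/login` and `BadBot/1.0` as the top pivots, the values you would then put into the string or regex match rules.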

Create a geographic match rule statement to block bad requests from a country that isn't expected for your business

Complete the following steps:

  1. Open the AWS WAF console.
  2. For Region, choose the AWS region where you created your protection pack.
  3. In the navigation pane, choose Resources & protection packs.
  4. On the right side of the protection pack, select the icon next to the region name to choose the protection pack.
  5. In your selected protection pack, select Rules.
  6. Select View and edit next to Rules to view or modify the rules associated with your protection pack.
  7. In the right pane, for Manage rules, choose Add rules.
  8. Select Geo-based rule.
  9. To set up your rule, configure the following values:
    For Rule action, choose Block.
    For Name, enter a rule name.
    Under Statement, choose the country codes that you want to block.
  10. Select Create Rule.

For more information, see Geographic match rule statement.

Create an IP set match rule to block bad requests from specific IP addresses

Complete the following steps:

  1. Open the AWS WAF console.
  2. For Region, choose the AWS region where you created your protection pack.
  3. In the navigation pane, choose Resources & protection packs.
  4. On the right side of the protection pack, select the icon next to the region name to choose the protection pack.
  5. In your selected protection pack, select Rules.
  6. Select View and edit next to Rules to view or modify the rules associated with your protection pack.
  7. In the right pane, for Manage rules, choose Add rules.
  8. Choose IP based rule and select Next.
  9. To set up your rule, configure the following values:
    For Rule action, choose Block.
    For Name, enter a rule name.
    Under Statement, activate Use existing IP set, and then choose the IP set.
  10. Select Create Rule.

For more information, see IP set match rule statement.

Create a string match rule statement to block bad requests

Complete the following steps:

  1. Open the AWS WAF console.
  2. For Region, choose the AWS region where you created your protection pack.
  3. In the navigation pane, choose Resources & protection packs.
  4. On the right side of the protection pack, select the icon next to the region name to choose the protection pack.
  5. In your selected protection pack, select Rules.
  6. Select View and edit next to Rules to view or modify the rules associated with your protection pack.
  7. In the right pane, for Manage rules, choose Add rules.
  8. Choose Custom rule and select Next.
  9. Choose Custom rule again and select Next.
  10. For Rule action, choose Block.
  11. To set up your rule, configure the following values:
    For Name, enter a rule name.
    For If the request, select match the statement.
    For Inspect, choose Header.
    For Header field name, enter the name of the bot that you want to block, as it appears in your AWS WAF logs.
    For Match type, select Exactly matches string.
    For String to match, enter the value of the bot that you want to block, as it appears in your AWS WAF logs.
  12. Select Create Rule.

For more information, see String match rule statement.

Create a regex match rule statement to block bad requests

Complete the following steps:

  1. Open the AWS WAF console.
  2. For Region, choose the AWS region where you created your protection pack.
  3. In the navigation pane, choose Resources & protection packs.
  4. On the right side of the protection pack, select the icon next to the region name to choose the protection pack.
  5. In your selected protection pack, select Rules.
  6. Select View and edit next to Rules to view or modify the rules associated with your protection pack.
  7. In the right pane, for Manage rules, choose Add rules.
  8. Choose Custom rule and select Next.
  9. Choose Custom rule again and select Next.
  10. To set up your rule, configure the following values:
    For Rule action, choose Block.
    For Name, enter a rule name.
    For If the request, select match the statement.
    For Inspect, choose URI path.
    For Match type, select Matches regular expression.
    For String to match, enter the regex that you want to block.
    For Rule action, choose Block.
  11. Select Create Rule.

For more information, see Regex match rule statement.

Turn on Bot Control and use the targeted protection level

The targeted protection level for AWS WAF Bot Control uses a combination of rate limiting, CAPTCHA, and Challenge actions to decrease bot activity. For information about targeted Bot Control pricing, see Case F on the AWS WAF Pricing page.

To turn on Bot Control and the Targeted protection level, complete the following steps:

  1. Open the AWS WAF console.
  2. For Region, choose the AWS region where you created your protection pack.
  3. In the navigation pane, choose Resources & protection packs.
  4. On the right side of the protection pack, select the icon next to the region name to choose the protection pack.
  5. In your selected protection pack, select Rules.
  6. Select View and edit next to Rules to view or modify the rules associated with your protection pack.
  7. In the right pane, for Manage rules, choose Add rules.
  8. Choose AWS-managed rule group and select Next.
  9. Under Paid, select Bot Control rule group.
  10. Under Inspection level, select Targeted.
  11. Select Create rule.

Use the Amazon IP reputation list managed rule group

The AWSManagedIPReputationList managed rule group uses Amazon internal threat intelligence to identify IP addresses that have actively engaged in DDoS activities.

To turn on the Amazon IP reputation list managed rule group, complete the following steps:

  1. Open the AWS WAF console.
  2. For Region, choose the AWS region where you created your protection pack.
  3. In the navigation pane, choose Resources & protection packs.
  4. On the right side of the protection pack, select the icon next to the region name to choose the protection pack.
  5. In your selected protection pack, select Rules.
  6. Select View and edit next to Rules to view or modify the rules associated with your protection pack.
  7. In the right pane, for Manage rules, choose Add rules.
  8. Choose AWS-managed rule group and select Next.
  9. Under Free rules, select AmazonIpReputationList.
  10. Select Create rule.