
How can I use AWS WAF to help prevent brute force login attacks?


I want to use AWS WAF to protect against brute force login attacks.

Resolution

The following AWS WAF features help prevent brute force login attacks:

  • Rate-based rules
  • CAPTCHA puzzles
  • AWS WAF Fraud Control account takeover prevention (ATP) managed rule group
  • Security Automations for AWS WAF

Rate-based rules

To block requests when the request rate is higher than expected, create a rate-based rule statement. To establish the threshold for a rate-based rule, turn on AWS WAF logging. Then, depending on your logging destination, use Amazon Athena or Amazon CloudWatch Logs Insights to analyze your logs and find the request rates that legitimate clients reach.

You can also create a rate-based rule statement that's specific to a URI path, such as /login. Brute force attacks typically target login pages to gain access to account credentials. Different pages on a website might receive different rates of requests. For example, a home page might receive a higher rate of traffic compared to a login page.

After you establish a threshold, use the following scope-down statement to create a rate-based rule statement that's specific to your login page:

  • For Inspect Request, choose URI path.
  • For Match type, choose Starts with string.
  • For String to match, enter /login.

CAPTCHA puzzles

CAPTCHA puzzles can help prevent the following attacks:

  • Brute force attacks from bots
  • Credential stuffing
  • Web scraping
  • Spam requests to servers

When you create a rule with the CAPTCHA action, users must first complete the CAPTCHA before they log in.

To set up CAPTCHA on your login page, use the following rule configuration:

  • For Inspect, choose URI path.
  • For Match Type, choose Starts with string.
  • For String to match, enter /login.
  • For Action, choose CAPTCHA.
  • For Immunity time, choose Time in seconds.
    Note: To help prevent brute force attacks from a human, set a low immunity time.
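The two rule definitions described above, as an added example that is not part of the original article or of AWS's own tooling: a short Python script that first measures peak per-IP request rates to /login from AWS WAF log records (the analysis the article suggests doing in Athena or CloudWatch Logs Insights), then emits the rate-based rule with its /login scope-down statement and the CAPTCHA rule with an immunity time, in AWS WAF rule JSON. The log records, IP addresses, rule names and metric names are constructed; the 100-request floor used for the rate limit is an assumed value for AWS WAF's minimum Limit, and the immunity-time bounds follow the API's documented range.

```python
"""Added example: derive a rate-based rule threshold for /login from AWS WAF
logs, then emit the rate-based and CAPTCHA rule definitions in AWS WAF JSON.
The log records below are constructed for illustration, not real traffic."""
import json
import math
from collections import defaultdict

LOGIN_PREFIX = "/login"
WINDOW_SECONDS = 300  # rate-based rules count per aggregation key over a 5-minute trailing window
_BASE_MS = 1_700_000_000_000  # constructed epoch-millisecond base timestamp


def _rec(ip, uri, offset_s):
    """Minimal AWS WAF log record (real field names, constructed values)."""
    return {"timestamp": _BASE_MS + offset_s * 1000, "action": "ALLOW",
            "httpRequest": {"clientIp": ip, "uri": uri, "httpMethod": "POST"}}


# Constructed WAF log records: one client hammers /login, one browses normally,
# one hits a sub-path of /login, and one request falls outside the 5-minute window.
SAMPLE_WAF_LOGS = (
    [_rec("198.51.100.7", "/login", t) for t in (0, 10, 20, 30, 40, 50)]
    + [_rec("198.51.100.7", "/login", 1200)]
    + [_rec("203.0.113.9", "/login", 5), _rec("203.0.113.9", "/", 15),
       _rec("203.0.113.9", "/login", 25), _rec("203.0.113.9", "/", 35)]
    + [_rec("192.0.2.10", "/login/forgot", 12)]
)


def peak_login_requests_per_ip(records, window_seconds=WINDOW_SECONDS):
    """Return {clientIp: max requests to LOGIN_PREFIX* within any trailing window}.
    STARTS_WITH matching also covers sub-paths such as /login/forgot."""
    per_ip = defaultdict(list)
    for r in records:
        if r["httpRequest"]["uri"].startswith(LOGIN_PREFIX):
            per_ip[r["httpRequest"]["clientIp"]].append(r["timestamp"] / 1000)
    peaks = {}
    for ip, times in per_ip.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):  # two-pointer sliding window
            while t - times[start] >= window_seconds:
                start += 1
            best = max(best, end - start + 1)
        peaks[ip] = best
    return peaks


def suggest_limit(legit_peak, headroom=2.0, floor=100):
    """Pick a Limit above the highest peak seen from legitimate clients.
    `floor` is an assumed value for AWS WAF's minimum Limit; check the current quota."""
    return max(floor, math.ceil(legit_peak * headroom))


def login_scope_down():
    """ByteMatch statement for 'URI path starts with /login'. The console JSON
    editor takes SearchString as plain text; the CLI/API expect it base64-encoded."""
    return {"ByteMatchStatement": {
        "SearchString": LOGIN_PREFIX,
        "FieldToMatch": {"UriPath": {}},
        "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
        "PositionalConstraint": "STARTS_WITH"}}


def _visibility(metric):
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
            "MetricName": metric}


def rate_based_login_rule(limit, priority=0):
    """Block an IP that exceeds `limit` requests to /login* in the window."""
    return {"Name": "RateLimitLogin", "Priority": priority,
            "Statement": {"RateBasedStatement": {
                "Limit": limit, "AggregateKeyType": "IP",
                "ScopeDownStatement": login_scope_down()}},
            "Action": {"Block": {}}, "VisibilityConfig": _visibility("RateLimitLogin")}


def captcha_login_rule(immunity_time_seconds, priority=1):
    """Serve a CAPTCHA on /login*; a low immunity time forces frequent re-solves."""
    if not 60 <= immunity_time_seconds <= 259200:  # documented ImmunityTime range
        raise ValueError("ImmunityTime must be between 60 and 259200 seconds")
    return {"Name": "CaptchaLogin", "Priority": priority,
            "Statement": login_scope_down(),
            "Action": {"Captcha": {}},
            "CaptchaConfig": {"ImmunityTimeProperty": {"ImmunityTime": immunity_time_seconds}},
            "VisibilityConfig": _visibility("CaptchaLogin")}


if __name__ == "__main__":
    peaks = peak_login_requests_per_ip(SAMPLE_WAF_LOGS)
    print("peak /login requests per IP in any 5-minute window:", peaks)
    # In a real review you pick the peak of the clients you judge legitimate.
    limit = suggest_limit(peaks["203.0.113.9"])
    print(json.dumps([rate_based_login_rule(limit), captcha_login_rule(60)], indent=2))
```

Running the script prints the measured peaks and both rules. The peak measurement applies the same prefix test as the scope-down statement on purpose: whatever the rule will count is what you should size the limit against, sub-paths included.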

For more information, see Best practices for using the CAPTCHA and Challenge actions.

ATP managed rule group

To inspect malicious requests that try to take over accounts on your application, use the ATP managed rule group. Brute force login attacks, for example, use trial and error to guess credentials and gain unauthorized access to an account.

The ATP managed rule group contains predefined rules that provide visibility and control over unexpected requests and login attempts.

To inspect requests, use the following subset of rules in the ATP managed rule group:

  • VolumetricIpHigh: High volumes of requests that individual IP addresses send.
  • AttributePasswordTraversal: Attempts that use password traversal.
  • AttributeLongSession: Attempts that use long-lasting sessions.
  • AttributeUsernameTraversal: Attempts that use username traversal.
  • VolumetricSession: High volumes of requests that individual sessions send.
  • MissingCredential: Credentials that are missing.

For more information, see Account takeover prevention rules listing.

Security Automations for AWS WAF

To use an AWS CloudFormation template to deploy a web access control list (web ACL) with a set of rules, run Security Automations for AWS WAF.

When an unauthorized user tries to guess the correct credentials, the user receives an error response, such as 401 Unauthorized. The Scanners and probes rule blocks requests from an IP address that repeatedly receives a specific response code. When you turn on this rule, Security Automations for AWS WAF deploys an AWS Lambda function or an Athena query that checks your access logs for HTTP response codes. Set a threshold for how many times requests from one IP address can receive the same error code, and set how long the rule blocks requests from addresses that exceed the threshold.
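Added example, not from the article or from the Security Automations solution: a Python model of the Scanners and probes logic over constructed Application Load Balancer access log lines, showing how the error-code threshold and the block period together decide which client IPs get blocked and for how long. The log lines, IP addresses and timestamps are constructed; the solution itself performs this check with a Lambda function or an Athena query against your real logs.

```python
"""Added example: model the Scanners and probes logic. A client IP that keeps
receiving the same error status code inside a trailing window is put on a block
list for a fixed duration. The ALB access log lines below are constructed."""
import shlex
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def _alb_line(ts, ip, status, request):
    """Constructed ALB access log line using the real order of the first 13 fields."""
    return (f'https {ts} app/web-alb/0123456789abcdef {ip}:51234 10.0.1.20:443 '
            f'0.001 0.004 0.000 {status} {status} 312 245 "{request}"')


LOGIN = "POST https://www.example.com:443/login HTTP/1.1"
SAMPLE_ALB_LOGS = (
    # six failed logins in under a minute from one client
    [_alb_line(f"2024-01-15T12:00:{s:02d}.000000Z", "198.51.100.7", 401, LOGIN)
     for s in range(0, 60, 10)]
    # two failures then a success from a normal user
    + [_alb_line("2024-01-15T12:01:00.000000Z", "203.0.113.9", 401, LOGIN),
       _alb_line("2024-01-15T12:01:20.000000Z", "203.0.113.9", 401, LOGIN),
       _alb_line("2024-01-15T12:01:45.000000Z", "203.0.113.9", 200, LOGIN)]
    # five failures spread over half an hour: never five inside one window
    + [_alb_line(f"2024-01-15T12:{m:02d}:00.000000Z", "192.0.2.33", 401, LOGIN)
       for m in (0, 8, 16, 24, 32)]
)


def parse_alb_line(line):
    """Extract time, client IP, ELB status code and request line from an ALB log line."""
    f = shlex.split(line)  # honours the quoted request field
    return {
        "time": datetime.strptime(f[1], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc),
        "client_ip": f[3].rsplit(":", 1)[0],
        "elb_status": int(f[8]),
        "request": f[12],
    }


def find_offenders(lines, error_code=401, threshold=5,
                   window=timedelta(minutes=5), block_for=timedelta(hours=1)):
    """Return {client_ip: blocked_until} for IPs that received `error_code` at
    least `threshold` times inside any trailing `window`. `threshold` and
    `block_for` play the role of the error threshold and block period you
    configure for the Scanners and probes rule."""
    errors = defaultdict(list)
    for line in lines:
        rec = parse_alb_line(line)
        if rec["elb_status"] == error_code:
            errors[rec["client_ip"]].append(rec["time"])
    blocked = {}
    for ip, times in errors.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # two-pointer sliding window
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                blocked[ip] = t + block_for  # block starts at the request that crossed the line
                break
    return blocked


def is_blocked(blocked, ip, at):
    """True if `ip` is still on the block list at time `at`."""
    return ip in blocked and at < blocked[ip]


if __name__ == "__main__":
    for ip, until in find_offenders(SAMPLE_ALB_LOGS).items():
        print(f"{ip} blocked until {until.isoformat()}")
```

The third client in the sample shows why the window matters: five 401s spread over thirty minutes never reach the threshold, so a slow guesser is not caught by this rule alone, which is one reason the article pairs it with rate-based rules, CAPTCHA and the ATP rule group.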

Related information

Using rate-based rule statements in AWS WAF

AWS OFFICIAL. Updated 5 months ago.