Breach of WAS WAF rate based rule by Attacker


I am using AWS WAF WEB ACL for protecting my API. I have configured rate based WAF rules for http flooding but this rate based rule will only block if hit from an IP crossed 100 times within 5 minutes. But attacker is more clever and he is using around 12000 different IP's to breach the rate based rule.

Lets say within 5 minute he is using 5 different IP's to send 20 or 30 or 40 hits. but rate based rule is configured to block 100 hit from single IP within 5 minutes. How can we handle such scenarios during brute force attack.

Please do let me know if any customization can be done to handle such scenarios ?


질문됨 5달 전222회 조회
2개 답변


I think the threshold of 100 times within 5 minutes is also quite low.
Even if it were possible to lower this even further, I think there is a possibility that normal requests would also be blocked.
For example, I think it would be possible to meet your requirements by creating a Lambda that automatically adds a specific IP address to the block list when it appears multiple times in the AWS WAF logs.

The answers below may be helpful.

profile picture
답변함 5달 전

You may want to consider evaluating the Bot Control managed rule - there is a feature in Targeted Bot Control which seeks to identify anomalous behavior consistent with distributed, coordinated bot activity. See the launch announcement here. Beyond that, the various other features of Bot Control may help you to mitigate the attack activity through the use of Challenge and Captcha actions.

Alternatively, if you're able to identify characteristics of the attack traffic that distinguish it from good traffic, you could adjust your rate-based rule to use a custom key rather than the Source IP. See the launch announcement for this feature here

답변함 4달 전

로그인하지 않았습니다. 로그인해야 답변을 게시할 수 있습니다.

좋은 답변은 질문에 명확하게 답하고 건설적인 피드백을 제공하며 질문자의 전문적인 성장을 장려합니다.

질문 답변하기에 대한 가이드라인