AWS WAF rate-based rule

0

I have implemented WAF security automation, and as per this implementation, if a user tries to send more than 100 requests per 5 minutes, that IP will be blocked.

I observed that a user is trying to get around the threshold of the rate-based rule by sending fewer than 100 requests (let's say 95, 85, or 80 requests) per 5 minutes.

How can we overcome this issue and prevent an attacker from evading the threshold of the rate-based rule? Is there any customized solution available for this issue?

Thanks !

Asked 7 months ago, 360 views
2 answers
1

Hello.

If an attacker is deliberately trying to stay below the threshold to avoid getting blocked by AWS WAF's rate-based rules, there are several additional strategies you can implement to identify and potentially block or rate-limit such behavior:

The most straightforward solution is to simply lower the threshold. If you observe patterns where users consistently send 80-95 requests per 5 minutes, lower the threshold to something like 60 or 70 requests.

Analyze request patterns. Look for patterns in the requests:
  • Request frequency: Are requests evenly spaced out, or do they come in bursts?
  • User-Agents: Are they using known scraping tools, or perhaps all requests have the same or a missing User-Agent?
  • Request content: Are they always requesting the same resources or sending the same POST data?

Instead of blocking, consider implementing a temporary allow-list. If a user exceeds a threshold, rather than blocking them, allow-list them for a certain period. If they continue to send requests at a high rate even when they're on the allow list, it's an indication they might be a bot, and you can then consider blocking them.

Regards, Andrii

Expert, answered 7 months ago
Expert, reviewed 4 days ago
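The answer above lists the signals to look for in a client that stays just under the rate-based rule's threshold: the peak request count per 5-minute window, bursty timing, a missing User-Agent, and repeated requests for the same resource. The script below is an added example, not code from the thread or from AWS: it runs that analysis offline over a constructed log in a simplified `<timestamp> <ip> <uri> <user-agent>` format (real AWS WAF logs are JSON and would need a different parser). The 100-requests-per-5-minutes threshold is the one from the question; the 75% "near miss" ratio and the 10x gap rule for burstiness are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

THRESHOLD = 100                   # requests per 5 minutes, from the question
WINDOW = timedelta(minutes=5)
NEAR_MISS_RATIO = 0.75            # assumption: flag clients at >= 75% of threshold

# Constructed sample log lines: "<ISO timestamp> <client ip> <uri> <user-agent>"
_BASE = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_LOG = []
# client staying under the threshold: 90 requests, same URI, no User-Agent, three bursts
for _i in range(90):
    _t = _BASE + timedelta(seconds=(_i // 30) * 100 + (_i % 30))
    SAMPLE_LOG.append(f"{_t.isoformat()} 203.0.113.7 /api/search -")
# ordinary client: 20 evenly spaced requests, varied URIs, browser User-Agent
for _i in range(20):
    _t = _BASE + timedelta(seconds=_i * 15)
    SAMPLE_LOG.append(f"{_t.isoformat()} 198.51.100.4 /page/{_i % 5} Mozilla/5.0")


def parse_log(lines):
    """Parse the constructed log format into (timestamp, ip, uri, user_agent)."""
    records = []
    for line in lines:
        ts, ip, uri, ua = line.split(maxsplit=3)
        records.append((datetime.fromisoformat(ts), ip, uri, ua))
    return records


def max_requests_in_window(timestamps, window=WINDOW):
    """Largest number of requests by one client inside any sliding window.
    This is the quantity a rate-based rule compares against its threshold."""
    ts = sorted(timestamps)
    best, start = 0, 0
    for end in range(len(ts)):
        while ts[end] - ts[start] >= window:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(lines, threshold=THRESHOLD):
    """Per-client report with the signals the answer suggests looking at."""
    by_ip = defaultdict(list)
    for rec in parse_log(lines):
        by_ip[rec[1]].append(rec)
    report = {}
    for ip, recs in by_ip.items():
        times = sorted(r[0] for r in recs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        peak = max_requests_in_window(times)
        signals = {
            "max_5min": peak,
            # just under the threshold is exactly the pattern in the question
            "near_threshold": threshold * NEAR_MISS_RATIO <= peak < threshold,
            # bursts: one inter-request gap far larger than the typical gap
            "bursty": len(gaps) >= 2 and max(gaps) > 10 * median(gaps),
            # at least half the requests carry no User-Agent
            "missing_user_agent": sum(r[3] in ("-", "") for r in recs) >= len(recs) / 2,
            # many requests, all for one resource
            "single_resource": len(recs) >= 10 and len({r[2] for r in recs}) == 1,
        }
        signals["flags"] = [k for k, v in signals.items() if v is True]
        report[ip] = signals
    return report


if __name__ == "__main__":
    for ip, s in analyze(SAMPLE_LOG).items():
        print(ip, s["max_5min"], s["flags"])
```

Run over the constructed log, the first client peaks at 90 requests in 5 minutes and raises all four flags, while the ordinary client raises none. In practice you would feed the same checks with the web ACL's own logs and use the result to decide whether lowering the threshold, as the answer suggests, or a separate rule on the User-Agent or URI pattern is the better fit.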
  • Is it possible to block the device ID of a user automatically if the user is violating the WAF rule?

0
Accepted answer

Directly blocking a device ID based on WAF (Web Application Firewall) rule violations is not standard practice or built-in functionality for AWS WAF or most other WAFs.

Expert, answered 7 months ago
Expert, reviewed 4 days ago
AWS Expert, reviewed 7 months ago
