Block IP addresses in WAF if the client caused an excessive amount of 404 errors


Hi AWS Builders.

What are the options to block an IP address (or IP range) in the WAF if the client caused an excessive amount of 404 errors in a certain time period?

My setup contains a WAFv2 ACL attached to an Application LB, CloudFront, and a varying number of EC2 instances (auto-scaling). I understand that the WAF already features rate-based rules but these don't take the HTTP return codes into account. CloudWatch also offers a range of metrics and can trigger an alarm if 4xx errors exceed a certain threshold. However, I don't see an option to include client's IP addresses here.

The only way forward seems to be Athena to query the ELB logs in S3, but this sounds disproportionately complicated as I also have to build a solution that adds IP addresses to a block list in the WAF and removes them after some time.

Thanks, Yarpen

3 Answers

Since AWS WAF judges by request, we believe that the WAF function alone cannot judge by response.

As you are aware, querying the logs and blocking the IP address would be one way to do this.

answered a year ago

Hi Yarpen.

I may be wrong but I don't believe that is something WAF can do. From the documentation:

An AWS WAF rule defines how to inspect HTTP(S) web requests and the action to take on a request when it matches the inspection criteria. You define rules only in the context of a rule group or web ACL.

Based on that, note that WAF inspects web requests, not responses. It won't know that a request produced an HTTP 404 error.

You can define rules that inspect for criteria like the following:

  • Scripts that are likely to be malicious. Attackers embed scripts that can exploit vulnerabilities in web applications. This is known as cross-site scripting (XSS).
  • IP addresses or address ranges that requests originate from.
  • Country or geographical location that requests originate from.
  • Length of a specified part of the request, such as the query string.
  • SQL code that is likely to be malicious. Attackers try to extract data from your database by embedding malicious SQL code in a web request. This is known as SQL injection.
  • Strings that appear in the request, for example, values that appear in the User-Agent header or text strings that appear in the query string. You can also use regular expressions (regex) to specify these strings.
  • Labels that prior rules in the web ACL have added to the request.

In addition to statements with web request inspection criteria, like the ones in the preceding list, AWS WAF supports logical statements for AND, OR, and NOT that you use to combine statements in a rule.

For example, based on recent requests that you've seen from an attacker, you might create a rule with a logical AND statement that combines the following nested statements:

  • The requests come from
  • They contain the value BadBot in the User-Agent header.
  • They appear to include SQL-like code in the query string.

What I think can work is: set up a CloudWatch Alarm for your desired 4xx error threshold and consume the alarms from EventBridge. Use EventBridge to trigger a Lambda function that examines the event and adjusts the web ACL to block the IP addresses.

I hope this helps.

answered a year ago
  • Thanks for your reply, Jose. I understand that the WAF is not able to inspect responses but I don't understand how a CloudWatch alarm consumed by EventBridge could help.

    The CloudWatch alarm event contains the information that a certain threshold of, for example, 4xx errors has been exceeded. The event, however, does not contain any details about the clients' IP addresses, which I could pass to Lambda to update the WAF ACL. Where do I get this information from?

    Thanks Yarpen

  • My apologies, you are correct.


To do this, you will have to rely on log analysis. Take a look at the Security Automations for AWS WAF solution. It includes a log parsing component which would align to what you're trying to do, and will potentially save you some time trying to build it yourself.

answered a year ago
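A worked example of the log-analysis route this answer points to, added here and not code from the post or from the Security Automations for AWS WAF solution: it parses constructed ALB access-log lines, flags client IPs that produced repeated ELB 404s inside a sliding window, and merges them into an expiring block list whose keys are the address list a Lambda would push with wafv2 UpdateIPSet. The S3 trigger on new log objects and the boto3 calls are assumed and omitted.

```python
import shlex
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed ALB access-log lines (not real traffic). Column order follows the ALB format:
# type time elb client:port target:port 3x processing_time elb_status target_status bytes bytes "request" "ua" ...
SAMPLE_LOG = """\
http 2024-01-15T10:00:01.000000Z app/my-alb/abc 203.0.113.10:50001 10.0.1.5:80 0.000 0.001 0.000 404 404 120 500 "GET http://example.com:80/old-1 HTTP/1.1" "curl/8.0" - -
http 2024-01-15T10:00:02.000000Z app/my-alb/abc 203.0.113.10:50002 10.0.1.5:80 0.000 0.001 0.000 404 404 120 500 "GET http://example.com:80/old-2 HTTP/1.1" "curl/8.0" - -
http 2024-01-15T10:00:03.000000Z app/my-alb/abc 203.0.113.10:50003 10.0.1.5:80 0.000 0.001 0.000 404 404 120 500 "GET http://example.com:80/old-3 HTTP/1.1" "curl/8.0" - -
http 2024-01-15T10:00:04.000000Z app/my-alb/abc 198.51.100.7:40001 10.0.1.5:80 0.000 0.001 0.000 200 200 120 900 "GET http://example.com:80/ HTTP/1.1" "Mozilla/5.0" - -
http 2024-01-15T10:00:05.000000Z app/my-alb/abc 198.51.100.7:40002 10.0.1.5:80 0.000 0.001 0.000 404 404 120 500 "GET http://example.com:80/old-9 HTTP/1.1" "Mozilla/5.0" - -
"""

def parse_line(line):
    """Return (timestamp, client_ip, elb_status_code) from one ALB log line."""
    f = shlex.split(line)  # shlex keeps the quoted "request" and "user_agent" fields whole
    ts = datetime.strptime(f[1], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    client_ip = f[3].rsplit(":", 1)[0]  # drop the client port
    return ts, client_ip, f[8]

def offenders(log_text, threshold=3, window=timedelta(minutes=5)):
    """Client IPs that produced >= threshold ELB 404s within any `window`-long span."""
    hits = defaultdict(list)
    for ts, ip, code in map(parse_line, filter(str.strip, log_text.splitlines())):
        if code == "404":
            hits[ip].append(ts)
    flagged = set()
    for ip, times in hits.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged

def merge_block_list(current, new_ips, now, ttl=timedelta(hours=1)):
    """current: {cidr: expiry}. Drop expired entries, add new_ips with a fresh TTL."""
    # The keys form the complete Addresses list for UpdateIPSet, which replaces the
    # whole set and needs the LockToken from GetIPSet. Assumes IPv4 clients (/32).
    kept = {cidr: exp for cidr, exp in current.items() if exp > now}
    for ip in new_ips:
        kept[f"{ip}/32"] = now + ttl
    return kept

def run(log_text, current=None):  # one batch: parse, flag, merge; returns sorted CIDRs
    now = max(parse_line(l)[0] for l in log_text.splitlines() if l.strip())
    return sorted(merge_block_list(current or {}, offenders(log_text), now))
```

Expiry is handled by re-running the merge on each batch, so entries age out without a separate cleanup job.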
