AWS WAF rate limiting is not working as expected.

0

Hi,

I have a REST API deployed on ECS and fronted with an ALB. I set a rule on WAF to block DDoS attacks. If there are more than 10 requests in one minute, then the requests should be blocked. However, it is not working as expected. When I send 150 requests at the same time, sometimes 120 return 200 and 30 return 429 (the response I manually set on WAF for blocked requests); sometimes 110 return 200 and 40 return 429, etc.

In the expected case, 10 should return 200 and 140 should return 429.

Am I missing something?

Here is the rule JSON data:

{
  "Name": "PreventDDOSAnonymousEndpoint",
  "Priority": 0,
  "Statement": {
    "RateBasedStatement": {
      "Limit": 10,
      "EvaluationWindowSec": 60,
      "AggregateKeyType": "IP",
      "ScopeDownStatement": {
        "ByteMatchStatement": {
          "SearchString": "/api/website/",
          "FieldToMatch": { "UriPath": {} },
          "TextTransformations": [ { "Priority": 0, "Type": "LOWERCASE" } ],
          "PositionalConstraint": "STARTS_WITH"
        }
      }
    }
  },
  "Action": {
    "Block": {
      "CustomResponse": {
        "ResponseCode": 429,
        "CustomResponseBodyKey": "DDOS-RESPONSE",
        "ResponseHeaders": [ { "Name": "test", "Value": "test" } ]
      }
    }
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "PreventDDOSAnonymousEndpoint"
  }
}

Efe
asked a month ago · 105 views
1 Answer
2

The 150 requests you are sending at the same time are most likely coming in at too high of a rate for the WAF to detect and limit them. AWS WAF will catch up and eventually trigger the rule.

Take a look at the Rate-based rule caveats for more detail.

Each time that AWS WAF estimates the rate of requests, AWS WAF looks back at the number of requests that came in during the configured evaluation window. Due to this and other factors such as propagation delays, it's possible for requests to be coming in at too high a rate for up to several minutes before AWS WAF detects and rate limits them. Similarly, the request rate can be below the limit for a period of time before AWS WAF detects the decrease and discontinues the rate limiting action. Usually, this delay is below 30 seconds.

Tracy H (AWS)
answered a month ago
  • Agreed. You need to take some WAF ramp-up time into account: your experiment should extend over a longer period (a few minutes) before you start seeing the multiple parallel requests being blocked.
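A paced probe makes the ramp-up described above visible: instead of one burst, it sends requests to your own WAF-protected endpoint at a steady rate for a few minutes and tallies status codes per time bucket, so you can see when 429s begin and, after the pace drops, when they stop. This is an added example, not code from the thread or from AWS; the URL is a placeholder, and the rate, duration and bucket size are assumptions to adjust for your rule.

```python
"""Paced rate-limit probe for verifying an AWS WAF rate-based rule on your own endpoint."""
import time
import urllib.error
import urllib.request
from collections import Counter, defaultdict


def send_one(url, timeout=5):
    """Return the HTTP status of a single GET. A WAF custom block response
    (e.g. 429) surfaces as HTTPError, so unwrap it instead of raising."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_probe(url, rate_per_sec=2.0, duration_sec=180, sender=send_one):
    """Send requests at a steady pace; return a list of (offset_sec, status)."""
    samples, start, interval, sent = [], time.monotonic(), 1.0 / rate_per_sec, 0
    while time.monotonic() - start < duration_sec:
        samples.append((time.monotonic() - start, sender(url)))
        sent += 1
        # Sleep until the next slot so latency does not distort the pace.
        time.sleep(max(0.0, start + sent * interval - time.monotonic()))
    return samples


def bucketize(samples, bucket_sec=30):
    """Group (offset_sec, status) pairs into fixed buckets -> {bucket_start: Counter}."""
    buckets = defaultdict(Counter)
    for offset, status in samples:
        buckets[int(offset // bucket_sec) * bucket_sec][status] += 1
    return dict(sorted(buckets.items()))


def first_blocked_offset(samples, blocked_status=429):
    """Seconds into the run at which the first blocked response arrived, or None."""
    for offset, status in samples:
        if status == blocked_status:
            return offset
    return None


if __name__ == "__main__":
    # Placeholder: replace with a path behind your own ALB that the rule scopes to.
    URL = "https://example.invalid/api/website/health"
    result = run_probe(URL, rate_per_sec=2.0, duration_sec=180)
    for bucket_start, counts in bucketize(result).items():
        print(f"{bucket_start:4d}s-{bucket_start + 30:4d}s: {dict(counts)}")
    print("first 429 at (s):", first_blocked_offset(result))
```

With the rule above (limit 10 per 60 s), 2 requests per second exceeds the limit within the first few seconds, so the gap between that moment and the first 429 bucket is the detection lag the answer refers to.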
