
WAF AntiDDoS AMR does not work as expected


I am trying to set up the anti-DDoS managed rule in AWS WAF following the blog https://aws.amazon.com/cn/blogs/networking-and-content-delivery/introducing-the-aws-waf-application-layer-ddos-protection/. And I am sure that the configuration is correct, as below: only one single rule in the ACL, which is associated with my ALB.

After that, I tried to launch the load test from my laptop to simulate the DDoS attack:

wrk -t8 -c800 -d365s -H "User-Agent: flood-bot" http://nginx-lb-xxxxx.us-east-1.elb.amazonaws.com/

However, there is **no request blocked or challenged at all**.

So is anything wrong in my WAF configuration? Does the WAF anti-DDoS managed rule hard-depend on a Shield Advanced subscription?

asked 6 months ago, 238 views
2 Answers

The behavior you're experiencing with AWS WAF AntiDDoS AMR not blocking or challenging requests as expected is likely due to several factors related to how AWS WAF implements DDoS protection.

First, the AntiDDoS managed rule group needs time to profile your traffic patterns before it can effectively detect and mitigate attacks. It typically takes about 15 minutes after enabling the rule for it to begin understanding your normal traffic patterns and identify anomalous attack patterns.

Second, AWS WAF's rate-based rules and DDoS detection don't guarantee immediate blocking at exact thresholds. There are inherent delays in the detection and mitigation process. The system uses an algorithm that prioritizes recent requests when estimating current request rates, and it may take several minutes before AWS WAF detects and applies rate limiting or DDoS mitigations.

For your specific configuration, ensure that:

  1. The AntiDDoS AMR is positioned with high priority in your web ACL (ideally at the top or just below any custom Allow rules) to ensure it has visibility into all traffic.

  2. The ClientSideAction setting is properly enabled if you want to use the challenge capabilities.

  3. You've allowed sufficient time for the rule to profile your traffic (at least 15 minutes).

  4. Your test is generating traffic that would be recognized as a DDoS attack rather than just high volume legitimate traffic. The rule group is designed to distinguish between actual DDoS events and legitimate traffic spikes.

If you need more precise control over request rates, you might want to consider implementing additional rate-based rules with specific thresholds alongside the AntiDDoS managed rule group.
Sources
Introducing new application layer (L7) DDoS protections for AWS WAF and AWS Shield Advanced customers | Networking & Content Delivery
ClientSideAction - AWS WAFV2
Advanced Anti-DDoS protection using the AWS WAF Anti-DDoS managed rule group - AWS WAF, AWS Firewall Manager, AWS Shield Advanced, and AWS Shield network security director
AWS WAF Rules not working | AWS re:Post

answered 6 months ago
  • 1, the anti-DDoS rule is the only rule in the ACL. 2, the client is wrk (a load test tool), not a browser, so I expected it should be challenged. 3, I have given WAF enough time to warm up and learn the traffic model before launching the load test. 4, a simple rate limit rule doesn't apply to my case; the attack comes from several different anonymous IPs, but the frequency is not so high.
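The checklist in the first answer (rule group present, evaluated first, ClientSideAction enabled) can be checked mechanically against the JSON that `aws wafv2 get-web-acl --scope REGIONAL --name ... --id ...` prints, instead of eyeballing the console. The script below is an added example for this thread, not code from AWS or from either poster. The field names it looks at (AWSManagedRulesAntiDDoSRuleSet, ManagedRuleGroupConfigs, ClientSideActionConfig, SensitivityToBlock, OverrideAction) follow the WAFV2 API as I know it and should be confirmed against the current API reference; the sample web ACL embedded in it is constructed to resemble the single-rule ACL in the question, with the challenge switched off so the check has something to report.

```python
"""Static checks for a WAFv2 web ACL against the anti-DDoS AMR checklist.

Added example, not AWS code. Pipe the output of `aws wafv2 get-web-acl` into it,
or run it without input to check the constructed SAMPLE_WEB_ACL below.
Field names are assumptions based on the WAFV2 API shape; verify before relying on them.
"""
import json

ANTI_DDOS_RULE_GROUP = "AWSManagedRulesAntiDDoSRuleSet"

# Constructed sample (not the poster's real ACL): one rule, challenge disabled.
SAMPLE_WEB_ACL = {
    "Name": "nginx-lb-acl",
    "DefaultAction": {"Allow": {}},
    "Rules": [
        {
            "Name": "AWS-AWSManagedRulesAntiDDoSRuleSet",
            "Priority": 0,
            "OverrideAction": {"None": {}},
            "Statement": {
                "ManagedRuleGroupStatement": {
                    "VendorName": "AWS",
                    "Name": ANTI_DDOS_RULE_GROUP,
                    "ManagedRuleGroupConfigs": [
                        {
                            "AWSManagedRulesAntiDDoSRuleSet": {
                                "ClientSideActionConfig": {
                                    "Challenge": {"UsageOfAction": "DISABLED"}
                                },
                                "SensitivityToBlock": "LOW",
                            }
                        }
                    ],
                }
            },
        }
    ],
}


def find_anti_ddos_rule(web_acl):
    """Return the rule that references the AWS anti-DDoS managed rule group, or None."""
    for rule in web_acl.get("Rules", []):
        stmt = rule.get("Statement", {}).get("ManagedRuleGroupStatement")
        if stmt and stmt.get("VendorName") == "AWS" and stmt.get("Name") == ANTI_DDOS_RULE_GROUP:
            return rule
    return None


def anti_ddos_config(rule):
    """Pull the rule-group-specific config block out of ManagedRuleGroupConfigs."""
    stmt = rule["Statement"]["ManagedRuleGroupStatement"]
    for cfg in stmt.get("ManagedRuleGroupConfigs", []):
        if "AWSManagedRulesAntiDDoSRuleSet" in cfg:
            return cfg["AWSManagedRulesAntiDDoSRuleSet"]
    return {}


def check_web_acl(web_acl):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    rule = find_anti_ddos_rule(web_acl)
    if rule is None:
        return [f"{ANTI_DDOS_RULE_GROUP} is not referenced by any rule"]
    # WAFv2 evaluates lower Priority numbers first; the AMR should be at or near the top.
    earlier = [r["Name"] for r in web_acl["Rules"] if r["Priority"] < rule["Priority"]]
    if earlier:
        findings.append(f"rules evaluated before the AMR: {earlier}")
    # A Count override turns the whole group into observe-only: nothing gets blocked.
    if "Count" in rule.get("OverrideAction", {}):
        findings.append("OverrideAction is Count: nothing will be blocked or challenged")
    cfg = anti_ddos_config(rule)
    challenge = cfg.get("ClientSideActionConfig", {}).get("Challenge", {})
    if challenge.get("UsageOfAction") != "ENABLED":
        findings.append("ClientSideActionConfig.Challenge.UsageOfAction is not ENABLED")
    if cfg.get("SensitivityToBlock") not in ("LOW", "MEDIUM", "HIGH"):
        findings.append("SensitivityToBlock is unset")
    return findings


if __name__ == "__main__":
    import sys
    acl = SAMPLE_WEB_ACL if sys.stdin.isatty() else json.load(sys.stdin)["WebACL"]
    for line in check_web_acl(acl) or ["all checks passed"]:
        print(line)
```

Run as `aws wafv2 get-web-acl --scope REGIONAL --name NAME --id ID | python check_acl.py`. A challenge that is disabled in the config, or a rule group overridden to Count, both produce exactly the symptom in the question (requests flow through with no block or challenge), so these are worth ruling out before blaming the learning period.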


We don't give exact details of how to reproduce, however:

  • you need a traffic baseline - it doesn't look as though you have a baseline, just that one spike of requests labelled 'challengeable-request' - lay a baseline with a single client making low RPS over at least 15 minutes and up to 1 hour
  • there should be more clients than usual - a single IP won't cut it - and these should make statistically significantly more RPS than the baseline RPS
  • in real life there are other signals that we ingest that you would not be able to repro, but it is possible to 'provoke' the rulegroup in a test situation
  • you do not need a Shield Advanced subscription
AWS EXPERT, answered 4 months ago
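The procedure in the answer above (a long, low-rate baseline from one client, then a burst from many clients at a rate well above the baseline) is easier to reproduce with a paced generator than with `wrk -c800`, which saturates the link from the first second and lays no baseline at all. The script below is an added example, not AWS tooling and not something either poster ran: phase 1 sends steady single-client traffic for 30 minutes, phase 2 runs a burst from many concurrent workers with a distinctive User-Agent, and both phases report the mix of status codes so you can see challenges (WAF's Challenge action answers with a 202 interstitial) and blocks (403 by default) appear. The target URL and the rates are placeholders; as the answer says, a single source IP is not enough, so run the burst phase from several hosts at once.

```python
"""Two-phase traffic generator for provoking the Anti-DDoS managed rule group.

Added example, not AWS tooling. Phase 1 lays a low, steady baseline from one
client; phase 2 bursts from many paced workers with a distinctive User-Agent.
Run phase 2 from several hosts (distinct source IPs) concurrently.
"""
import threading
import time
import urllib.error
import urllib.request
from collections import Counter


def http_fetch(url, user_agent):
    """One GET; return the HTTP status, or 0 for a network-level failure."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status                    # 2xx, including a 202 challenge
    except urllib.error.HTTPError as e:
        return e.code                             # 403 (Block) lands here
    except (urllib.error.URLError, OSError):
        return 0


def send_phase(url, rps, duration_s, concurrency, user_agent, fetch=http_fetch):
    """Spread roughly `rps` requests/second across `concurrency` workers for
    `duration_s` seconds. Each worker paces itself so the total stays near `rps`
    instead of saturating the link. Returns a Counter of status codes.
    `fetch` is injectable so the pacing logic can be exercised offline."""
    counts = Counter()
    lock = threading.Lock()
    interval = concurrency / rps                  # per-worker spacing, seconds
    deadline = time.monotonic() + duration_s

    def worker():
        next_at = time.monotonic()
        while time.monotonic() < deadline:
            status = fetch(url, user_agent)
            with lock:
                counts[status] += 1
            next_at += interval
            time.sleep(max(0.0, next_at - time.monotonic()))

    threads = [threading.Thread(target=worker, daemon=True) for _ in range(concurrency)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return counts


def summarize(counts):
    """Collapse a status-code mapping into the numbers to compare across phases."""
    total = sum(counts.values())
    mitigated = counts.get(202, 0) + counts.get(403, 0)
    return {
        "total": total,
        "challenged_202": counts.get(202, 0),
        "blocked_403": counts.get(403, 0),
        "errors": counts.get(0, 0),
        "mitigated_pct": round(100.0 * mitigated / total, 1) if total else 0.0,
    }


def provoke(url, baseline_rps=1.0, baseline_s=1800,
            attack_rps=100.0, attack_s=120, attack_workers=64):
    """30 minutes at 1 rps from one client, then a 2-minute burst at 100 rps
    from 64 workers. Returns (baseline_summary, attack_summary)."""
    baseline = send_phase(url, baseline_rps, baseline_s, 1, "baseline-client/1.0")
    attack = send_phase(url, attack_rps, attack_s, attack_workers, "flood-bot")
    return summarize(baseline), summarize(attack)


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 2:
        sys.exit("usage: provoke.py http://<your-alb-hostname>/")
    before, during = provoke(sys.argv[1])
    print("baseline:", before)
    print("attack:  ", during)
```

Compare the two summaries: the baseline should be essentially all 200s, and if the rule group engages you should see `challenged_202` (with the challenge enabled) or `blocked_403` climb during the burst phase, typically a few minutes in rather than at the first request. If both phases stay at 200, go back to the web ACL configuration before extending the test.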
