Hello.
If an attacker is deliberately trying to stay below the threshold to avoid getting blocked by AWS WAF's rate-based rules, there are several additional strategies you can implement to identify and potentially block or rate-limit such behavior:
The most straightforward solution is to simply lower the threshold. If you observe patterns where users consistently send 80-95 requests per 5 minutes, lower the threshold to something like 60 or 70 requests.
Analyze Request Patterns: Look for patterns in the requests:
- Request Frequency: Are requests evenly spaced out, or do they come in bursts?
- User-Agents: Are they using known scraping tools, or perhaps all requests have the same or missing User-Agent?
- Request Content: Are they always requesting the same resources or sending the same POST data?
Instead of blocking, consider implementing a temporary allow-list. If a user exceeds a threshold, rather than blocking them, allow-list them for a certain period. If they continue to send requests at a high rate even when they're on the allow list, it's an indication they might be a bot and you can then consider blocking them.
Regards, Andrii
Directly blocking a device ID based on WAF (Web Application Firewall) rule violations is not standard practice or built-in functionality for AWS WAF or most other WAFs.
Is it possible to block the device ID of a user automatically if the user is violating the WAF rule?
I might be missing something, but it appears the lowest setting for rate-based rules is 100. Can someone confirm?