Breach of AWS WAF rate-based rule by attacker

0

I am using an AWS WAF web ACL to protect my API. I have configured rate-based WAF rules for HTTP flooding, but this rate-based rule will only block if hits from an IP cross 100 within 5 minutes. But the attacker is more clever and is using around 12000 different IPs to breach the rate-based rule.

Let's say within 5 minutes he is using 5 different IPs to send 20 or 30 or 40 hits, but the rate-based rule is configured to block 100 hits from a single IP within 5 minutes. How can we handle such scenarios during a brute force attack?

Please do let me know if any customization can be done to handle such scenarios?

Thanks!!

Asked 5 months ago, viewed 222 times
2 answers
0

Hello.

I think the threshold of 100 times within 5 minutes is also quite low.
Even if it were possible to lower this even further, I think there is a possibility that normal requests would also be blocked.
For example, I think it would be possible to meet your requirements by creating a Lambda that automatically adds a specific IP address to the block list when it appears multiple times in the AWS WAF logs.

The answers below may be helpful.
https://repost.aws/questions/QU9CfoIJjeQka1XPeRCYeDbg/ban-a-user-after-being-blocked-by-waf-rule#AN9cWF9MQbSa6_FJizICGqRw

Expert
Answered 5 months ago
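One way to implement the Lambda idea in this answer, as an added example that is not code from the answer or from AWS: it parses WAF log records, reruns the per-IP rate check over the logs for just the login path with a lower threshold than the web ACL's rate-based rule, and builds the /32 entries such a Lambda would merge into a WAF IP set through the wafv2 API. The log sample is constructed, and the IP set name, id, thresholds and the `/login` path are assumptions.

```python
import json
from collections import defaultdict

# Constructed AWS WAF log sample (one JSON record per line, as WAF delivers them):
# five attacker IPs each send 30 POSTs to /login within 5 minutes, far under a
# 100-per-IP rate-based rule, beside two ordinary clients sending 3 each.
def _constructed_logs():
    def rec(ts, ip):
        return json.dumps({"timestamp": ts, "action": "ALLOW", "httpRequest":
                           {"clientIp": ip, "uri": "/login", "httpMethod": "POST"}})
    lines = [rec(1700000000000 + i * 9000, f"203.0.113.{n}")
             for n in range(1, 6) for i in range(30)]
    lines += [rec(1700000000000 + i * 60000, ip)
              for ip in ("198.51.100.7", "198.51.100.8") for i in range(3)]
    return "\n".join(lines)

SAMPLE_WAF_LOGS = _constructed_logs()

def ips_over_threshold(text, threshold, window_ms=300_000, uri_prefix="/"):
    """IPs with >= threshold requests under uri_prefix inside any window_ms-wide
    sliding window: the WAF rule's per-IP check, rerun on the logs for one path."""
    by_ip = defaultdict(list)
    for line in filter(str.strip, text.splitlines()):  # one JSON record per line
        r = json.loads(line)
        ip, uri = r["httpRequest"].get("clientIp"), r["httpRequest"].get("uri", "")
        if ip and uri.startswith(uri_prefix):
            by_ip[ip].append(int(r["timestamp"]))
    flagged = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window_ms:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged

def to_ip_set_entries(ips):
    """WAF IP sets hold CIDRs, so each single IPv4 address becomes a /32."""
    return sorted(f"{ip}/32" for ip in ips)

def add_to_ip_set(entries, name, ip_set_id, scope="REGIONAL"):
    """Merge entries into an existing WAF IP set; name and id are assumed inputs."""
    import boto3  # imported here so the detection above runs without AWS access
    waf = boto3.client("wafv2")
    cur = waf.get_ip_set(Name=name, Scope=scope, Id=ip_set_id)
    waf.update_ip_set(Name=name, Scope=scope, Id=ip_set_id, LockToken=cur["LockToken"],
                      Addresses=sorted(set(cur["IPSet"]["Addresses"]) | set(entries)))
```

With the rule's own threshold of 100 nothing is flagged, while a login-path threshold of 10 over the same 5-minute window flags exactly the five distributed attacker IPs and neither ordinary client.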
0

You may want to consider evaluating the Bot Control managed rule - there is a feature in Targeted Bot Control which seeks to identify anomalous behavior consistent with distributed, coordinated bot activity. See the launch announcement here. Beyond that, the various other features of Bot Control may help you to mitigate the attack activity through the use of Challenge and Captcha actions.

Alternatively, if you're able to identify characteristics of the attack traffic that distinguish it from good traffic, you could adjust your rate-based rule to use a custom key rather than the Source IP. See the launch announcement for this feature here.

AWS
Expert
Paul_L
Answered 4 months ago
