
DDoS Resilience with AWS WAF

7 minute read
Content level: Advanced

I'm under attack!! How can I protect myself using AWS WAF?

This article applies to all AWS layer 7 services that support AWS WAF (i.e. have a web ACL associated). If you're using CloudFront distributions, read this alongside the companion article DDoS Resilience - The Unbelievable Importance of HTTP Caching. Preventing malicious requests from reaching your origin is best achieved through a defence-in-depth approach: use AWS WAF to block clearly malicious requests, and HTTP caching to serve requests on behalf of the origin as a second layer of defence.

This article begins with WAF rule types included in the standard WAF request pricing ($0.60 per 1 million requests for inspection up to 1,500 WCUs), and concludes with the flagship layer 7 anti-DDoS managed rule group (additional request pricing).


Rate-Based Rules

AWS strongly recommends protecting against HTTP request floods by using rate-based rules in AWS WAF. These rules automatically block or challenge requests matching a specific aggregation key (IP address by default) when the request count within a configurable sliding window exceeds a threshold you define. Offending client IPs receive an HTTP 403 Forbidden response (or a configured custom error response) and remain blocked until request rates drop below the threshold.

Layer your rate-based rules for enhanced protection:

  • A blanket catch-all rule to protect your application from large HTTP floods.
  • A rule with a custom aggregation key such as Header(Host) + URI + query string + IP, at more restrictive rates than the blanket rule. This is particularly effective against DDoS because botnets typically hit the same URL repeatedly.

      Rule name:          rbr_host_uri_ip_ddos
      Rule type:          rate-based
      Scope-down:         none
      Limit:              <a low number>
      Evaluation window:  300
      Aggregation key:    custom — Header(Host) + URI + query string + IP
      Action:             BLOCK

  • One or more rules to protect specific URIs, especially uncacheable endpoints, at more restrictive rates than the blanket rule.

      Rule name:          rbr_api
      Rule type:          rate-based
      Scope-down:         if uri_path starts_with '/api'
      Limit:              <a low number>
      Evaluation window:  300
      Aggregation key:    default — IP
      Action:             BLOCK

For example, you might set a blanket rate-based rule (no scope-down) with a limit of 500 requests per 5-minute window, then create additional rules with lower limits (as low as 10 requests per 10-minute window) using scope-down statements:

  • Web pages — scope-down: if NOT uri_path contains '.' to protect requests for resources without a file extension. This also covers your homepage (/), a frequently targeted URI path.
  • Dynamic endpoints — scope-down: if method exactly matches 'POST' (case-insensitive)
  • Heavy requests hitting your database or invoking OTPs — scope-down: if uri_path starts_with '/login' OR uri_path starts_with '/signup' OR uri_path starts_with '/forgotpassword'
  • Non-target geolocations — use lower limits for geo-locations (country codes) or ASNs outside your target demographic.

Together with IP reputation rule groups (discussed below), rate-based rules in Block mode are the cornerstone of a defence-in-depth WAF configuration. They are also a requirement for Shield Advanced cost protection requests to be approved.


IP Reputation Rule Groups

To block attacks based on IP reputation, you can match IPs against custom IP sets you maintain, or use the AWS WAF Managed IP Reputation rule groups. From a DDoS perspective, the two most important rules are:

  1. AWSManagedIPDDoSList within the AWSManagedRulesAmazonIpReputationList rule group
  2. AnonymousIPList within the AWSManagedRulesAnonymousIpList rule group

AWSManagedIPDDoSList

The AWSManagedRulesAmazonIpReputationList rule group includes rules informed by Amazon's internal threat intelligence teams. These identify IP addresses that are operated by bots, are performing reconnaissance against AWS resources, or are actively participating in DDoS attacks. The AWSManagedIPDDoSList rule specifically targets IPs recently seen in DDoS attacks against other AWS customers and has been observed matching 60–90% of requests during layer 7 request flood attacks.

It defaults to Count mode, but surges in matching traffic are a strong indicator of a DDoS attempt. AWS recommends adding this rule group to your web ACL and taking one of the following actions for the AWSManagedIPDDoSList rule:

  1. Move it to Block or Captcha mode, OR
  2. Leave it in Count mode and create a subsequent rate-based rule using a custom aggregation key with the WAF label namespace awswaf:managed:aws:amazon-ip-list:.

Note: Even when the AWSManagedRulesAmazonIpReputationList rule group is set to Block in the web ACL, the AWSManagedIPDDoSList rule remains in Count unless you explicitly edit the rule group to move it to Block.

The best option depends on what constitutes "normal" for your application and your ability to absorb small floods of malicious traffic. In practice, websites either receive a steady trickle of traffic matching this rule, or never see any matches unless under attack.

To determine your baseline, add the rule group to your web ACL and use CloudWatch AWS/WAFv2 CountedRequests metrics to identify whether your application receives matching traffic during peacetime. You can also use WAF logs to pivot to specific IPs and assess whether their request patterns look like normal user behaviour. Then make an informed decision to Block, Challenge, or create a rate-based rule.

If you choose a rate-based rule rather than blocking outright (most customers choose to block), it would look like this:

Rule name:          rbr_ipddoslist
Rule type:          rate-based
Scope-down:         if label matches 'awswaf:managed:aws:amazon-ip-list:AWSManagedIPDDoSList'
Limit:              <a low number>
Evaluation window:  300
Aggregation key:    custom — label namespace 'awswaf:managed:aws:amazon-ip-list:'
Action:             BLOCK
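The three rate-based rules sketched above (rbr_host_uri_ip_ddos, rbr_api and rbr_ipddoslist) expressed as wafv2 rule JSON, as an added example that is not code from the article or from AWS. The helper names, the priorities and the placeholder limit of 100 are assumptions; the dictionary keys are those of the wafv2 API (RateBasedStatement, CustomKeys, ScopeDownStatement).

```python
# Added example: build wafv2 rule JSON for the three rate-based rules above. Function names,
# priorities and the placeholder limit (100) are assumptions; the keys are the wafv2 API's.
ALLOWED_WINDOWS = (60, 120, 300, 600)   # EvaluationWindowSec values WAF accepts
MIN_LIMIT = 10                          # smallest Limit WAF accepts
IPDDOS_NS = "awswaf:managed:aws:amazon-ip-list:"

def no_transform():
    return [{"Priority": 0, "Type": "NONE"}]

def uri_starts_with(prefix):
    """Scope-down: if uri_path starts_with <prefix>."""
    return {"ByteMatchStatement": {"SearchString": prefix, "FieldToMatch": {"UriPath": {}},
            "TextTransformations": no_transform(), "PositionalConstraint": "STARTS_WITH"}}

def label_matches(label):
    """Scope-down: if the request carries a label added by an earlier (Count-mode) rule."""
    return {"LabelMatchStatement": {"Scope": "LABEL", "Key": label}}

def rate_based_rule(name, priority, limit, window_sec, custom_keys=None, scope_down=None):
    """Rate-based BLOCK rule; aggregates on IP unless custom_keys are given."""
    if window_sec not in ALLOWED_WINDOWS:
        raise ValueError(f"EvaluationWindowSec must be one of {ALLOWED_WINDOWS}")
    if limit < MIN_LIMIT:
        raise ValueError(f"Limit must be >= {MIN_LIMIT}")
    stmt = {"Limit": limit, "EvaluationWindowSec": window_sec,
            "AggregateKeyType": "CUSTOM_KEYS" if custom_keys else "IP"}
    if custom_keys:
        stmt["CustomKeys"] = custom_keys
    if scope_down:
        stmt["ScopeDownStatement"] = scope_down
    return {"Name": name, "Priority": priority, "Statement": {"RateBasedStatement": stmt},
            "Action": {"Block": {}},
            "VisibilityConfig": {"SampledRequestsEnabled": True,
                                 "CloudWatchMetricsEnabled": True, "MetricName": name}}
# Header(Host) + URI + query string + IP: each distinct combination is rate-limited separately.
HOST_URI_QS_IP = [
    {"Header": {"Name": "host", "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}]}},
    {"UriPath": {"TextTransformations": no_transform()}},
    {"QueryString": {"TextTransformations": no_transform()}},
    {"IP": {}},
]
RULES = [
    rate_based_rule("rbr_host_uri_ip_ddos", 10, 100, 300, custom_keys=HOST_URI_QS_IP),
    rate_based_rule("rbr_api", 20, 100, 300, scope_down=uri_starts_with("/api")),
    # Aggregates per label name under the namespace; the scope-down keeps it to the DDoS list.
    rate_based_rule("rbr_ipddoslist", 30, 100, 300,
                    custom_keys=[{"LabelNamespace": {"Namespace": IPDDOS_NS}}],
                    scope_down=label_matches(IPDDOS_NS + "AWSManagedIPDDoSList")),
]
```

Serialise RULES with json.dumps for the console's JSON rule editor or the update-web-acl CLI call; the AWSManagedRulesAmazonIpReputationList rule group must sit at a lower priority number than rbr_ipddoslist so its label exists when the rate-based rule is evaluated.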

AnonymousIPList

The AWSManagedRulesAnonymousIpList rule group blocks requests from services that obfuscate viewer identity, including VPNs, proxies, Tor nodes, and non-AWS cloud platforms.

Requests matching the AnonymousIPList rule are strong candidates for malicious activity, including DDoS. Consider moving this rule to Block. However, be cautious with the HostingProviderIPList rule — it's a blunt instrument, and many customers move it to Count mode within the rule group.


Challenge Rule Action

DDoS botnets are built for maximum damage at minimum cost to the operator. They are generally unsophisticated script-based bots that cannot process JavaScript. The Challenge rule action asks the client to perform a JavaScript proof-of-work and present evidence via a token (the aws-waf-token cookie) before the request is permitted. It has a high efficacy rate against DDoS botnets.

Challenge has a slightly higher cost per request than standard WAF rule actions, so you may want to combine it with rate-based rules or only deploy it during an active attack where availability is impacted.

The token can only be acquired via HTTP GET requests with an Accept header containing text/html (i.e. page requests), unless prior client-side integration has been done. Once acquired, the token is presented on subsequent requests for the same domain until the cookie TTL expires. Do not configure a Challenge response for non-page requests unless the aws-waf-token has already been acquired.


Block Unused URI Paths

Block access to unused URI paths using AWS WAF. The most obvious example is the / path on an API endpoint, which would typically return HTTP 404 (Not Found).

Also consider blocking file extensions you don't serve:

if NOT uri_path matches regex .*\.(css|js|png|jpg|svg|woff2|html|json)$ AND uri_path contains '.'

Blocking these paths prevents high-volume request floods on non-existent URLs from overwhelming your target group (ALB) or origin (CloudFront).
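The extension rule above as wafv2 rule JSON (AND of a NOT regex match and a CONTAINS byte match), with a local check of the same logic against constructed sample paths. This is an added example, not code from the article or from AWS; the function and rule names are assumptions, and the LOWERCASE text transformation is added so that upper-case extensions of files you do serve are not blocked.

```python
import re

# Added example: the 'block unknown extensions' rule above as wafv2 rule JSON, plus a
# local check of its logic against constructed sample paths. Names are assumptions.
SERVED_EXT_REGEX = r".*\.(css|js|png|jpg|svg|woff2|html|json)$"
LOWERCASE = [{"Priority": 0, "Type": "LOWERCASE"}]   # so '/logo.PNG' is not blocked

def uri_contains_dot():
    return {"ByteMatchStatement": {"SearchString": ".", "FieldToMatch": {"UriPath": {}},
            "TextTransformations": LOWERCASE, "PositionalConstraint": "CONTAINS"}}

def uri_has_served_extension():
    return {"RegexMatchStatement": {"RegexString": SERVED_EXT_REGEX,
            "FieldToMatch": {"UriPath": {}}, "TextTransformations": LOWERCASE}}

def block_unknown_extensions_rule(priority):
    """if NOT uri_path matches regex <served extensions> AND uri_path contains '.'"""
    return {"Name": "block_unknown_extensions", "Priority": priority,
            "Statement": {"AndStatement": {"Statements": [
                {"NotStatement": {"Statement": uri_has_served_extension()}},
                uri_contains_dot()]}},
            "Action": {"Block": {}},
            "VisibilityConfig": {"SampledRequestsEnabled": True,
                                 "CloudWatchMetricsEnabled": True,
                                 "MetricName": "block_unknown_extensions"}}

def is_blocked(uri_path):
    """Mirror the rule for one uri_path (path only; WAF's uri_path excludes the query string)."""
    p = uri_path.lower()
    return "." in p and re.search(SERVED_EXT_REGEX, p) is None

# Constructed sample paths and the decision the rule would take on each.
SAMPLE_PATHS = {
    "/": False,                 # no '.', so untouched (rate-based rules cover it instead)
    "/api/users": False,
    "/static/app.js": False,
    "/images/logo.PNG": False,  # only because of the LOWERCASE transformation
    "/wp-login.php": True,      # extension that is never served
    "/.env": True,
    "/v1.2/users": True,        # caveat: a dot in a directory segment is blocked too
}

def check_samples():
    return {path: is_blocked(path) for path in SAMPLE_PATHS}

def samples_agree():
    return check_samples() == SAMPLE_PATHS
```

If your application has dotted path segments such as /v1.2/, add a scope-down or an allow rule for them before enabling this rule in Block.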


Layer 7 Anti-DDoS Managed Rule Group

Additional WAF charges apply unless you are a Shield Advanced subscriber.

The anti-DDoS managed rule group (AWS-AWSManagedRulesAntiDDoSRuleSet) provides layer 7 request flood detection and mitigation. It is available pay-as-you-go as an alternative to a Shield Advanced subscription ($3,000/month per organization + Shield Data Transfer Out charges for protected resources), and it is included in Shield Advanced pricing for resources protected by Shield Advanced. It represents the future of layer 7 detection and mitigation at AWS.

Key features:

  • Forms a resource baseline (while not under attack) in as little as 5 minutes
  • Detects and mitigates DDoS attacks in single-digit seconds
  • Distinguishes flash-crowd traffic from DDoS traffic
  • You are not charged for requests that are Challenged or Blocked by this rule group during a detected event

Further reading: