AWS WAF Rule Best Practice for Protection Against DDoS Attack
This article describes DDoS attacks and how various AWS WAF rules can work together to protect against them.
A Distributed Denial of Service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service, or network by overwhelming it with a flood of internet traffic from multiple sources. With AWS WAF, you can use the custom and managed rules below to protect against DDoS attacks.
IP Set Rule
Create an IP set rule, which inspects the IP address of a web request against a set of IP addresses and address ranges.
Use case 1 : A list of known malicious IP addresses, based on historical information and previous attacks. Create a rule with the "Block" action.
Use case 2 : A list of known trusted IP addresses (corporate IPs, remote office IPs, etc.). Create a rule with the "Allow" action. Note that "Allow" is a terminating rule action: WAF will not evaluate the request against the other WAF rules at higher numeric priority, so revisit the set regularly to make sure only trusted IP addresses are in a rule with the "Allow" action.
Geographic match rule statement
Create a geographic rule to manage web requests based on the country and region of origin.
Use case 1 : Create a rule to block traffic from specific countries from which you're not expecting any traffic. The "Top Insights" section of the AWS WAF traffic overview tab can be a useful tool to identify the top countries from which traffic is received.
Use case 2 : Create a rule to block traffic with the "NEGATE" option. For example, if you're expecting traffic only from the US, Canada, and Australia, you can create a geo-fence rule that matches the US, Canada, and Australia with the "NEGATE" statement and blocks; see the configuration in the screenshot below. This rule will block any traffic coming from outside the US, Canada, and Australia.
Use case 3 : Block traffic from a certain country, but add an IP set "Negate" statement to allow specific IPs from the blocked country. This allows specific trusted IPs (corporate and office IPs) while blocking the remaining traffic from that country.
Use case 4 : Create a rule to allow traffic from a specific country except for specific regions (for example, allow traffic from the US but block specific states such as TX or CA).
Rate-based rule
Create a rate-based rule to provide protection when a specific IP address is sending too much traffic in a short amount of time.
Use case 1 : A blanket rate-based rule for the application/endpoint.
Use case 2 : A stricter rate-based rule for sensitive parts of your application (login page, signup page, specific URIs, etc.). See the example below of a stricter rate-based rule configuration for a login page.
The Block action is optimal when prioritizing immediate protection against high-volume attacks and minimizing resource consumption; the CAPTCHA action is optimal when balancing protection with accessibility for legitimate users during traffic spikes, since it lets humans regain access by solving puzzles.
Refer to "The three most important AWS WAF rate-based rules" and the guidance on identifying an appropriate rate limit based on the traffic pattern in your WAF logs.
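To put that log-based guidance into practice, the following added example (not AWS tooling, and not code from this article) computes the per-IP peak request count over a trailing 5-minute window from records shaped like AWS WAF logs, once for all URIs (blanket rule) and once for a /login prefix (stricter rule), then shows which IPs a candidate limit would trip. The log records, IP addresses and limits are constructed.

```python
"""Size AWS WAF rate-based rules from WAF logs (added example, not AWS tooling).

A rate-based rule counts requests per client IP over a trailing evaluation
window (5 minutes by default). This computes the largest such count seen per
IP, for all requests (blanket rule) or for a URI prefix (stricter login rule),
so limits can be set above legitimate peaks and candidate limits checked.
"""
import json
from collections import defaultdict

def _rec(ts_s, ip, uri):
    """Build a constructed record in the shape of AWS WAF log JSON."""
    return json.dumps({"timestamp": ts_s * 1000, "httpRequest": {"clientIp": ip, "uri": uri}})

# Constructed sample: one IP hammering /login, one browsing normally.
SAMPLE_LOGS = (
    [_rec(t, "198.51.100.7", "/login") for t in range(0, 120, 5)]   # 24 hits in 2 minutes
    + [_rec(t, "203.0.113.9", "/") for t in range(0, 1200, 60)]     # 20 hits over 20 minutes
    + [_rec(t, "203.0.113.9", "/login") for t in (30, 600)]
)

def peak_requests(log_lines, window_s=300, uri_prefix=None):
    """Return {client_ip: max requests within any trailing window_s seconds}."""
    by_ip = defaultdict(list)
    for line in log_lines:
        rec = json.loads(line)
        uri = rec["httpRequest"]["uri"]
        if uri_prefix is None or uri.startswith(uri_prefix):
            by_ip[rec["httpRequest"]["clientIp"]].append(rec["timestamp"] / 1000)
    peaks = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start, best = 0, 0
        for end, t in enumerate(stamps):
            while t - stamps[start] >= window_s:  # drop requests older than the window
                start += 1
            best = max(best, end - start + 1)
        peaks[ip] = best
    return peaks

def exceeding(peaks, limit):
    """IPs whose peak would trip a rate-based rule with the given limit."""
    return sorted(ip for ip, n in peaks.items() if n > limit)

if __name__ == "__main__":
    blanket = peak_requests(SAMPLE_LOGS)
    login = peak_requests(SAMPLE_LOGS, uri_prefix="/login")
    print("blanket peaks:", blanket, "login peaks:", login)
    print("would trip login limit 10:", exceeding(login, 10))
```

Run it over real WAF log exports to see the legitimate peaks before choosing the blanket and login limits.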
IP reputation managed rule groups
AmazonIpReputationList managed rule group : The Amazon IP reputation list rule group contains rules that are based on Amazon internal threat intelligence. Note that the "AWSManagedIPDDoSList" rule, which inspects for IP addresses that have been identified as actively engaging in DDoS activities, is set to the "Count" action by default. If you want to be more sensitive to DDoS attacks, you can change this rule to the "Block" action and analyze the WAF logs for false positives, or use the "Challenge" action.
AnonymousIpList managed rule group : The Anonymous IP list rule group inspects for a list of IP addresses of sources known to anonymize client information (Tor nodes, temporary proxies, and other masking services) and a list of IP addresses from web hosting and cloud providers.
AWS Core Rule Set Managed rule group
The Core Rule Set provides protection against exploitation of a wide range of vulnerabilities, including some of the high-risk and commonly occurring vulnerabilities described in OWASP publications such as the OWASP Top 10. Consider using this rule group for any AWS WAF use case.
Layer 7 Anti-DDoS rule (AWSManagedRulesAntiDDoSRuleSet - paid rule)
The Anti-DDoS AMR is an AWS Managed Rules feature, implemented through AWS WAF, that automatically detects and mitigates HTTP request flood attacks at the application layer (Layer 7). It quickly profiles traffic patterns to identify anomalous attack patterns and mitigates new and changing attacks within seconds, and customers aren't charged for attack traffic detected and mitigated by the system. For maximum effectiveness, place the AWS-AWSManagedRulesAntiDDoSRuleSet AMR at the highest priority in your web ACL (the lowest numeric priority, evaluated first) or immediately after any custom Allow rules, so that it inspects as much traffic as possible.
Key points :
- Faster traffic baseline (~15 minutes) and detection (in seconds)
- Faster mitigation (immediate)
- Better efficiency
- More visibility into rules and actions
- More granular control over sensitivity and actions
ASN Match Rule Statement
An ASN match rule inspects traffic based on Autonomous System Numbers (ASNs), the unique identifiers for large internet networks such as ISPs or enterprises. This allows blocking or allowing traffic from entire network organizations without managing individual IPs, and is more stable because ASNs change less frequently than IP ranges. It's effective for blocking problematic networks or permitting only trusted partners, and works with setups that include CDNs and proxies through its forwarded IP configuration: enable forwarded IP configuration in the rule settings to use the client IP from a header such as X-Forwarded-For.
Important Notes
- Allow and Block are terminating rule actions. If you have a WAF rule with the "Allow" action at a lower numeric priority (WAF evaluates rules starting from the lowest numeric priority), WAF will not evaluate that traffic against the rules at higher numeric priority, which might have deemed the traffic malicious.
- For cost optimization, it is best practice to place less expensive/free WAF rules at the lowest numeric priorities. This ensures that the majority of malicious traffic is blocked before it reaches the higher-priority paid/expensive rules.
- It's best practice to always test new rules in a testing/staging environment to see their effect on the application and to monitor for false positives before deploying them to production.
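The IP set and geographic use cases above, the Count-by-default behaviour of the managed DDoS list, and the terminating-action note can all be exercised with the following added example, a toy evaluator for the AWS WAF v2 rule JSON shapes those rules use (this is not AWS code or code from this article; the IP set ARNs and address ranges are constructed placeholders). It walks rules from the lowest numeric priority, stops at the first matching Allow or Block, and records Count matches without stopping.

```python
"""Toy evaluator for AWS WAF v2 rule JSON (added example, not AWS code).
Supports only the statement types this article uses: IPSetReferenceStatement,
GeoMatchStatement, NotStatement and AndStatement. IP sets are resolved from a
local dict keyed by constructed placeholder ARNs instead of the WAF API."""
import ipaddress

IP_SETS = {  # constructed placeholder ARNs and documentation address ranges
    "arn:aws:wafv2:PLACEHOLDER:ipset/trusted-corp": ["203.0.113.0/24"],
    "arn:aws:wafv2:PLACEHOLDER:ipset/suspected-proxies": ["198.51.100.0/24"],
}

def match(statement, request):
    """Return True when a WAF rule statement matches a request dict (ip, country)."""
    (kind, body), = statement.items()
    if kind == "GeoMatchStatement":
        return request["country"] in body["CountryCodes"]
    if kind == "IPSetReferenceStatement":
        ip = ipaddress.ip_address(request["ip"])
        return any(ip in ipaddress.ip_network(c) for c in IP_SETS[body["ARN"]])
    if kind == "NotStatement":
        return not match(body["Statement"], request)
    if kind == "AndStatement":
        return all(match(s, request) for s in body["Statements"])
    raise ValueError(f"unsupported statement type {kind}")

def evaluate(rules, request, default_action="Allow"):
    """Walk rules from the lowest numeric priority. Allow/Block terminate
    evaluation; Count records the rule name and continues to the next rule."""
    counted = []
    for rule in sorted(rules, key=lambda r: r["Priority"]):
        if match(rule["Statement"], request):
            (action,) = rule["Action"]
            if action in ("Allow", "Block"):
                return action, rule["Name"], counted
            counted.append(rule["Name"])
    return default_action, None, counted

TRUSTED = {"IPSetReferenceStatement": {"ARN": "arn:aws:wafv2:PLACEHOLDER:ipset/trusted-corp"}}
PROXIES = {"IPSetReferenceStatement": {"ARN": "arn:aws:wafv2:PLACEHOLDER:ipset/suspected-proxies"}}
RULES = [
    # IP set use case 2: trusted IPs. Allow terminates, so later rules never see them.
    {"Name": "allow-trusted", "Priority": 0, "Action": {"Allow": {}}, "Statement": TRUSTED},
    # A candidate block list kept in Count while WAF logs are checked for false positives.
    {"Name": "count-proxies", "Priority": 1, "Action": {"Count": {}}, "Statement": PROXIES},
    # Geo use case 2: NEGATE a US/CA/AU match so everything else is blocked,
    # combined with use case 3's NOT IP-set clause so trusted IPs are exempt.
    {"Name": "geo-fence", "Priority": 2, "Action": {"Block": {}}, "Statement": {"AndStatement": {
        "Statements": [{"NotStatement": {"Statement": {"GeoMatchStatement": {"CountryCodes": ["US", "CA", "AU"]}}}},
                       {"NotStatement": {"Statement": TRUSTED}}]}}},
]
```

Calling `evaluate(RULES, {"ip": "203.0.113.7", "country": "DE"})` returns the Allow from "allow-trusted" without ever reaching "geo-fence", which is exactly the behaviour the first note above warns about.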
Additional documents
Resiliency best practices : https://docs.aws.amazon.com/pdfs/whitepapers/latest/aws-best-practices-ddos-resiliency/aws-best-practices-ddos-resiliency.pdf
Best practices for using automatic application layer DDoS mitigation : https://docs.aws.amazon.com/waf/latest/developerguide/ddos-automatic-app-layer-response-bp.html
AWS Shield Advanced application layer DDoS mitigation : https://aws.amazon.com/blogs/aws/aws-shield-advanced-update-automatic-application-layer-ddos-mitigation/
AWS WAF pricing : https://aws.amazon.com/waf/pricing/