WAF IP Set Rule Issue


my rule is as below:

{
  "Name": "RateLimit",
  "Priority": 4,
  "Statement": {
    "RateBasedStatement": {
      "Limit": 200,
      "AggregateKeyType": "IP"
    }
  },
  "Action": {
    "Count": {}
  },
  "RuleLabels": [
    {
      "Name": "ratelimit:perip"
    }
  ],
  "VisibilityConfig": {
    "SampledRequestsEnabled": false,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "RateLimit"
  }
}

Normally, I can see the matched logs in CloudWatch Logs.

However, a DDoS attack hit my service from 23 IPs in 30 sec. I can't see any matched logs in CloudWatch Logs or CloudWatch metrics.

Linda
Asked 1 year ago, 260 views
1 answer

https://docs.aws.amazon.com/waf/latest/developerguide/logging-management.html
https://docs.aws.amazon.com/waf/latest/developerguide/ddos-responding.html

According to the above links:

AWS WAF Logging Configuration: In the logging configuration for your web ACL, you can customize what AWS WAF sends to the logs. This includes field redaction and log filtering. The logs could be filtered based on the settings that AWS WAF applies during the web request evaluation, such as fully qualified labels and rule action settings. If the log filters do not match the criteria of the DDoS attack, they may not be logged.

Logging Enabled or Disabled: You can enable and disable logging for a web ACL at any time. It's possible that the logging was disabled during the time of the DDoS attack, which would mean that those events wouldn't be logged. You might want to double-check whether logging was enabled during that time.

AWS Shield Advanced Response to DDoS Attacks: AWS automatically mitigates network and transport layer (layer 3 and layer 4) Distributed Denial of Service (DDoS) attacks. For application layer (layer 7) DDoS attacks, AWS attempts to detect and notify AWS Shield Advanced customers through CloudWatch alarms. However, it doesn't automatically apply mitigations by default, to avoid inadvertently blocking valid user traffic. This could be a reason why you didn't see logs for the DDoS attack.

Manually Mitigating Application Layer DDoS Attacks: If you believe that the events page for your resource represents a DDoS attack, you can create your own AWS WAF rules in your web ACL to mitigate the attack. Initially, you configure the rules to count matching requests. After you're comfortable that your new rules are identifying the correct requests, you can modify them to block the requests.

Expert
Answered 1 year ago
    1. I already enabled WAF logging to Amazon CloudWatch Logs.
    2. I already set up the WAF rule with the Count action, as shown in my rule.

    The DDoS triggered 9815 accesses in 30 sec from 23 IPs, but I didn't see any matched logs in CloudWatch Logs.

    The rule and logs work fine in other situations but not this time, so I want to know the reason.

  • Assuming you have validated your ACLs, etc.,

    please check this article again:

    https://aws.amazon.com/blogs/mt/analyzing-aws-waf-logs-in-amazon-cloudwatch-logs/

    Your logs should be forwarded to CloudWatch metrics according to the retention period and metrics you have defined before. If the logs do not match the metrics you have defined, they cannot be sent to CloudWatch.
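The log-filtering point raised in the answer and again in the last comment can be checked concretely. What follows is an added example, not code from this thread or from AWS: it reproduces the documented evaluation order of a web ACL LoggingFilter (filters are tried in order, the first whose conditions are satisfied decides KEEP or DROP, and a record that matches no filter gets DefaultBehavior) and runs it over constructed records shaped like AWS WAF JSON log entries. The account ID, web ACL name and sample records are placeholders. It shows how a filter that keeps only BLOCK actions silently drops every match of the Count-mode RateLimit rule from the question, and what a filter that also keeps COUNT actions or the rule's fully qualified label looks like.

```python
"""Simulate an AWS WAF web ACL logging filter over sample log records.

Added example, not code from this thread or from AWS. Implements the
documented LoggingFilter evaluation order: filters are tried in order, the
first whose conditions are met decides KEEP or DROP, and records matching
no filter get DefaultBehavior. Records and identifiers are placeholders.
"""

ACCOUNT_ID = "123456789012"  # placeholder account ID
WEB_ACL_NAME = "my-web-acl"  # placeholder web ACL name
# Fully qualified form of the RuleLabels entry "ratelimit:perip" from the
# rule in the question, as it appears in a log record's "labels" array.
RATE_LABEL = f"awswaf:{ACCOUNT_ID}:webacl:{WEB_ACL_NAME}:ratelimit:perip"


def actions_in_record(record):
    """All actions the web ACL applied to this request: the terminating
    action plus the action of every non-terminating (Count) rule match."""
    actions = {record["action"]}
    for rule in record.get("nonTerminatingMatchingRules", []):
        actions.add(rule["action"])
    return actions


def condition_matches(condition, record):
    """One LoggingFilter condition (ActionCondition or LabelNameCondition)."""
    if "ActionCondition" in condition:
        return condition["ActionCondition"]["Action"] in actions_in_record(record)
    if "LabelNameCondition" in condition:
        wanted = condition["LabelNameCondition"]["LabelName"]
        return any(label["name"] == wanted for label in record.get("labels", []))
    raise ValueError(f"unsupported condition: {condition}")


def filter_matches(log_filter, record):
    """Apply the filter's Requirement (MEETS_ALL / MEETS_ANY) to its conditions."""
    results = [condition_matches(c, record) for c in log_filter["Conditions"]]
    if log_filter["Requirement"] == "MEETS_ALL":
        return all(results)
    if log_filter["Requirement"] == "MEETS_ANY":
        return any(results)
    raise ValueError(f"unsupported requirement: {log_filter['Requirement']}")


def would_be_logged(logging_filter, record):
    """True if the record reaches the log destination under logging_filter."""
    for log_filter in logging_filter.get("Filters", []):
        if filter_matches(log_filter, record):
            return log_filter["Behavior"] == "KEEP"
    return logging_filter["DefaultBehavior"] == "KEEP"


def kept_records(logging_filter, records):
    return [r for r in records if would_be_logged(logging_filter, r)]


# Constructed record: the request exceeded the rate limit while RateLimit is
# in Count mode, so the default action allowed it and the match appears only
# under nonTerminatingMatchingRules, with the rule's label attached.
COUNTED_RECORD = {
    "action": "ALLOW", "terminatingRuleId": "Default_Action",
    "nonTerminatingMatchingRules": [
        {"ruleId": "RateLimit", "action": "COUNT", "ruleMatchDetails": []}],
    "labels": [{"name": RATE_LABEL}],
    "httpRequest": {"clientIp": "192.0.2.10", "uri": "/login"},
}
# Constructed record: request matched nothing.
PLAIN_RECORD = {"action": "ALLOW", "terminatingRuleId": "Default_Action",
                "nonTerminatingMatchingRules": [], "labels": [],
                "httpRequest": {"clientIp": "198.51.100.7", "uri": "/"}}
# Constructed record: request blocked by some other rule.
BLOCKED_RECORD = {"action": "BLOCK", "terminatingRuleId": "BadBot",
                  "nonTerminatingMatchingRules": [], "labels": [],
                  "httpRequest": {"clientIp": "203.0.113.9", "uri": "/admin"}}
SAMPLE_RECORDS = [COUNTED_RECORD, PLAIN_RECORD, BLOCKED_RECORD]

# No LoggingFilter configured: everything is delivered.
NO_FILTER = {"DefaultBehavior": "KEEP", "Filters": []}
# Filter that keeps only blocked requests: Count-mode matches never arrive.
BLOCK_ONLY_FILTER = {"DefaultBehavior": "DROP", "Filters": [
    {"Behavior": "KEEP", "Requirement": "MEETS_ANY",
     "Conditions": [{"ActionCondition": {"Action": "BLOCK"}}]}]}
# Corrected filter: also keep anything counted or carrying the rate label.
FIXED_FILTER = {"DefaultBehavior": "DROP", "Filters": [
    {"Behavior": "KEEP", "Requirement": "MEETS_ANY",
     "Conditions": [{"ActionCondition": {"Action": "BLOCK"}},
                    {"ActionCondition": {"Action": "COUNT"}},
                    {"LabelNameCondition": {"LabelName": RATE_LABEL}}]}]}

if __name__ == "__main__":
    for name, cfg in [("no filter", NO_FILTER), ("block only", BLOCK_ONLY_FILTER),
                      ("fixed", FIXED_FILTER)]:
        kept = kept_records(cfg, SAMPLE_RECORDS)
        print(f"{name}: {len(kept)}/{len(SAMPLE_RECORDS)} records logged")
```

The real configuration to compare against comes from `aws wafv2 get-logging-configuration --resource-arn <web-acl-arn>`; its `LoggingConfiguration.LoggingFilter` element has the same `DefaultBehavior` / `Filters` shape used above, so the same structure can be pasted in place of the placeholder filters to see which of your sample records it would discard.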
