How can AWS WAF help prevent brute force login attacks?


How can I use AWS WAF to help prevent brute force attacks?

Short description

A brute force attack is a tactic for gaining unauthorized access to accounts, systems, and networks using trial and error to guess login credentials and encryption keys. This attack is called brute force because a hacker uses excessive forceful attempts to gain access to your accounts.

The following AWS WAF features help prevent brute force login attacks:

  • Rate-based rules
  • CAPTCHA
  • ATP managed rule group
  • AWS WAF Automation on AWS

Rate-based rules

A rate-based rule tracks requests based on the originating IP addresses. The rule invokes if the rate of requests exceeds the defined threshold per five-minute interval.

Create a rate-based rule to block requests if the rate of requests is greater than expected. To find the threshold for a rate-based rule, you must turn on AWS WAF logging and analyze the logs to get the rate of requests. For information on how to create a rate-based rule, see Creating a rule and adding conditions.

You can also create a rate-based rule specific to a URI path. Brute force attacks generally target the login pages to get access to account credentials. Different pages on a website might receive different rates of requests. For example, a home page might receive a higher rate of traffic compared to login pages.

To create a rate-based rule specific to a login page, use the following rule configuration:

  • For Inspect Request, choose URI path.
  • For Match type, choose Starts with string.
  • For String to match, choose /login.
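
The log analysis described above, scoped to the login path, as an added example (not AWS code): it counts AWS WAF log records per client IP in five-minute buckets and shows which clients a candidate limit would affect. The sample records are constructed, and the fixed five-minute buckets and the helper names are assumptions of this example.

```python
import json
from collections import Counter

WINDOW_MS = 5 * 60 * 1000   # the five-minute interval a rate-based rule counts over
BASE = 1_700_000_100_000    # constructed epoch-ms timestamp aligned to a bucket start

def _rec(ip, uri, offset_s):
    # One constructed record using AWS WAF log field names.
    return json.dumps({"timestamp": BASE + offset_s * 1000, "action": "ALLOW",
                       "httpRequest": {"clientIp": ip, "uri": uri}})

# Constructed sample log: one noisy client, two ordinary ones, one truncated line.
SAMPLE_LOG = "\n".join(
    [_rec("198.51.100.7", "/login", s) for s in range(120)]
    + [_rec("203.0.113.5", "/login", s) for s in (0, 60, 120, 180, 400, 460)]
    + [_rec("203.0.113.9", "/login/reset", s) for s in (10, 20, 30)]
    + [_rec("203.0.113.9", "/", s) for s in range(50)]
    + ['{"timestamp": 17000001']
)

def login_rates(log_text, prefix="/login"):
    """Count requests per (client IP, five-minute bucket) for URIs starting with prefix."""
    counts = Counter()
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
            req = rec["httpRequest"]
            ip, uri, ts = req["clientIp"], req["uri"], int(rec["timestamp"])
        except (ValueError, KeyError, TypeError):
            continue  # skip blank, truncated or malformed records
        if uri.startswith(prefix):
            counts[(ip, ts - ts % WINDOW_MS)] += 1
    return counts

def peak_per_ip(counts):
    """Highest count that any single bucket reached for each IP."""
    peaks = {}
    for (ip, _bucket), n in counts.items():
        peaks[ip] = max(peaks.get(ip, 0), n)
    return peaks

def ips_over(peaks, limit):
    """IPs whose peak exceeds a candidate rate limit, i.e. the clients the rule would act on."""
    return sorted(ip for ip, n in peaks.items() if n > limit)

if __name__ == "__main__":
    peaks = peak_per_ip(login_rates(SAMPLE_LOG))
    for ip, n in sorted(peaks.items(), key=lambda kv: -kv[1]):
        print(f"{ip:15} peak /login requests per 5 min: {n}")
    print("over a candidate limit of 100:", ips_over(peaks, 100))
```

Run it against a sample of real logs with several candidate limits before setting the rule to block, so that the chosen threshold sits above the peaks of ordinary clients.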


CAPTCHA

AWS WAF CAPTCHA challenges verify if requests hitting your website are from a human or a bot. Using CAPTCHA helps prevent brute force attacks, credential stuffing, web scraping, and spam requests to servers.

If webpages are designed to receive requests from humans but are susceptible to brute force attacks, then create a rule with a CAPTCHA action. Requests that match a rule with a CAPTCHA action are allowed through to the server when the CAPTCHA challenge is successfully completed.

To set up a CAPTCHA action on your login page, use the following rule configuration:

  • For Inspect, choose URI path.
  • For Match Type, choose Starts with string.
  • For String to match, choose /login.
  • For Action, choose CAPTCHA.
  • For Immunity time, choose Time in seconds.

If a CAPTCHA action is configured, users accessing your login page must complete the CAPTCHA before they can enter their login information. This protection helps prevent brute force attacks from bots.

Note: To help prevent brute force attacks from a human, set a low immunity time. A low immunity time slows the attack as the attacker must complete the CAPTCHA for each request. For more information, see Configuring the CAPTCHA immunity time.

For more information on AWS WAF CAPTCHA, see AWS WAF CAPTCHA.

ATP Managed Rule Group

The AWS WAF account takeover prevention (ATP) managed rule group inspects for malicious requests that attempt to take over your account, for example brute force login attacks that use trial and error to guess credentials and gain unauthorized access to your account.

The ATP rule group is an AWS managed rule group that contains predefined rules that provide visibility and control over requests performing anomalous login attempts.

Use the following subset of rules in the ATP rule group to help block brute force attacks:

Inspects for high volumes of requests sent from individual IP addresses.

Inspects for attempts that use password traversal.

AttributeLongSession: Inspects for attempts that use long lasting sessions.

AttributeUsernameTraversal: Inspects for attempts that use username traversal.

Inspects for high volumes of requests sent from individual sessions.

Inspects for missing credentials.

For more information on how to set up an ATP rule-group, see AWS WAF Fraud Control account takeover prevention (ATP).

AWS WAF Automation on AWS

AWS WAF Security Automation is an AWS CloudFormation template used to deploy a web ACL with a set of rules. You can activate these rules based on your use case. When a hacker attempts to guess the correct credentials as part of a brute force attack, they receive an error code for each incorrect login attempt. For example, an error code might be a 401 Unauthorized response.

The Scanners and probes rule can block requests that originate from an IP address that is continuously receiving a specific response code. Activating this rule deploys an AWS Lambda function or an Amazon Athena query that automatically parses Amazon CloudFront or Application Load Balancer (ALB) access logs to check the HTTP response code from your backend server. If the number of requests receiving the error code reaches a defined threshold, then the rule blocks these requests for a custom period of time that you can configure.

For more information on this template and how to deploy it, see Automatically deploy a single web access control list that filters web-based attacks with AWS WAF Automation on AWS.

AWS OFFICIAL. Updated 2 years ago