I want to use AWS WAF to protect against brute force login attacks.
Resolution
The following AWS WAF features help prevent brute force login attacks:
- Rate-based rules
- CAPTCHA puzzles
- AWS WAF Fraud Control account takeover prevention (ATP) managed rule group
- Security Automations for AWS WAF
Rate-based rules
To block requests when the request rate is higher than expected, create a rate-based rule statement. A rate-based rule counts requests per source (by default, per originating IP address) over an evaluation window and blocks the source while its count exceeds the limit that you set. To establish a threshold that doesn't block legitimate users, turn on AWS WAF logging first. Then, analyze the logs to find the peak request rate that legitimate clients generate, and set the limit above it. Because the rule counts per IP address, an attacker that spreads attempts across many IP addresses can stay under the limit, which is why the CAPTCHA and ATP features below complement it. For information about how to create a rate-based rule, see Creating a rule and adding conditions.
You can also scope a rate-based rule statement to a specific URI path. Brute force attacks typically target login pages to get access to account credentials, and different pages on a website receive different rates of requests. For example, a home page might receive a much higher rate of traffic than a login page, so a single site-wide limit that tolerates home-page traffic is too high to catch abuse of the login page.
To create a rate-based rule statement that's specific to a login page, add a scope-down statement with the following configuration:
- For Inspect Request, choose URI path.
- For Match type, choose Starts with string.
- For String to match, enter /login.
Note: Starts with string matches every path that begins with /login, such as /login/ and /login-help. To limit the rule to the login page itself, choose Exactly matches string instead.
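As an added example (not code from the original article), the following Python turns AWS WAF log records into the per-IP login request rate that the threshold should be based on, and then emits the rate-based rule above in the JSON shape that aws wafv2 accepts. The log records are constructed traffic, and the rule name, priority and 60-request limit are assumptions:

```python
"""Derive a per-IP login request rate from AWS WAF logs, then emit the rate-based rule.

Added example, not code from the original article. It assumes AWS WAF logging is on and
that log records were exported as one JSON object per line; the records here are
constructed traffic, not real logs.
"""
import json
from collections import defaultdict

LOGIN_PREFIX = "/login"
EVALUATION_WINDOW_SEC = 300          # AWS WAF's default 5-minute window
VALID_WINDOWS = {60, 120, 300, 600}  # values AWS WAF accepts for EvaluationWindowSec
_BASE_MS = 1_700_000_100_000         # constructed start time, on a 300 s boundary


def _record(ip, uri, method, ts_ms):
    """One constructed WAF log record using the real record's field layout."""
    return json.dumps({
        "timestamp": ts_ms,
        "action": "ALLOW",
        "httpRequest": {"clientIp": ip, "uri": uri, "httpMethod": method,
                        "country": "US"},
    })


# Constructed traffic: one IP hammers /login, one busy NAT egress logs in steadily,
# and one user browses the site (with a few hits on /login-help).
SAMPLE_WAF_LOGS = (
    [_record("198.51.100.7", "/login", "POST", _BASE_MS + i * 1_000) for i in range(120)]
    + [_record("203.0.113.9", "/login/", "POST", _BASE_MS + i * 15_000) for i in range(40)]
    + [_record("192.0.2.44", "/", "GET", _BASE_MS + i * 5_000) for i in range(50)]
    + [_record("192.0.2.44", "/login-help", "GET", _BASE_MS + i * 1_000) for i in range(1, 4)]
)


def login_request_peaks(log_lines, prefix=LOGIN_PREFIX, window_sec=EVALUATION_WINDOW_SEC):
    """Return {client_ip: most requests seen in one window} for requests whose URI
    path starts with `prefix`. Fixed windows approximate WAF's evaluation window.
    The prefix test mirrors "Starts with string", so /login-help is counted too."""
    per_window = defaultdict(int)
    for line in log_lines:
        rec = json.loads(line)
        req = rec["httpRequest"]
        if not req["uri"].startswith(prefix):
            continue
        window = rec["timestamp"] // (window_sec * 1000)   # timestamp is epoch ms
        per_window[(req["clientIp"], window)] += 1
    peaks = defaultdict(int)
    for (ip, _), count in per_window.items():
        peaks[ip] = max(peaks[ip], count)
    return dict(peaks)


def build_login_rate_rule(limit, window_sec=EVALUATION_WINDOW_SEC, priority=0,
                          name="LoginRateLimit"):
    """Rate-based rule in the wafv2 Rule JSON shape: block a source IP that sends more
    than `limit` requests per window to paths starting with /login."""
    if window_sec not in VALID_WINDOWS:
        raise ValueError(f"EvaluationWindowSec must be one of {sorted(VALID_WINDOWS)}")
    if limit < 1:
        raise ValueError("limit must be a positive request count")
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {
            "RateBasedStatement": {
                "Limit": limit,
                "EvaluationWindowSec": window_sec,
                # Counts per client IP. Behind a CDN or proxy, use FORWARDED_IP with a
                # ForwardedIPConfig instead, or every client shares the proxy's count.
                "AggregateKeyType": "IP",
                # Scope-down statement: the console's "Inspect request: URI path,
                # Match type: Starts with string, String to match: /login".
                "ScopeDownStatement": {
                    "ByteMatchStatement": {
                        "FieldToMatch": {"UriPath": {}},
                        "PositionalConstraint": "STARTS_WITH",
                        "SearchString": LOGIN_PREFIX,
                        "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
                    }
                },
            }
        },
        "Action": {"Block": {}},
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True,
                             "MetricName": name},
    }


if __name__ == "__main__":
    peaks = login_request_peaks(SAMPLE_WAF_LOGS)
    for ip, peak in sorted(peaks.items(), key=lambda kv: -kv[1]):
        print(f"{ip:>15}  peak {peak:>4} login requests per {EVALUATION_WINDOW_SEC}s")
    # Choose a limit above the busiest legitimate source (20) and below the attack (120).
    print(json.dumps(build_login_rate_rule(limit=60), indent=2))
```

Paste the printed rule into the console's JSON rule editor, or include it in the rules array that you pass to aws wafv2 update-web-acl. If your application sits behind CloudFront or another proxy, the client address arrives in X-Forwarded-For, so switch AggregateKeyType to FORWARDED_IP with a ForwardedIPConfig; otherwise every client is counted against the proxy's address.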
CAPTCHA puzzles
CAPTCHA puzzles help you prevent automated brute force attacks, credential stuffing, web scraping, and spam requests from bots. When you create a rule with the CAPTCHA action, clients that match the rule must solve a CAPTCHA before AWS WAF forwards their request, so users must complete the puzzle before they can log in.
To set up CAPTCHA on your login page, use the following rule configuration:
- For Inspect, choose URI path.
- For Match type, choose Starts with string.
- For String to match, enter /login.
- For Action, choose CAPTCHA.
- For Immunity time, enter the number of seconds that a solved CAPTCHA stays valid for that client. The default is 300 seconds.
Note: A solved CAPTCHA lets the client keep sending requests without solving another puzzle for the whole immunity time. To help prevent brute force attacks from a human who solves the puzzle and then types in guesses, set a low immunity time.
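The same configuration expressed as rule JSON, as an added example that is not code from the article: the builder validates the immunity time against the range AWS WAF accepts, and a small matcher reimplements the ByteMatch positional constraints so you can check offline which paths the CAPTCHA will actually gate. The rule name, priority and the sample paths are assumptions:

```python
"""CAPTCHA rule for the login path, plus a check of which paths the match covers.

Added example, not code from the original article. Rule name, priority and immunity
values are assumptions; the path-matching function reimplements the ByteMatch
positional constraints so the rule's reach can be checked offline.
"""
import json

LOGIN_PREFIX = "/login"
IMMUNITY_MIN_SEC, IMMUNITY_MAX_SEC = 60, 259_200  # range AWS WAF accepts for ImmunityTime
DEFAULT_IMMUNITY_SEC = 300                        # AWS WAF's default


def build_login_captcha_rule(immunity_sec=DEFAULT_IMMUNITY_SEC, match_type="STARTS_WITH",
                             priority=1, name="LoginCaptcha"):
    """Rule in the wafv2 Rule JSON shape: CAPTCHA action for URI paths that match
    /login, with a rule-level immunity time. A solved puzzle is accepted for
    `immunity_sec` seconds, so a short value caps how many login attempts ride on
    one human solve."""
    if not IMMUNITY_MIN_SEC <= immunity_sec <= IMMUNITY_MAX_SEC:
        raise ValueError(
            f"ImmunityTime must be {IMMUNITY_MIN_SEC}..{IMMUNITY_MAX_SEC} s, got {immunity_sec}")
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {
            "ByteMatchStatement": {
                "FieldToMatch": {"UriPath": {}},          # Inspect: URI path
                "PositionalConstraint": match_type,       # Match type
                "SearchString": LOGIN_PREFIX,             # String to match
                "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
            }
        },
        "Action": {"Captcha": {}},
        "CaptchaConfig": {"ImmunityTimeProperty": {"ImmunityTime": immunity_sec}},
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True,
                             "MetricName": name},
    }


def rule_matches_path(rule, path):
    """Evaluate the rule's ByteMatchStatement against a URI path, following the
    WAF positional constraints (text transformation NONE, so case matters)."""
    bm = rule["Statement"]["ByteMatchStatement"]
    needle, constraint = bm["SearchString"], bm["PositionalConstraint"]
    if constraint == "STARTS_WITH":
        return path.startswith(needle)
    if constraint == "ENDS_WITH":
        return path.endswith(needle)
    if constraint == "EXACTLY":
        return path == needle
    if constraint == "CONTAINS":
        return needle in path
    raise ValueError(f"unsupported constraint {constraint}")


# Constructed paths a login site might serve; which ones get a CAPTCHA depends on match_type.
SAMPLE_PATHS = ["/login", "/login/", "/login-help", "/Login", "/api/login", "/"]


def coverage(rule, paths=SAMPLE_PATHS):
    """{path: True if the rule's CAPTCHA action would apply}."""
    return {p: rule_matches_path(rule, p) for p in paths}


if __name__ == "__main__":
    rule = build_login_captcha_rule(immunity_sec=60)   # a low immunity time
    print(json.dumps(rule, indent=2))
    for p, hit in coverage(rule).items():
        print(f"{p:<12} {'CAPTCHA' if hit else 'pass'}")
```

Run it and note that Starts with string gates /login-help as well as the login page, while /Login and /api/login pass untouched; if the application serves its login form under a different path or with different casing, the rule silently misses it, so check the coverage against the real paths before deploying.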
ATP managed rule group
To inspect malicious requests that try to take over your users' accounts, use the ATP managed rule group. For example, brute force login attacks use trial and error to guess credentials and gain unauthorized access to an account. When you add the rule group, you configure the login path that it inspects and the request fields that carry the user name and password, so the rules can evaluate the credentials in each login attempt.
The ATP managed rule group contains predefined rules that provide visibility and control over unexpected requests and login attempts.
Use the following subset of rules in the ATP managed rule group to inspect requests:
- VolumetricIpHigh: High volumes of requests that individual IP addresses send.
- AttributePasswordTraversal: Attempts that use password traversal, that is, many different passwords tried with the same user name.
- AttributeLongSession: Attempts that use long-lasting sessions.
- AttributeUsernameTraversal: Attempts that use username traversal, that is, many different user names tried with the same password (credential stuffing and password spraying).
- VolumetricSession: High volumes of requests that individual client sessions send.
- MissingCredential: Login requests that lack a user name or a password.
For more information, see Account takeover prevention rules listing.
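The following added example (not code from the article or from AWS) shows the ATP managed rule group referenced from a web ACL rule together with the login path and credential fields it requires. The login path /api/login, the JSON field names and the decision to leave AttributeCompromisedCredentials in Count mode are assumptions; the six rules listed above keep the group's blocking action, and the builder refuses to count-override them:

```python
"""Web ACL rule for the ATP managed rule group, pointed at a hypothetical login API.

Added example, not code from the original article. The login path, the JSON field
names and the rule left in Count mode are assumptions for illustration; the six
rule names that stay enforced are the ones the article lists.
"""
import json

ATP_GROUP_NAME = "AWSManagedRulesATPRuleSet"

# The subset named in the article; these keep the managed group's own action.
ATP_RULES_TO_ENFORCE = (
    "VolumetricIpHigh", "AttributePasswordTraversal", "AttributeLongSession",
    "AttributeUsernameTraversal", "VolumetricSession", "MissingCredential",
)


def request_inspection(payload_type, username_field, password_field):
    """RequestInspection config telling ATP where the credentials are. JSON payloads
    take JSON Pointer identifiers such as /username; FORM_ENCODED payloads take
    the HTML form field name."""
    if payload_type == "JSON":
        for ident in (username_field, password_field):
            if not ident.startswith("/"):
                raise ValueError(f"JSON identifiers must be JSON Pointers: {ident!r}")
    elif payload_type != "FORM_ENCODED":
        raise ValueError("PayloadType must be JSON or FORM_ENCODED")
    return {"PayloadType": payload_type,
            "UsernameField": {"Identifier": username_field},
            "PasswordField": {"Identifier": password_field}}


def build_atp_rule(login_path, inspection, count_only=(), priority=2,
                   name="AWS-AWSManagedRulesATPRuleSet"):
    """Rule in the wafv2 Rule JSON shape that references the ATP managed rule group.
    Rules in `count_only` are overridden to Count so they show up in logs without
    blocking; everything else keeps the group's action. Refuses to count-override
    the brute-force subset, since that would silently disable the protection."""
    if not login_path.startswith("/"):
        raise ValueError("LoginPath must start with '/'")
    neutralised = sorted(set(count_only) & set(ATP_RULES_TO_ENFORCE))
    if neutralised:
        raise ValueError(f"refusing to set brute-force rules to Count: {neutralised}")
    statement = {
        "VendorName": "AWS",
        "Name": ATP_GROUP_NAME,
        "ManagedRuleGroupConfigs": [{
            "AWSManagedRulesATPRuleSet": {
                "LoginPath": login_path,
                "RequestInspection": inspection,
            }
        }],
    }
    if count_only:  # omit RuleActionOverrides entirely when there is nothing to override
        statement["RuleActionOverrides"] = [
            {"Name": r, "ActionToUse": {"Count": {}}} for r in count_only]
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"ManagedRuleGroupStatement": statement},
        "OverrideAction": {"None": {}},   # let the group's own rule actions take effect
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True,
                             "MetricName": name},
    }


def enforced_rules(rule, known=ATP_RULES_TO_ENFORCE):
    """Names from `known` that the rule leaves at the managed group's own action."""
    stmt = rule["Statement"]["ManagedRuleGroupStatement"]
    overridden = {o["Name"] for o in stmt.get("RuleActionOverrides", [])}
    return tuple(r for r in known if r not in overridden)


if __name__ == "__main__":
    rule = build_atp_rule(
        login_path="/api/login",                          # assumption: the app's login endpoint
        inspection=request_inspection("JSON", "/username", "/password"),
        count_only=("AttributeCompromisedCredentials",),  # assumption: observe this one first
    )
    print(json.dumps(rule, indent=2))
```

OverrideAction None is what makes the group's Block actions take effect; setting it to Count instead would turn the whole group into a monitor and is the classic way an ATP deployment ends up blocking nothing.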
Security Automations for AWS WAF
Security Automations for AWS WAF is an AWS solution that you deploy from an AWS CloudFormation template. It creates a web access control list (web ACL) with a preconfigured set of rules.
When an unauthorized user tries to guess the correct credentials, each failed attempt receives an error response, such as 401 Unauthorized. The Scanners and probes rule blocks requests from an IP address that repeatedly receives the same error response code. When you activate this rule, Security Automations for AWS WAF deploys either an AWS Lambda function or an Amazon Athena query that parses your application's access logs (CloudFront or Application Load Balancer logs) for HTTP response codes. When you deploy the template, set the error threshold (how many times an IP address can receive the same error code) and the block period (how long the rule blocks an IP address that exceeds the threshold).
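Added example (not the solution's own code): the detection logic described above, re-created in plain Python over constructed Application Load Balancer access-log lines. It counts error responses per client IP and returns the IPs that exceed the threshold together with a block expiry, the way the solution populates and later clears its blocked IP set. The threshold, error codes and block period are assumed values, so take yours from the template parameters:

```python
"""Scanner-and-probe style detection over ALB access logs: source IPs that keep
receiving the same error code are blocked for a set period.

Added example that re-creates the described logic in plain Python; it is not the
Security Automations solution's own code. Log lines are constructed in the ALB access
log field order (truncated after the target group ARN); the threshold, error codes
and block period are assumptions, so set them from your own template parameters.
"""
import shlex
from collections import Counter
from datetime import datetime, timedelta, timezone

ERROR_CODES = {"401", "403"}            # assumed: responses counted as failed attempts
ERROR_THRESHOLD = 10                    # assumed: errors per IP before blocking
BLOCK_PERIOD = timedelta(minutes=240)   # assumed: how long an offending IP stays blocked


def _alb_line(second, ip, status, path="/login", ua="curl/8.4.0"):
    """One constructed ALB access-log entry following the real field order."""
    return (f"https 2023-11-14T22:23:{second:02d}.000000Z app/login-alb/50dc6c495c0c9188 "
            f"{ip}:45122 10.0.1.20:8443 0.001 0.004 0.000 {status} {status} 210 398 "
            f'"POST https://www.example.com:443{path} HTTP/1.1" "{ua}" '
            f"ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 "
            f"arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/login/73e2d6bc24d8a067")


# Constructed traffic: one IP fails 12 logins, one user mistypes twice then succeeds,
# and one browses the site with 200s only.
SAMPLE_ALB_LOGS = (
    [_alb_line(i, "198.51.100.7", 401) for i in range(12)]
    + [_alb_line(20, "203.0.113.9", 401), _alb_line(25, "203.0.113.9", 401),
       _alb_line(31, "203.0.113.9", 200)]
    + [_alb_line(40 + i, "192.0.2.44", 200, path="/", ua="Mozilla/5.0") for i in range(5)]
)


def parse_alb_line(line):
    """Pull the fields this check needs out of one ALB access-log line."""
    f = shlex.split(line)   # honours the quoted "request" and "user_agent" fields
    return {
        "time": datetime.fromisoformat(f[1].replace("Z", "+00:00")),
        "client_ip": f[3].rsplit(":", 1)[0],   # client:port
        "elb_status": f[8],
        "request": f[12],
    }


def error_counts(lines, codes=ERROR_CODES):
    """Per-client-IP count of responses whose ELB status code is in `codes`."""
    counts = Counter()
    for line in lines:
        rec = parse_alb_line(line)
        if rec["elb_status"] in codes:
            counts[rec["client_ip"]] += 1
    return counts


def ips_over_threshold(lines, threshold=ERROR_THRESHOLD, codes=ERROR_CODES):
    """IPs that received an error code more than `threshold` times: the set the
    solution would add to its blocked IP set."""
    return {ip: n for ip, n in error_counts(lines, codes).items() if n > threshold}


def block_entries(lines, now=None, threshold=ERROR_THRESHOLD, period=BLOCK_PERIOD):
    """{ip: expiry}: offending IPs with the time their block should be lifted."""
    now = now or datetime.now(timezone.utc)
    return {ip: now + period for ip in ips_over_threshold(lines, threshold)}


if __name__ == "__main__":
    for ip, expiry in block_entries(SAMPLE_ALB_LOGS).items():
        print(f"block {ip} until {expiry:%Y-%m-%d %H:%M %Z}")
```

Two things to carry over when tuning the real parameters: the count is per client IP, so a shared NAT address full of users who mistype passwords can trip the threshold as easily as one attacker, and the block is time-boxed, so an attacker who waits out the block period gets a fresh budget; the rate-based rule and CAPTCHA cover the gaps.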