- Newest
- Most votes
- Most comments
Hello.
I think the threshold of 100 times within 5 minutes is also quite low.
Even if it were possible to lower this even further, I think there is a possibility that normal requests would also be blocked.
For example, I think it would be possible to meet your requirements by creating a Lambda that automatically adds a specific IP address to the block list when it appears multiple times in the AWS WAF logs.
The answers below may be helpful.
https://repost.aws/questions/QU9CfoIJjeQka1XPeRCYeDbg/ban-a-user-after-being-blocked-by-waf-rule#AN9cWF9MQbSa6_FJizICGqRw
You may want to consider evaluating the Bot Control managed rule - there is a feature in Targeted Bot Control which seeks to identify anomalous behavior consistent with distributed, coordinated bot activity. See the launch announcement here. Beyond that, the various other features of Bot Control may help you to mitigate the attack activity through the use of Challenge and Captcha actions.
Alternatively, if you're able to identify characteristics of the attack traffic that distinguish it from good traffic, you could adjust your rate-based rule to use a custom key rather than the Source IP. See the launch announcement for this feature here
Relevant content
- Accepted Answerasked a year ago
- asked a year ago
AWS OFFICIALUpdated 3 years ago- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 9 months ago
- AWS OFFICIALUpdated 2 years ago
Sorry for the type AWS*