How to analyse rate limit on WAF Web ACL for ALB


My ALB has WAF integrated

On the WAF I made a rate limiting rule with "Source IP address", first question, does this make sense if it's tied to an ELB? Or should I pick "IP address in header"?

For knowing the rate limit value (testing), I set "count" action for now and saved the rule, but how can I analyse this now? E.g. where is it counted at, I don't see any new graph or new rule in the graphs?

asked a month ago
2 Answers
Accepted Answer

For rate-based rules in AWS WAF, both source IP address and IP address in header options are valid configurations that count incoming requests and restrict them when they arrive too quickly. The rate-based rule tracks requests separately for each instance, so if you use the same rule in multiple web ACLs, each represents a distinct instance.

To analyze the rule's effectiveness when set to "count" mode, you can:

  1. Check the Sampled requests section in the AWS WAF console to validate if specific IP addresses are being tracked
  2. If WAF full logging is enabled, you can review the logs to verify the counting behavior

The rule will count requests that arrive from specified IP addresses in five-minute intervals. When the number of requests exceeds your configured rate limit, the rule's action will trigger. For validation and analysis purposes, you can either review the sampled requests directly in the console or analyze the full logs if logging is enabled.

Note that AWS WAF will track and manage these requests independently for each instance of your rate-based rule. If the same rate-based rule is used in multiple WebACLs, the system will look at all requests coming to different resources from the same IP address.

AWS EXPERT, answered a month ago
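Added example (not part of the answer above, and not AWS code): an offline pass over WAF full-log lines that does what the answer describes, computing, per source IP, the peak number of requests in any trailing five-minute span and comparing that against the records in which WAF itself listed the rate-based rule under nonTerminatingMatchingRules with action COUNT. The log records are constructed to mimic the WAFv2 JSON log format; the rule name (RateLimitBySourceIP), the IP addresses, the placeholder web ACL and ALB identifiers and the toy limit of 5 are assumptions. Keying on the X-Forwarded-For header is included as well, so you can see what happens to requests that reach the ALB directly and carry no such header.

```python
"""Offline analysis of AWS WAF full logs for a rate-based rule left in COUNT mode.

The records below are constructed to mimic the WAFv2 JSON log format (one JSON
object per line); the rule name, IP addresses and the limit are assumptions.
"""
import json
from collections import defaultdict

RULE_NAME = "RateLimitBySourceIP"  # assumed name of the rate-based rule in the web ACL
WINDOW_SECONDS = 300               # rate-based rules count requests over a trailing 5-minute span
BASE_MS = 1_700_000_000_000        # WAF logs carry "timestamp" in epoch milliseconds


def _record(ts_ms, client_ip, counted, xff=None):
    """Build one constructed log line. `counted` mimics WAF listing the rate rule
    under nonTerminatingMatchingRules once the key has exceeded the limit."""
    headers = [{"name": "Host", "value": "app.example.com"}]
    if xff:
        headers.append({"name": "X-Forwarded-For", "value": xff})
    return json.dumps({
        "timestamp": ts_ms,
        "formatVersion": 1,
        "webaclId": "arn:aws:wafv2:eu-west-1:111122223333:regional/webacl/demo/0000",  # placeholder
        "terminatingRuleId": "Default_Action",
        "terminatingRuleType": "REGULAR",
        "action": "ALLOW",
        "httpSourceName": "ALB",
        "httpSourceId": "111122223333-app/demo-alb/0123456789abcdef",  # placeholder
        "nonTerminatingMatchingRules": [{"ruleId": RULE_NAME, "action": "COUNT"}] if counted else [],
        "httpRequest": {"clientIp": client_ip, "country": "IE", "uri": "/login",
                        "httpMethod": "POST", "headers": headers},
    })


# Constructed sample: one client bursting 8 requests in 70 s (WAF flags the rule from
# the 6th request on, i.e. once the toy limit of 5 is exceeded), one client sending
# 3 requests spread over 10 minutes, and one request arriving through a proxy so the
# real client is only visible in X-Forwarded-For.
SAMPLE_LOG = (
    [_record(BASE_MS + i * 10_000, "203.0.113.10", counted=i >= 5) for i in range(8)]
    + [_record(BASE_MS + i * 300_000, "198.51.100.7", counted=False) for i in range(3)]
    + [_record(BASE_MS + 80_000, "192.0.2.1", counted=False, xff="203.0.113.10, 10.0.0.5")]
)


def parse_logs(lines):
    return [json.loads(line) for line in lines if line.strip()]


def request_key(rec, key="IP", header="X-Forwarded-For"):
    """Aggregation key: the connection source IP ("IP") or the first address in a
    forwarded-IP header ("FORWARDED_IP"). Requests without a usable header value
    return None and are simply not counted under the header key (assumption)."""
    if key == "IP":
        return rec["httpRequest"]["clientIp"]
    for h in rec["httpRequest"].get("headers", []):
        if h["name"].lower() == header.lower():
            first = h["value"].split(",")[0].strip()
            return first or None
    return None


def peak_rate(records, key="IP", window=WINDOW_SECONDS):
    """Peak number of requests per key within any trailing `window` seconds."""
    times = defaultdict(list)
    for rec in records:
        k = request_key(rec, key)
        if k:
            times[k].append(rec["timestamp"] / 1000.0)
    peaks = {}
    for k, ts in times.items():
        ts.sort()
        start, best = 0, 0
        for i, t in enumerate(ts):
            while ts[start] < t - window:  # slide the window start forward
                start += 1
            best = max(best, i - start + 1)
        peaks[k] = best
    return peaks


def over_limit(records, limit, key="IP"):
    """Keys whose peak exceeds the rule's limit (WAF acts once the count exceeds it)."""
    return {k: n for k, n in peak_rate(records, key).items() if n > limit}


def counted_by_rule(records, rule_name=RULE_NAME):
    """Records in which WAF itself logged the rate rule with action COUNT."""
    return [rec for rec in records
            if any(m["ruleId"] == rule_name and m["action"] == "COUNT"
                   for m in rec.get("nonTerminatingMatchingRules", []))]


if __name__ == "__main__":
    recs = parse_logs(SAMPLE_LOG)
    limit = 5  # toy value; the console enforces a higher minimum for real rules
    print("peak per source IP      :", peak_rate(recs))
    print("peak per forwarded IP   :", peak_rate(recs, key="FORWARDED_IP"))
    print("would exceed limit", limit, ":", over_limit(recs, limit))
    print("records WAF marked COUNT:", len(counted_by_rule(recs)))
```

On the constructed data the source-IP view shows 203.0.113.10 peaking at 8 requests, and only the last three of its records carry the rule under nonTerminatingMatchingRules, which is the pattern to expect in full logs while the rule is in count mode. The forwarded-IP view counts only the single proxied request: the eight direct requests have no X-Forwarded-For header and disappear from the tally, which is the trade-off to weigh when choosing between "Source IP address" and "IP address in header".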

Full logging is essential for identifying specific traffic patterns, such as SQLi and Cross-Site Scripting attempts.

With full logging enabled, one may access detailed request data, including:

  • Raw HTTP(S) headers
  • Information on which rules are triggered
  • Patterns which activated SQLi and XSS rules (available in the terminatingRuleMatchDetails field)

NOTE: Full logging is enabled for PROD workloads for better visibility and troubleshooting.

Benefits of full logging:

  • Verify full rule counting behavior: Check how many requests are being counted by rate-based rules.
  • Resolve false positives: Analyse detailed logs.
  • Deep dive analysis: Obtain detailed request information to understand specific threats or issues.

Tools to analyse WAF logs:

  • Amazon Athena: Query logs stored in Amazon S3.
  • Amazon CloudWatch Logs Insights: Query logs.
  • Splunk, Datadog and Sumo Logic: All offer log import for third-party monitoring.

Sources:

  • Using forwarded IP addresses in AWS WAF: https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-forwarded-ip-address.html
  • Logging Web ACL traffic information: https://docs.aws.amazon.com/waf/latest/developerguide/classic-logging.html
  • Monitoring and visibility: https://docs.aws.amazon.com/whitepapers/latest/guidelines-for-implementing-aws-waf/monitoring-and-visibility.html
  • Count referrers, IP addresses, or matched rules: https://docs.aws.amazon.com/athena/latest/ug/query-examples-waf-logs-count.html
  • How do I identify traffic patterns invoked by SQLi and XSS rules in AWS WAF?: https://repost.aws/knowledge-center/waf-traffic-pattern-rules

answered a month ago
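Added example (not part of the answer above, and not AWS code): pulling the matched SQLi/XSS patterns the answer refers to out of full-log records, for the false-positive triage it mentions. It reads terminatingRuleMatchDetails for a top-level SQLi/XSS statement and ruleGroupList[].terminatingRule.ruleMatchDetails when a managed rule group blocked the request, then counts which rule fired on which URI. The log lines are constructed to approximate the WAFv2 log schema; the rule group names, rule IDs (SQLi_QUERYARGUMENTS, CrossSiteScripting_BODY, CustomSQLiBody), URIs and IP addresses are illustrative assumptions.

```python
"""Pull matched SQLi/XSS patterns out of AWS WAF full logs for triage.

Records below are constructed to approximate the WAFv2 log schema. Match details
live in terminatingRuleMatchDetails for a top-level SQLi/XSS statement and in
ruleGroupList[].terminatingRule.ruleMatchDetails when a managed rule group blocks.
Rule and rule-group names are illustrative assumptions.
"""
import json
from collections import Counter


def _rec(ip, uri, top_rule=None, top_details=(), group=None):
    """Constructed log line; `group` is a pre-built ruleGroupList entry or None."""
    return json.dumps({
        "timestamp": 1_700_000_000_000,
        "action": "BLOCK",
        "terminatingRuleId": top_rule or group["ruleGroupId"].split("#")[-1],
        "terminatingRuleType": "REGULAR" if top_rule else "MANAGED_RULE_GROUP",
        "terminatingRuleMatchDetails": list(top_details),
        "ruleGroupList": [group] if group else [],
        "httpRequest": {"clientIp": ip, "uri": uri, "httpMethod": "GET", "headers": []},
    })


def _group(group_id, rule_id, details):
    """Constructed ruleGroupList entry for a managed rule group that blocked."""
    return {"ruleGroupId": "AWS#" + group_id,
            "terminatingRule": {"ruleId": rule_id, "action": "BLOCK", "ruleMatchDetails": details},
            "nonTerminatingMatchingRules": []}


SQLI_QS = [{"conditionType": "SQL_INJECTION", "sensitivityLevel": "LOW",
            "location": "QUERY_STRING", "matchedData": ["1", "OR", "1=1"]}]
XSS_BODY = [{"conditionType": "XSS", "location": "BODY", "matchedData": ["<script>"]}]
SQLI_BODY = [{"conditionType": "SQL_INJECTION", "sensitivityLevel": "HIGH",
              "location": "BODY", "matchedData": ["ORDER", "BY"]}]

SAMPLE_LOG = [  # constructed sample
    _rec("203.0.113.10", "/search", group=_group("AWSManagedRulesSQLiRuleSet", "SQLi_QUERYARGUMENTS", SQLI_QS)),
    _rec("198.51.100.7", "/search", group=_group("AWSManagedRulesSQLiRuleSet", "SQLi_QUERYARGUMENTS", SQLI_QS)),
    _rec("198.51.100.7", "/comment", group=_group("AWSManagedRulesCommonRuleSet", "CrossSiteScripting_BODY", XSS_BODY)),
    _rec("192.0.2.44", "/report", top_rule="CustomSQLiBody", top_details=SQLI_BODY),
]


def match_details(rec):
    """Yield (rule_id, condition, location, matched_text) for every match detail."""
    for d in rec.get("terminatingRuleMatchDetails") or []:
        yield rec["terminatingRuleId"], d["conditionType"], d["location"], " ".join(d.get("matchedData", []))
    for g in rec.get("ruleGroupList") or []:
        tr = g.get("terminatingRule") or {}
        for d in tr.get("ruleMatchDetails") or []:
            yield tr["ruleId"], d["conditionType"], d["location"], " ".join(d.get("matchedData", []))


def extract(lines):
    """Flat list of hits: (clientIp, uri, rule_id, condition, location, matched_text)."""
    out = []
    for line in lines:
        rec = json.loads(line)
        req = rec["httpRequest"]
        for rule_id, cond, loc, matched in match_details(rec):
            out.append((req["clientIp"], req["uri"], rule_id, cond, loc, matched))
    return out


def hotspots(lines, min_hits=2):
    """Rules that fire repeatedly on the same URI: the first place to look for false positives."""
    counts = Counter((rule_id, cond, loc, uri) for _, uri, rule_id, cond, loc, _ in extract(lines))
    return {k: n for k, n in counts.items() if n >= min_hits}


if __name__ == "__main__":
    for hit in extract(SAMPLE_LOG):
        print(hit)
    print("hotspots:", hotspots(SAMPLE_LOG))
```

The same grouping is what the Athena and CloudWatch Logs Insights queries linked in the sources do server-side; running it locally over a downloaded sample is a quick way to confirm that a suspected false positive (here the "ORDER BY" match on /report) really is what the matchedData field says it is before adding an exclusion.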
