For rate-based rules in AWS WAF, both source IP address and IP address in header options are valid configurations that count incoming requests and restrict them when they arrive too quickly. The rate-based rule tracks requests separately for each instance, so if you use the same rule in multiple web ACLs, each represents a distinct instance.
To analyze the rule's effectiveness when set to "count" mode, you can:
- Check the Sampled requests section in the AWS WAF console to validate if specific IP addresses are being tracked
- If WAF full logging is enabled, you can review the logs to verify the counting behavior
The rule will count requests that arrive from specified IP addresses in five-minute intervals. When the number of requests exceeds your configured rate limit, the rule's action will trigger. For validation and analysis purposes, you can either review the sampled requests directly in the console or analyze the full logs if logging is enabled.
Note that AWS WAF will track and manage these requests independently for each instance of your rate-based rule. If the same rate-based rule is used in multiple WebACLs, the system will look at all requests coming to different resources from the same IP address.
Full logging is essential for identifying specific traffic patterns, such as SQLi and Cross-Site Scripting attempts.
With full logging enabled, one may access detailed request data, including:
- Raw HTTP(S) headers
- Information on which rules are triggered
- Patterns which activated SQLi and XSS rules (available in the terminatingRuleMatchDetails field)
NOTE: Full logging is enabled for PROD workloads for better visibility and troubleshooting.
Benefits of full logging:
- Verify full rule counting behavior: Check how many requests are being counted by rate-based rules.
- Resolve false positives: Analyse detailed logs.
- Deep dive analysis: Obtain detailed request information to understand specific threats or issues.
Tools to analyse WAF logs:
- Amazon Athena: Query logs stored in Amazon S3.
- Amazon CloudWatch Logs Insights: Query logs.
- Splunk, Datadog, Sumo Logic all offer log importation for third party monitoring.
Sources
Using forwarded IP addresses in AWS WAF https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-forwarded-ip-address.html
Logging Web ACL traffic information https://docs.aws.amazon.com/waf/latest/developerguide/classic-logging.html
Monitoring and visibility https://docs.aws.amazon.com/whitepapers/latest/guidelines-for-implementing-aws-waf/monitoring-and-visibility.html
Count referrers, IP addresses, or matched rules https://docs.aws.amazon.com/athena/latest/ug/query-examples-waf-logs-count.html
How do I identify traffic patterns invoked by SQLi and XSS rules in AWS WAF? https://repost.aws/knowledge-center/waf-traffic-pattern-rules
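As an added example (not part of either answer above and not AWS code), here is a small offline script that does the checks both answers describe against WAF full logs: it counts requests per address in five-minute windows under both aggregation options (source IP versus the first address in a forwarded-IP header), lists addresses that exceeded a limit, tallies requests a rule matched in COUNT mode via nonTerminatingMatchingRules, and pulls the SQLi/XSS match details out of terminatingRuleMatchDetails. The log lines are constructed to follow the documented WAF JSON log layout; the rule name RateLimitByXFF, the proxy and client IPs, and the limit of 5 (far below what a real rule allows) are assumptions for the demo.

```python
"""Offline checks over AWS WAF full logs: requests a rate-based rule would
count per source (source IP vs. forwarded-IP header) per five-minute window,
COUNT-mode matches, and SQLi/XSS match details. Added example; the records
below are constructed, not real traffic."""
import json
from collections import Counter

WINDOW_SECONDS = 300            # rate-based rules evaluate five-minute windows
BASE_MS = 1_700_000_000_000     # constructed epoch-millisecond base for the sample
PROXY_IP = "192.0.2.1"          # constructed: the CDN/proxy hop seen as clientIp


def _record(offset_s, forwarded_for, action="ALLOW", rule_id="Default_Action",
            match=None, counted_rules=()):
    """Build one constructed line shaped like a WAF full-log JSON record."""
    return json.dumps({
        "timestamp": BASE_MS + offset_s * 1000,
        "formatVersion": 1,
        "webaclId": "PLACEHOLDER-WEBACL-ARN",
        "terminatingRuleId": rule_id,
        "terminatingRuleType": "MANAGED_RULE_GROUP" if match else "REGULAR",
        "action": action,
        "terminatingRuleMatchDetails": match or [],
        "nonTerminatingMatchingRules": [
            {"ruleId": r, "action": "COUNT"} for r in counted_rules],
        "httpRequest": {
            "clientIp": PROXY_IP, "country": "US", "uri": "/login",
            "httpMethod": "GET", "httpVersion": "HTTP/1.1",
            "headers": [{"name": "Host", "value": "app.example.com"},
                        {"name": "X-Forwarded-For", "value": forwarded_for}],
        },
    })


# Constructed sample: six requests from one client and two from another, all
# arriving through the same proxy. The sixth request carries a COUNT match from
# a hypothetical rate-based rule "RateLimitByXFF"; one request was blocked by
# the managed SQLi rule set.
SAMPLE_LOG_LINES = [
    _record(5 * i, "203.0.113.10",
            counted_rules=("RateLimitByXFF",) if i == 5 else ())
    for i in range(6)
] + [
    _record(30, "198.51.100.7"),
    _record(35, "198.51.100.7", action="BLOCK",
            rule_id="AWS-AWSManagedRulesSQLiRuleSet",
            match=[{"conditionType": "SQL_INJECTION", "location": "QUERY_STRING",
                    "matchedData": ["1", "or", "1=1"]}]),
]


def parse_waf_logs(lines):
    """One JSON object per line, as WAF delivers them to S3 or CloudWatch Logs."""
    return [json.loads(line) for line in lines if line.strip()]


def request_ip(record, header=None):
    """Mirror the rule's two aggregation options: the source IP, or the first
    address in a forwarded-IP header such as X-Forwarded-For."""
    req = record["httpRequest"]
    if header is None:
        return req["clientIp"]
    for h in req.get("headers", []):
        if h["name"].lower() == header.lower():
            return h["value"].split(",")[0].strip()
    return None  # no such header: the request is not attributed to any address


def count_per_window(records, header=None, window=WINDOW_SECONDS):
    """Count requests per (address, window start) bucket."""
    counts = Counter()
    for rec in records:
        ip = request_ip(rec, header)
        if ip is None:
            continue
        bucket = (rec["timestamp"] // 1000) // window * window
        counts[(ip, bucket)] += 1
    return counts


def peak_count(counts, ip):
    """Highest count this address reached in any single window."""
    return max((n for (addr, _b), n in counts.items() if addr == ip), default=0)


def over_limit(counts, limit):
    """Addresses whose count exceeded the limit in at least one window."""
    return sorted({addr for (addr, _b), n in counts.items() if n > limit})


def counted_by_rule(records, rule_id):
    """Number of requests on which the named rule matched in COUNT mode."""
    return sum(1 for rec in records
               if any(r["ruleId"] == rule_id and r["action"] == "COUNT"
                      for r in rec.get("nonTerminatingMatchingRules", [])))


def match_details(records):
    """(client IP, rule, condition, location, matched data) per terminating match."""
    return [(rec["httpRequest"]["clientIp"], rec["terminatingRuleId"],
             d["conditionType"], d["location"], d.get("matchedData", []))
            for rec in records for d in rec.get("terminatingRuleMatchDetails", [])]


if __name__ == "__main__":
    recs = parse_waf_logs(SAMPLE_LOG_LINES)
    by_src = count_per_window(recs)
    by_xff = count_per_window(recs, header="X-Forwarded-For")
    print("over limit by source IP:", over_limit(by_src, 5))   # the proxy itself
    print("over limit by X-Forwarded-For:", over_limit(by_xff, 5))
    print("counted by RateLimitByXFF:", counted_by_rule(recs, "RateLimitByXFF"))
    for row in match_details(recs):
        print("terminating match:", row)
```

Run it with `python3 waf_log_check.py` (any file name). The contrast between the two aggregations is the point: counting by source IP blames the proxy for all eight requests, while counting by the forwarded-IP header attributes six to one client and two to the other, which is the behaviour you would want to confirm in the logs before moving a rule from COUNT to BLOCK.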