
Automatically block IP range in AWS WAF

0

Good day

I have an application being served on EC2 as origin and fronted with CloudFront + WAF, which works well. Currently, however, there is an abnormal volume of traffic accessing the app, causing the origin to overload. Upon inspection using CloudWatch Logs Insights, here's the list of IPs that keep making requests to the server. [Image: Multiple IP Addresses Making Requests to The Application]

700 requests from one IP is not detrimental to the server. The problem is that there are many IPs making this amount of requests, which causes the server to be under high load. Each of these IPs is making one request per URI, as shown in the image below. [Image: URI Covered]

I have made a blanket rate-based rule to block IPs which exceed the rate threshold, but this seems to only work if there is one IP that is making a large amount of requests, and a URI-based rule seems to be ineffective in this situation as only one request is made at a time on each URI. Currently, I've temporarily blocked the IP range 47.82.. and the server stops throttling, but this is not sustainable in the long run as a possible attack can come from different IP addresses. How can I mitigate this issue with little manual intervention and perhaps automate this? Note: The logs were taken within a 1 hour time range. P.S.: The site needs to be globally accessible and can be accessed by anyone.
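The gap the question describes is that a per-IP rate-based rule never fires when the load is spread thinly across many addresses in one block. The script below is an added example (not from the question author or AWS): it aggregates WAF log entries by /16 prefix, flags prefixes whose request volume is high *and* spread across many distinct IPs, and produces CIDR strings in the form a WAF IP set accepts. The sample log lines are constructed to mirror the 47.82.x.x pattern in the question; the IP set name and id in `push_to_waf_ip_set` are placeholders, and that function needs AWS credentials so it is not exercised offline.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed sample lines in the shape of AWS WAF JSON logs (only the fields used here).
# Not real data: 60 requests from 60 distinct 47.82.x.x hosts, plus a little normal traffic.
SAMPLE_LOG_LINES = [
    json.dumps({"httpRequest": {"clientIp": f"47.82.{i % 7}.{10 + i}",
                                "uri": f"/page/{i}", "country": "SG"}})
    for i in range(60)
] + [
    json.dumps({"httpRequest": {"clientIp": "203.0.113.5", "uri": "/", "country": "US"}})
    for _ in range(5)
]


def aggregate_by_prefix(lines, prefix_len=16):
    """Return {"a.b.0.0/16": (request_count, distinct_ip_count)} per IPv4 block."""
    requests = defaultdict(int)
    ips = defaultdict(set)
    for line in lines:
        try:
            rec = json.loads(line)
            ip = ipaddress.ip_address(rec["httpRequest"]["clientIp"])
        except (ValueError, KeyError, TypeError):
            continue  # skip malformed entries instead of aborting the whole batch
        if ip.version != 4:
            continue  # IPv6 would need its own prefix length; out of scope here
        net = str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))
        requests[net] += 1
        ips[net].add(ip)
    return {net: (requests[net], len(ips[net])) for net in requests}


def select_ranges_to_block(stats, min_requests, min_distinct_ips):
    """Pick prefixes where load is both high and spread over many IPs.

    Requiring many distinct IPs avoids blocking a whole /16 because of one
    noisy host, which the existing per-IP rate rule already handles."""
    return sorted(
        net for net, (reqs, uniq) in stats.items()
        if reqs >= min_requests and uniq >= min_distinct_ips
    )


def push_to_waf_ip_set(cidrs, name, ip_set_id, scope="CLOUDFRONT"):
    """Merge cidrs into an existing WAF IP set (requires AWS credentials).

    update_ip_set replaces the whole address list, so the current entries are
    read first and the LockToken from that read is passed back. Placeholder
    name/id values are assumptions; CLOUDFRONT-scoped resources live in us-east-1."""
    import boto3  # imported here so the offline analysis above needs no AWS SDK
    client = boto3.client("wafv2", region_name="us-east-1")
    current = client.get_ip_set(Name=name, Scope=scope, Id=ip_set_id)
    merged = sorted(set(current["IPSet"]["Addresses"]) | set(cidrs))
    client.update_ip_set(Name=name, Scope=scope, Id=ip_set_id,
                         Addresses=merged, LockToken=current["LockToken"])
    return merged


if __name__ == "__main__":
    stats = aggregate_by_prefix(SAMPLE_LOG_LINES)
    for net, (reqs, uniq) in sorted(stats.items()):
        print(f"{net:20} requests={reqs:4} distinct_ips={uniq:4}")
    print("candidate blocks:", select_ranges_to_block(stats, min_requests=50, min_distinct_ips=20))
    # push_to_waf_ip_set(candidates, "PLACEHOLDER-ipset-name", "PLACEHOLDER-ipset-id")
```

Run on a real export, the thresholds should be set from the traffic the site normally sees over the same window (the question's hour of logs is a reasonable unit), and the chosen prefix length is a trade-off: /16 matches the range that was blocked manually, but a narrower prefix limits collateral blocking of legitimate users sharing the block. Scheduling the script (for example as a Lambda over the WAF log bucket) and adding a time-boxed removal of entries turns the one-off manual block into the automation the question asks for.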

2 Answers
0

I noticed the country code of "SG," or Singapore (from what I looked up).

Have you considered using Geo-IP block on either CloudFront or WAF? https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-geo-match.html (WAF) https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/georestrictions.html (CF)

This may be a better way to limit | block an IP by zooming out to the country code? I didn't read in your post that any customers are needed from "SG."

You can also block an IP using an NACL, on the subnet which the EC2 lives in.

Let me know if this helps or not, thanks!

AWS
answered a year ago
  • The site needs to be globally accessible, including SG; I updated the question to include this detail. From the picture above, the requests are coming from 47.82.*.*. Can we automate the blocking if such an IP pattern is making excessive requests? Because it is coming from multiple IP addresses but has a similar pattern.

0

Hi,

You may be interested in this article on how to use WAF to mitigate DDoS attacks: https://repost.aws/knowledge-center/waf-mitigate-ddos-attacks.

You may also want to read this detailed article: https://aws.amazon.com/developer/application-security-performance/articles/ddos-protection/

Best

Didier

EXPERT
answered a year ago
AWS
EXPERT
reviewed a year ago
