Usually fake requests are from bots performing reconnaissance on your website. Examples of such requests are /.git/config, /.env or /wp-login.php.
You may want to deploy the IP reputation rule group from Managed Rules, and BLOCK if they match the AWSManagedIPReputationList, AWSManagedReconnaissanceList or AWSManagedIPDDoSList rule group.
Sometimes the requests are quite numerous and originate from a single source IP. You can create a rate-based rule to block them. If you are concerned about false positives, change the BLOCK action to CAPTCHA or Challenge.
Hi,
Create a rate-based rule in AWS WAF combined with a match condition that filters requests resulting in a 404 response. When a single IP exceeds the specified request limit (e.g., 100 requests), the rule will automatically block the IP.
- Open the AWS WAF Console.
- Navigate to your Web ACL and click Add Rule.
- Select Rule Builder and then choose Rate-Based Rule.
- Configure the rule:
  - Name: RateLimit404s
  - Rate Limit: Set to 100 requests per 5 minutes (you can adjust this as needed).
  - Scope: IP address.
Add a Match Condition for 404 Responses
- In the Rule Statement, add a condition to match responses with a status code of 404.
- Select Custom Request Handling in the rule.
- Add a Header Check or Response Code Check (e.g., using CloudFront’s logging to identify 404s).
- This ensures that the rule tracks only requests returning 404 responses.
Action
- Set the action to Block for the rate-based rule.
Associate the Rule with the Web ACL
- Attach the newly created RateLimit404s rule to your Web ACL.
- Ensure this rule has the appropriate priority so it is evaluated after any other relevant rules.
Verify and Monitor
- Use the WAF metrics in CloudWatch to monitor blocked IPs.
- Configure a CloudWatch Alarm to notify you of high numbers of blocked requests, if desired.
Hi,
I think that WAF Account Takeover Prevention is probably what you need to solve your issue with 404: see https://docs.aws.amazon.com/waf/latest/developerguide/waf-atp.html
Also, have a look at this managed rule group: https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-atp.html
You may also be interested in this very detailed re:Invent presentation: https://aws.amazon.com/awstv/watch/d90c64dc94c/
Best,
Didier
@Jahangeer Alam, in WAF there is no option to "Add a Match Condition for 404 Responses".
This method is only available if you are using AWS WAF with CloudFront.
@mofaized-AWS I am using WAF with CloudFront.
Apologies, I read that in a hurry and didn't fully digest the question/answer. What's detailed above is not possible currently. If you want to take specific actions based on responses, your best option is to utilise something like the Security Automation architecture for WAF. With that, you can build very specific rules based upon the events you are seeing in your WAF logs: https://aws.amazon.com/solutions/implementations/security-automations-for-aws-waf/
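The two workable parts of this thread, put together as one added Python example that is not from the thread and is not AWS's own code: the first answer's IP reputation managed rule group and rate-based rule (with the action switchable between Block, CAPTCHA and Challenge), and the point made in the last comment that WAF cannot match on a 404 response, so counting 404s per client IP has to be done on the CloudFront logs, the way the Security Automations for AWS WAF solution does, and the result pushed into a WAF IP set. It assumes the CloudFront standard-log layout with a `#Fields:` header (the embedded sample log is constructed and truncated to its first nine fields, with IPs from the documentation ranges), that AWSManagedIPDDoSList defaults to Count inside the managed group, and placeholder rule names, thresholds and windows.

```python
"""Added example (not from the re:Post thread, nor AWS's own code).

  * rate_based_rule() / ip_reputation_rule_group() emit wafv2 rule JSON for
    the two rules the first answer recommends, action switchable between
    Block, CAPTCHA and Challenge.
  * scanner_ips_from_logs() does what the last comment points to: WAF rules
    cannot match on a 404 *response*, so 404s are counted from CloudFront
    standard logs per client IP inside a sliding window, and the offenders
    are returned as CIDRs ready for a WAF IP set.
Names, thresholds, window and the sample log are constructed for the example.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# wafv2 rule actions; CAPTCHA / Challenge are the lower-false-positive choices.
ACTIONS = {"block": {"Block": {}}, "captcha": {"Captcha": {}}, "challenge": {"Challenge": {}}}


def _visibility(name):
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": name}


def rate_based_rule(name, limit, action="block", priority=10):
    """Rate-based rule keyed on source IP; `limit` is requests per 5-minute window."""
    if action not in ACTIONS:
        raise ValueError(f"action must be one of {sorted(ACTIONS)}, got {action!r}")
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"RateBasedStatement": {"Limit": limit, "EvaluationWindowSec": 300,
                                             "AggregateKeyType": "IP"}},
        "Action": ACTIONS[action],
        "VisibilityConfig": _visibility(name),
    }


def ip_reputation_rule_group(priority=1):
    """AWSManagedRulesAmazonIpReputationList contains AWSManagedIPReputationList,
    AWSManagedReconnaissanceList and AWSManagedIPDDoSList. The override forces Block
    for the DDoS list (assumption: its default action in the group is Count)."""
    return {
        "Name": "AWS-AWSManagedRulesAmazonIpReputationList",
        "Priority": priority,
        "Statement": {"ManagedRuleGroupStatement": {
            "VendorName": "AWS",
            "Name": "AWSManagedRulesAmazonIpReputationList",
            "RuleActionOverrides": [{"Name": "AWSManagedIPDDoSList", "ActionToUse": {"Block": {}}}],
        }},
        "OverrideAction": {"None": {}},
        "VisibilityConfig": _visibility("AWSManagedRulesAmazonIpReputationList"),
    }


def parse_cloudfront_log(lines):
    """Yield one dict per record, keyed by the column names in the '#Fields:' header."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if not line.strip() or line.startswith("#") or fields is None:
            continue
        parts = line.rstrip("\n").split("\t")
        if len(parts) >= len(fields):
            yield dict(zip(fields, parts))


def scanner_ips_from_logs(lines, threshold=20, window_seconds=300):
    """CIDRs (/32 or /128) of client IPs with >= threshold 404s inside any window."""
    window = timedelta(seconds=window_seconds)
    hits = defaultdict(list)
    for rec in parse_cloudfront_log(lines):
        if rec["sc-status"] == "404":
            hits[rec["c-ip"]].append(datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S"))
    flagged = []
    for ip, times in hits.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over the sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(f"{ip}/128" if ":" in ip else f"{ip}/32")
                break
    return sorted(flagged)


# ---- constructed sample log: CloudFront standard-log records, truncated to 9 fields ----
def _record(ts, ip, path, status):
    return "\t".join([ts.strftime("%Y-%m-%d"), ts.strftime("%H:%M:%S"), "IAD89-C1", "512",
                      ip, "GET", "d111111abcdef8.cloudfront.net", path, str(status)])

_T0 = datetime(2024, 1, 1, 12, 0, 0)
_RECON_PATHS = ["/.git/config", "/.env", "/wp-login.php"]  # the probes named in the first answer
SAMPLE_LOG = ["#Version: 1.0",
              "#Fields: date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem sc-status"]
SAMPLE_LOG += [_record(_T0 + timedelta(seconds=10 * i), "203.0.113.7", _RECON_PATHS[i % 3], 404) for i in range(12)]  # burst
SAMPLE_LOG += [_record(_T0 + timedelta(minutes=6 * i), "198.51.100.4", "/missing-page", 404) for i in range(10)]  # slow
SAMPLE_LOG += [_record(_T0 + timedelta(seconds=30 * i), "192.0.2.10", "/index.html", 200) for i in range(3)]  # benign

if __name__ == "__main__":
    print(json.dumps([ip_reputation_rule_group(), rate_based_rule("RateLimitPerIP", 100, "captcha")], indent=2))
    # These CIDRs go to `aws wafv2 update-ip-set --addresses ...` (needs the lock token from get-ip-set).
    print(scanner_ips_from_logs(SAMPLE_LOG, threshold=10))
```

Run as a script it prints the two rule definitions (usable as the `Rules` entries of `aws wafv2 update-web-acl`) and, from the constructed log, only the bursting IP: the slow scanner that spreads its 404s six minutes apart never reaches ten inside one five-minute window, which is the point of the sliding window. For real logs, pass the decompressed log lines (any iterable of strings) instead of `SAMPLE_LOG`, and attach the resulting IP set to the Web ACL through an IPSetReferenceStatement rule.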