
My service is being hit by hundreds of requests to an invalid endpoint


For the past few hours, my service has been hit by hundreds of requests to an endpoint that doesn't exist on my API. I'm already using WAF, but it looks like it is not picking up this situation.

Here is one of my logs:

{
    "path": "HEAD /services/payway/planselector",
    "ip": "18.222.64.41",
    "headers": {
        "x-forwarded-for": "18.222.64.41",
        "x-forwarded-proto": "http",
        "x-forwarded-port": "80",
        "host": "aws-us-east-2-mexico-cvideo-mfw-ott-berc.kb-mexico-aws-us-east-2.pool.clarovideo.net",
        "x-amzn-trace-id": "Root=1-6683fa73-17f0cf113e134a2260ef9327",
        "traceparent": "00-bb08e113c27918aef524b9e1cd194947-096bb97b2d1451e9-01",
        "tracestate": "675452@nr=0-0-2283511....",
        "newrelic": "eyJ2IjpbM...",
        "user-agent": "Tornado/6.3.3",
        "accept-encoding": "gzip"
    },
    "body": {}
}

Also, it looks like it is targeting a host that I'm not hosting.

I have seen a 94% increase in requests over the past 3 hours.

How can I mitigate this?

Thank you.

2 Answers
Accepted Answer

Hello.

How about blocking access to "/services/payway/planselector" using AWS WAF rules?
It is possible to create a custom rule that inspects the URI path and blocks all requests that do not match.
https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-fields-list.html#waf-rule-statement-request-component-uri-path

Also, although it costs a fee, AWS Shield Advanced can be used as a countermeasure against DDoS attacks.
https://docs.aws.amazon.com/waf/latest/developerguide/shield-chapter.html

answered 5 months ago
  • Using the WAF rule did the job. Thank you. It looks like the requests are coming from the AWS network and targeting this host: aws-us-east-2-mexico-cvideo-mfw-ott-berc.kb-mexico-aws-us-east-2.pool.clarovideo.net. Should I report this incident to the AWS support team? What do you think?

  • I looked into the domain "clarovideo.net", but I think it's probably not the domain used by AWS. I thought it was another domain pretending to be from AWS. You may want to report this to AWS Support as it may be an attack. https://webwhois.verisign.com/webwhois-ui/index.jsp?language=#


You said you have enabled WAF on your API Gateway endpoint. Have you added any rules to it? Try adding some AWS Managed rules, which are free of cost (compared to vendor-managed ones). There are AWS Managed rules that cover the OWASP Top 10 risks. However, you still have to add your own custom rules, such as filtering on domain origins (regex), source IP addresses (using IP sets), etc., to harden your firewall further. Check this reference: https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html.

answered 5 months ago
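The accepted answer's URI-path block and the second answer's host-regex and IP-set rules, as an added example that is neither from this thread nor AWS's own code. It builds the three rules in the dict shape that boto3's `wafv2` `update_web_acl(Rules=[...])` accepts, then dry-runs them locally against log entries shaped like the one in the question. The hostnames `api.example.com` / `www.example.com`, the IP set ARN, the IP set contents and all log entries other than the probe are constructed for the example; the local evaluator is a simplified stand-in for WAF's own matching (only the statement types used here), not the AWS engine.

```python
import ipaddress
import re

# Assumed for the example: hostnames this service legitimately answers for.
ALLOWED_HOSTS = ["api.example.com", "www.example.com"]
# Assumed placeholder; the real ARN is returned by wafv2 CreateIPSet.
BLOCK_IPSET_ARN = ("arn:aws:wafv2:us-east-2:123456789012:regional/ipset/"
                   "probe-sources/11111111-2222-3333-4444-555555555555")

def _vis(name):
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
            "MetricName": name}

def block_path_rule(prefix, priority):
    """Accepted answer: block requests whose URI path starts with the probed endpoint."""
    return {"Name": "BlockProbedPath", "Priority": priority, "Action": {"Block": {}},
            "Statement": {"ByteMatchStatement": {
                "FieldToMatch": {"UriPath": {}},
                "PositionalConstraint": "STARTS_WITH",
                "SearchString": prefix.encode(),  # boto3 takes bytes for this blob field
                "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}]}},
            "VisibilityConfig": _vis("BlockProbedPath")}

def require_known_host_rule(hosts, priority):
    """Second answer: block requests whose Host header is not one of ours (the logged
    request carried a clarovideo.net host that the asker does not serve)."""
    pattern = "^(" + "|".join(re.escape(h) for h in hosts) + ")$"
    return {"Name": "RequireKnownHost", "Priority": priority, "Action": {"Block": {}},
            "Statement": {"NotStatement": {"Statement": {"RegexMatchStatement": {
                "RegexString": pattern,
                "FieldToMatch": {"SingleHeader": {"Name": "host"}},
                "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}]}}}},
            "VisibilityConfig": _vis("RequireKnownHost")}

def block_ipset_rule(arn, priority):
    """Second answer: block sources listed in an IP set (the rule holds only the ARN)."""
    return {"Name": "BlockProbeSources", "Priority": priority, "Action": {"Block": {}},
            "Statement": {"IPSetReferenceStatement": {"ARN": arn}},
            "VisibilityConfig": _vis("BlockProbeSources")}

def _field(entry, fld, transforms):
    """Extract the inspected component from a log entry and apply LOWERCASE if requested."""
    if "UriPath" in fld:
        # The log stores "METHOD /path"; WAF's UriPath is the path without the query string.
        value = entry["path"].split(" ", 1)[-1].split("?", 1)[0]
    elif "SingleHeader" in fld:
        want = fld["SingleHeader"]["Name"].lower()
        value = next((v for k, v in entry["headers"].items() if k.lower() == want), "")
    else:
        raise ValueError("unsupported FieldToMatch: %r" % fld)
    if any(t["Type"] == "LOWERCASE" for t in transforms):
        value = value.lower()
    return value

def _matches(stmt, entry, ip_sets):
    """Local stand-in for WAF matching, covering only the statement types used above."""
    if "ByteMatchStatement" in stmt:
        s = stmt["ByteMatchStatement"]
        value = _field(entry, s["FieldToMatch"], s["TextTransformations"])
        assert s["PositionalConstraint"] == "STARTS_WITH"
        return value.startswith(s["SearchString"].decode())
    if "RegexMatchStatement" in stmt:
        s = stmt["RegexMatchStatement"]
        value = _field(entry, s["FieldToMatch"], s["TextTransformations"])
        return re.search(s["RegexString"], value) is not None
    if "NotStatement" in stmt:
        return not _matches(stmt["NotStatement"]["Statement"], entry, ip_sets)
    if "IPSetReferenceStatement" in stmt:
        ip = ipaddress.ip_address(entry["ip"])
        cidrs = ip_sets[stmt["IPSetReferenceStatement"]["ARN"]]
        return any(ip in ipaddress.ip_network(c) for c in cidrs)
    raise ValueError("unsupported statement: %r" % list(stmt))

def first_blocking_rule(entry, rules, ip_sets):
    """Name of the first Block rule (lowest Priority number) that matches, or None."""
    for rule in sorted(rules, key=lambda r: r["Priority"]):
        if "Block" in rule["Action"] and _matches(rule["Statement"], entry, ip_sets):
            return rule["Name"]
    return None

RULES = [block_path_rule("/services/payway/planselector", 0),
         require_known_host_rule(ALLOWED_HOSTS, 1),
         block_ipset_rule(BLOCK_IPSET_ARN, 2)]
IP_SETS = {BLOCK_IPSET_ARN: ["18.222.64.0/24"]}  # constructed IP set contents

# Constructed log entries modelled on the one in the question.
PROBE = {"path": "HEAD /services/payway/planselector", "ip": "18.222.64.41",
         "headers": {"host": "aws-us-east-2-mexico-cvideo-mfw-ott-berc.kb-mexico-aws-us-east-2.pool.clarovideo.net"}}
LEGIT = {"path": "GET /services/plans?tier=basic", "ip": "203.0.113.7",
         "headers": {"host": "api.example.com"}}
SAME_SOURCE = {"path": "GET /services/plans", "ip": "18.222.64.41",
               "headers": {"host": "API.example.com"}}
FOREIGN_HOST = {"path": "GET /", "ip": "203.0.113.7",
                "headers": {"host": "evil.example.net"}}

if __name__ == "__main__":
    for label, entry in [("probe", PROBE), ("legit", LEGIT),
                         ("same source", SAME_SOURCE), ("foreign host", FOREIGN_HOST)]:
        print("%-12s -> %s" % (label, first_blocking_rule(entry, RULES, IP_SETS)))
```

Two practical points. First, WAF bills per request it inspects whether or not it blocks, so these rules cut the load (and API Gateway or Lambda invocations) on the origin rather than the WAF bill; volumetric noise is what the accepted answer's Shield Advanced pointer is for. Second, the `RequireKnownHost` rule is the broadest of the three: it stops probes arriving under any hostname you do not serve, not just this one path, but it will also block your own traffic if the allowlist misses a name you actually use, so deploy it with a `Count` action first and review the sampled requests before switching to `Block`.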
