How to create customize AWS WAF Rate-based rule for 1min time window?

I am new to AWS WAF, we have use case where we need to block certain amount of IPs within a 1min time window ?

in breif : IP address/addresses block for 10 minutes if we are getting more than 20 Requests per minute. As per the current architecture , none of API GATEWAY/LAMBDA are used. It just a simple system and ALB being attached to the WEB Acl.so is there a way to implement required solution , can someone assist me?

Topics

Security, Identity, & Compliance Networking & Content Delivery AWS Well-Architected Framework

Tags

AWS WAF Elastic Load Balancing Security

Language

English

Mihiruk Rajaguru

asked a year ago831 views

1 Answer

Newest
Most votes
Most comments

Accepted Answer

AWS WAF rate-based rules can only determine access in 5 minutes.
So please consider installing a third party WAF.
https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-rate-based.html

The minimum rate that you can set is 100. AWS WAF checks the rate of requests every 30 seconds, and counts requests for the prior 5 minutes each time. Because of this, it's possible for an IP address to send requests at too high a rate for 30 seconds before AWS WAF detects and blocks it.

EXPERT

Riku_Kobayashi

answered a year ago

Mihiruk Rajaguru
a year ago
Cant we implement a alternative solution , because client strictly asking us to do this (they need this to check every 1min), can you kindly assist please?
Mihiruk Rajaguru
a year ago
Cant we create custom Jason rule for this? any possible solution rather accepting 5min time window solution?
Riku_Kobayashi EXPERT
a year ago
I can't set a one-minute threshold, but what about lowering the threshold with a rate-based rule? For example, if the threshold is set to the lowest value of 100 accesses, the one-minute interval will allow only 20 accesses.
Mihiruk Rajaguru
a year ago
yes that's what we recommended, according to the by default set up, waf checks and calculate the requests for last 5min noh. client wants to calculate last one minute. that's the requirement
Riku_Kobayashi EXPERT
a year ago
It is rare to have a use case where you want to block a certain amount of IP addresses at one-minute intervals...

Relevant content

The proxy IP we operate is registered in AWS WAF's ip reputataion.
AWS-User-6332675
asked 2 years ago
WAF "AWS Managed Rules" for "Windows Operating System" block SNS requests sent by AWS Textract
AWS-User-4293774
asked 2 years ago
How can we block IP in Security Group where we allowed icmp,http,https to all, should not block in vpc also implement role to instance any other solution
Accepted Answer
Arundathi
asked 2 months ago
Block IP addresses in WAF if the client caused an excessive amount of 404 errors
Yarpen
asked 10 months ago
How do I create complex custom AWS WAF JSON rules?
AWS OFFICIALUpdated 2 years ago
How do I allow a legitimate IP address when using the IP reputation list or anonymous IP list in AWS WAF?
AWS OFFICIALUpdated 2 years ago
How do I allow my IP address while blocking other IP addresses using AWS WAF?
AWS OFFICIALUpdated 2 years ago
How can I configure a custom response for AWS WAF managed rules?
AWS OFFICIALUpdated 9 months ago
Migrating Windows workloads to AWS
EXPERT
Gayathri Krishnamoorthy
published a year ago
How can we map entire AWS VPC CIDR to a single IP address using Private NAT Gateway via AWS Site to Site VPN connection.
EXPERT
Narinder Singh Kharbanda
published 9 months ago