AWS WAF rate-based rules can only determine access in 5 minutes.
So please consider installing a third-party WAF.
https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-rate-based.html
The minimum rate that you can set is 100. AWS WAF checks the rate of requests every 30 seconds, and counts requests for the prior 5 minutes each time. Because of this, it's possible for an IP address to send requests at too high a rate for 30 seconds before AWS WAF detects and blocks it.
This accepted answer is no longer correct - both 'evaluation window' and 'limits' are now able to be more granular as per documentation:
Evaluation window – The amount of time, in seconds, that AWS WAF should include in its request counts, looking back from the current time. For example, for a setting of 120, when AWS WAF checks the rate, it counts the requests for the 2 minutes immediately preceding the current time. Valid settings are 60 (1 minute), 120 (2 minutes), 300 (5 minutes), and 600 (10 minutes), and 300 (5 minutes) is the default.
This setting doesn't determine how often AWS WAF checks the rate, but how far back it looks each time it checks. AWS WAF checks the rate frequently, with timing that's independent of the evaluation window setting.
Rate limit – The maximum number of requests matching your criteria that AWS WAF should just track for the specified evaluation window. The lowest limit setting allowed is 10. When this limit is breached, AWS WAF applies the rule action setting to additional requests matching your criteria.
This means that the lowest limit you can now set is 10 requests within a 600s evaluation window.
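
As an added example (not part of the answer above or of the AWS documentation): a WAFv2 rate-based rule, in the JSON rule editor format, that uses the 60-second evaluation window listed among the valid settings in the documentation quoted above. The rule name, metric name, priority and the limit of 100 are placeholder values chosen for illustration.

```json
{
  "Name": "rate-limit-per-ip-1min",
  "Priority": 0,
  "Statement": {
    "RateBasedStatement": {
      "Limit": 100,
      "EvaluationWindowSec": 60,
      "AggregateKeyType": "IP"
    }
  },
  "Action": {
    "Block": {}
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "rate-limit-per-ip-1min"
  }
}
```

Replacing `"Block": {}` with `"Count": {}` lets you watch the CloudWatch metric and sampled requests to confirm the limit fits real traffic before the rule starts blocking.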

Can't we implement an alternative solution? The client is strictly asking us to do this (they need this to check every 1 min). Can you kindly assist, please?
Can't we create a custom JSON rule for this? Is there any possible solution rather than accepting the 5-minute time window?
I can't set a one-minute threshold, but what about lowering the threshold with a rate-based rule? For example, if the threshold is set to the lowest value of 100 accesses, the one-minute interval will allow only 20 accesses.
Yes, that's what we recommended. According to the default setup, WAF checks and calculates the requests for the last 5 minutes, no? The client wants to calculate the last one minute. That's the requirement.
It is rare to have a use case where you want to block a certain amount of IP addresses at one-minute intervals...