WAF IP Set Rule Issue


my rule is as below:

  "Name": "RateLimit",
  "Priority": 4,
  "Statement": {
    "RateBasedStatement": {
      "Limit": 200,
      "AggregateKeyType": "IP"
  "Action": {
    "Count": {}
  "RuleLabels": [
      "Name": "ratelimit:perip"
  "VisibilityConfig": {
    "SampledRequestsEnabled": false,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "RateLimit"

Normally, I can see the matched log in cloudwatch logs.

However, a DDoS attacked to my service from 23 IPs in 30 sec. I can't see any matched log in cloudwatch logs or cloudwatch metrics.

asked 8 months ago197 views
1 Answer

https://docs.aws.amazon.com/waf/latest/developerguide/logging-management.html https://docs.aws.amazon.com/waf/latest/developerguide/ddos-responding.html

according to the above links

AWS WAF Logging Configuration: In the logging configuration for your web ACL, you can customize what AWS WAF sends to the logs. This includes field redaction and log filtering. The logs could be filtered based on the settings that AWS WAF applies during the web request evaluation, such as fully qualified labels and rule action settings. If the log filters do not match the criteria of the DDoS attack, they may not be logged​.

Logging Enabled or Disabled: You can enable and disable logging for a web ACL at any time. It's possible that the logging was disabled during the time of the DDoS attack, which would mean that those events wouldn't be logged. You might want to double-check whether logging was enabled during that time​.

AWS Shield Advanced Response to DDoS Attacks: AWS automatically mitigates network and transport layer (layer 3 and layer 4) Distributed Denial of Service (DDoS) attacks. For application layer (layer 7) DDoS attacks, AWS attempts to detect and notify AWS Shield Advanced customers through CloudWatch alarms. However, it doesn't automatically apply mitigations by default, to avoid inadvertently blocking valid user traffic. This could be a reason why you didn't see logs for the DDoS attack​.

Manually Mitigating Application Layer DDoS Attacks: If you believe that the events page for your resource represents a DDoS attack, you can create your own AWS WAF rules in your web ACL to mitigate the attack. Initially, you configure the rules to count matching requests. After you're comfortable that your new rules are identifying the correct requests, you can modify them to block the requests.

profile picture
answered 8 months ago
    1. I already enabled WAF logging to Amazon CloudWatch Logs.
    2. I already setup WAF Rule to count as my rule.

    The DDoS trigger 9815 access in 30sec from 23 IPs but I didn't any matched logs in cloudwatch logs.

    The rule and logs work fine in other situation but not this time so I want to know the reason.

  • assuming you have validated your ACLs and etc.

    Please check this article again


    your logs should be forwarded to CloudMetrics according to the retention period and metrics you have defined before if the logs do not match the metrics you have defined they cannot be sent to the Cloudwatch

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions