
AWS WAF rate limit not honored


I configured the WAF "rate limit" as 10 and the evaluation window as "5 minutes":

    "RateBasedStatement": {
        "Limit": 10,
        "AggregateKeyType": "FORWARDED_IP",
        "EvaluationWindowSec": 300,
        "ForwardedIPConfig": {
            "HeaderName": "X-Forwarded-For",
            "FallbackBehavior": "NO_MATCH"
        }
    }

When I repeatedly fired requests in a loop, it accepted 159 requests in approximately 1 minute. Then it blocked requests until the end of the window.

When I send 1 request every 15 seconds, it blocks at the 13th request.

I verified that the IP in the X-Forwarded-For header during this time is the same. Am I missing any configuration?

asked 3 months ago, 31 views
1 Answer

Hello,

You're not missing configuration - there's a common misunderstanding about what the limit means.

AWS WAF rate limits are not instantaneous per request; instead, they are assessed over a sliding window (EvaluationWindowSec). This implies that bursts above the configured Limit can pass at first, but once the threshold is surpassed, blocking takes place. Make sure the X-Forwarded-For header has the correct client IP when using FORWARDED_IP.

References

AWS WAF Rate-based rules:

https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-rate-based.html

Forwarded IP configuration:

https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-rate-based.html#forwarded-ip

answered 2 months ago
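The behaviour the answer describes (a burst overshooting the limit before blocking starts, and a slow trickle being blocked a few requests after the 10th) is easiest to see with a small model of the rule. The following is an added example, not code from the question, the answer or AWS. It models the rule with two assumptions that AWS does not publish as exact values: the count per key is kept over a trailing window of EvaluationWindowSec seconds, and the allow/block decision is refreshed only every 30 seconds (EVAL_INTERVAL_SEC) rather than on every request. The key is derived the way the linked forwarded-IP documentation describes, taking the first address in the X-Forwarded-For header and applying FallbackBehavior when it is missing or invalid. The request timings and header values are constructed sample input.

```python
"""Toy model of an AWS WAF rate-based rule with FORWARDED_IP aggregation.

Added example, not AWS code. Modelling assumptions (not documented internals):
  * each aggregation key counts requests over a trailing window of
    EvaluationWindowSec seconds, and blocked requests are still counted;
  * the block decision for a key is refreshed only every EVAL_INTERVAL_SEC
    seconds, not per request, so a burst can overshoot the limit.
"""
import ipaddress
from collections import defaultdict, deque

EVAL_INTERVAL_SEC = 30.0  # assumed decision cadence; AWS publishes no exact value


def forwarded_ip_key(headers, header_name="X-Forwarded-For", fallback="NO_MATCH"):
    """Derive the FORWARDED_IP aggregation key from request headers.

    The first address in the header is used. If the header is missing or its
    first entry is not a valid IP, FallbackBehavior applies: NO_MATCH means the
    rule ignores the request entirely (returns None); MATCH puts all such
    requests into one shared bucket.
    """
    raw = headers.get(header_name, "")
    first = raw.split(",")[0].strip()
    try:
        return str(ipaddress.ip_address(first))
    except ValueError:
        return "__fallback__" if fallback == "MATCH" else None


class RateBasedRule:
    def __init__(self, limit, window_sec, eval_interval_sec=EVAL_INTERVAL_SEC):
        self.limit = limit
        self.window = window_sec
        self.interval = eval_interval_sec
        self.recent = defaultdict(deque)   # key -> request timestamps in window
        self.blocked = defaultdict(bool)   # key -> current block decision
        self.next_eval = eval_interval_sec  # time of the next decision refresh

    def _evaluate(self, now):
        # Refresh every key's decision from the count in the trailing window.
        for key, times in self.recent.items():
            while times and times[0] <= now - self.window:
                times.popleft()
            self.blocked[key] = len(times) > self.limit

    def request(self, t, headers):
        """Return True if the request at time t is allowed, False if blocked."""
        # Catch up on any decision points that passed since the last request.
        while t >= self.next_eval:
            self._evaluate(self.next_eval)
            self.next_eval += self.interval
        key = forwarded_ip_key(headers)
        if key is None:                  # NO_MATCH fallback: rule does not apply
            return True
        self.recent[key].append(t)       # blocked requests are still counted
        return not self.blocked[key]


def simulate(times, headers, limit=10, window_sec=300):
    """Run one client's request sequence (non-decreasing timestamps).

    Returns (1-based index of the first blocked request or None, number allowed).
    """
    rule = RateBasedRule(limit, window_sec)
    first_blocked, allowed = None, 0
    for i, t in enumerate(times, start=1):
        if rule.request(t, headers):
            allowed += 1
        elif first_blocked is None:
            first_blocked = i
    return first_blocked, allowed


if __name__ == "__main__":
    xff = {"X-Forwarded-For": "203.0.113.7, 10.0.0.5"}  # constructed sample header
    # Burst: 200 requests, one every 250 ms. The first decision point is at 30 s,
    # so 120 requests pass before the rule notices the count is far above 10.
    print("burst:", simulate([i * 0.25 for i in range(200)], xff))
    # Trickle: one request every 15 s. The 11th (at 150 s) pushes the count over
    # the limit, but the refresh at 180 s is what blocks, so the 13th is the first denied.
    print("trickle:", simulate([i * 15 for i in range(20)], xff))
    # No usable X-Forwarded-For with NO_MATCH: the rule never counts or blocks.
    print("no header:", simulate([i * 15 for i in range(20)], {}))
```

The third scenario is the configuration check the answer points at: with FallbackBehavior set to NO_MATCH, any request whose X-Forwarded-For header is absent or does not start with a valid IP is simply not rate limited, so a proxy that rewrites or drops that header makes the rule appear to do nothing.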
