
AWS WAF rate limit not honored


I configured the WAF "rate limit" as 10 and the evaluation window as "5 minutes":

```json
"RateBasedStatement": {
  "Limit": 10,
  "AggregateKeyType": "FORWARDED_IP",
  "EvaluationWindowSec": 300,
  "ForwardedIPConfig": {
    "HeaderName": "X-Forwarded-For",
    "FallbackBehavior": "NO_MATCH"
  }
}
```

When I repeatedly fired requests in a loop, it accepted 159 requests in approximately 1 minute. Then it blocked requests till the end of the window.

When I send 1 request every 15 seconds, it is blocking at the 13th request.

I verified that the IP in the X-Forwarded-For header during this time is the same. Am I missing any configuration?

Asked 4 months ago, 32 views
1 answer

Hello,

You're not missing configuration - there's a common misunderstanding about what the limit means.

AWS WAF rate limits are not instantaneous per request; instead, they are assessed over a sliding window (EvaluationWindowSec). This implies that bursts above the configured Limit can pass at first, but once the threshold is surpassed, blocking takes place. Make sure the X-Forwarded-For header has the correct client IP when using FORWARDED_IP.

References

AWS WAF Rate-based rules:

https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-rate-based.html

Forwarded IP configuration:

https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-rate-based.html#forwarded-ip

Answered 3 months ago
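To make the sliding-window behaviour from the answer concrete, here is an added simulation (not AWS's implementation, and not code from the question or the answer). It models a rate-based rule that keys on the first address in X-Forwarded-For, counts requests over a 300-second window, and, as an assumption for illustration, re-evaluates the per-key count only every 30 seconds rather than on every request. The scenarios, the header value and the evaluation cadence are constructed; the constants come from the question. Under those assumptions the slow scenario passes 12 requests and blocks the 13th, and the burst scenario passes every request that arrives before the first evaluation tick, then keeps the key blocked until the counted requests age out of the window.

```python
"""Illustrative simulation of an AWS WAF-style rate-based rule (added example).

Assumptions, not taken from the question or the AWS docs:
- counts are re-evaluated every EVAL_INTERVAL_SEC, not per request, so a fast
  burst can exceed the limit before the first evaluation runs;
- the client key is the first IP in X-Forwarded-For; a missing or malformed
  header yields no key, mirroring FallbackBehavior NO_MATCH;
- requests keep counting toward the window while the key is blocked.
"""
from collections import defaultdict, deque
import ipaddress

LIMIT = 10                   # "Limit" from the question
EVALUATION_WINDOW_SEC = 300  # "EvaluationWindowSec" from the question
EVAL_INTERVAL_SEC = 30       # assumed evaluation cadence (illustration only)

# Constructed sample header: client address first, then a proxy hop.
CLIENT = {"X-Forwarded-For": "203.0.113.7, 10.0.0.1"}


def forwarded_client_ip(headers):
    """Return the first address in X-Forwarded-For, or None if absent/invalid."""
    xff = headers.get("X-Forwarded-For")
    if not xff:
        return None
    first = xff.split(",")[0].strip()
    try:
        return str(ipaddress.ip_address(first))
    except ValueError:
        return None


class RateBasedRule:
    def __init__(self, limit=LIMIT, window=EVALUATION_WINDOW_SEC,
                 eval_interval=EVAL_INTERVAL_SEC):
        self.limit = limit
        self.window = window
        self.eval_interval = eval_interval
        self.history = defaultdict(deque)  # key -> timestamps of counted requests
        self.blocked = set()
        self.last_eval = None

    def _evaluate(self, now):
        # Periodic pass: drop timestamps older than the window, then block keys
        # whose count exceeds the limit and release keys that fell back under it.
        for key, stamps in self.history.items():
            while stamps and now - stamps[0] >= self.window:
                stamps.popleft()
            if len(stamps) > self.limit:
                self.blocked.add(key)
            else:
                self.blocked.discard(key)
        self.last_eval = now

    def handle(self, now, headers):
        """Return 'allow', 'block' or 'no_match' for a request arriving at `now`."""
        if self.last_eval is None or now - self.last_eval >= self.eval_interval:
            self._evaluate(now)
        key = forwarded_client_ip(headers)
        if key is None:
            return "no_match"  # FallbackBehavior NO_MATCH: neither counted nor blocked
        self.history[key].append(now)  # counted whether or not it is blocked
        return "block" if key in self.blocked else "allow"


def simulate(schedule, **rule_kwargs):
    """Run (time_sec, headers) pairs through a fresh rule; return the decisions."""
    rule = RateBasedRule(**rule_kwargs)
    return [rule.handle(t, h) for t, h in schedule]


def burst_scenario():
    """120 requests 0.5 s apart (about a minute), then probes at t=200 s and t=400 s."""
    schedule = [(i * 0.5, CLIENT) for i in range(120)]
    schedule += [(200.0, CLIENT), (400.0, CLIENT)]
    return simulate(schedule)


def slow_scenario():
    """One request every 15 s for five minutes: 20 per window against a limit of 10."""
    return simulate([(i * 15.0, CLIENT) for i in range(20)])


if __name__ == "__main__":
    burst = burst_scenario()
    print("burst: allowed before first block =", burst.index("block"))
    print("burst: probe at 200 s =", burst[-2], "| probe at 400 s =", burst[-1])
    slow = slow_scenario()
    print("slow: first blocked request number =", slow.index("block") + 1)
```

The practical reading for anyone tuning such a rule: Limit is a threshold checked against a trailing window at intervals, not a hard per-request cap, so short bursts above it are expected to land before the rule reacts, and a steady rate that exceeds Limit over the window (here 20 per 300 s against 10) is caught a few requests after the count crosses the line and stays blocked for as long as the trailing count remains above it.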

