Posted On: Aug 28, 2019

You can now configure a lower threshold for rate-based rules you use with AWS WAF, allowing you to mitigate low-volume application threats. The new threshold of 100 requests per 5 minutes (previously 2000 requests per 5 minutes) gives you greater control for stopping slow brute force login attempts, limiting per-user API usage, blocking low-volume denial of service (DoS) attacks, and stopping malicious bots that consume resources and scrape content.

The process for creating rate-based rules is unchanged. When creating a new rule, simply select “rate-based rule” for the rule type and then specify the desired threshold. Using CloudWatch metrics, you can observe the resulting behavior and adjust the threshold, if necessary, in real time. You can also combine conditions so that rate-based rules are triggered only when certain header elements, query strings, URIs, or other request attributes are present. 

This feature is available to use across your WAF WebACLs for Amazon CloudFront, Application Load Balancer or Amazon API Gateway. There is no additional cost for using this feature. For more detail on how rate-based rules work, please refer to AWS WAF documentation.