Posted On: Feb 16, 2023

AWS WAF Fraud Control - Account Takeover Protection (ATP) can now inspect origin responses, giving customers additional protection against brute force and credential stuffing attacks on their login pages. Until today, ATP rules were limited to inspecting incoming login requests against a stolen credentials database, analyzing requests seen over time for username and password traversals, and then aggregating this data based on unique identifiers, such as IP address or session ID. With this release, ATP managed rules can now also inspect application response data and block login attempts based on customer-defined login failure conditions. This capability helps to protect against brute force attacks involving non-compromised credentials.

You can specify success or failure conditions based on HTTP status codes, HTTP headers, or the body of responses as well as JSON strings. For example, you can configure ATP to inspect responses that include the HTTP response code 200 (success condition) or 401 (failure condition). You can configure ATP to use these response conditions as additional signals to aggregate the number of failed login attempts per session or per IP address. Once a predefined threshold for failed logins per device is reached, ATP can block subsequent requests as a defense against brute force attacks. We strongly recommend integrating with the application integration SDK for the most effective use of the ATP rule group.

You can configure origin response inspection through the AWS WAF Console, AWS SDKs, and the AWS CLI. This feature is currently available only for CloudFront distributions, but support for protecting regional AWS resources is expected later. While there are no additional fees associated with this feature, standard ATP charges still apply. To get started with ATP, please visit the documentation link here.