How do I configure AWS WAF to protect my resources from common attacks?

Last updated: 2020-11-27

How do I configure AWS WAF to protect my resources from common attacks?

Resolution

Migrate from AWS WAF Classic to AWS WAF (if applicable)

If you're using AWS WAF Classic, it's recommended that you migrate to AWS WAF. To make this migration, you can leverage the automated migration tool. For more information, see Why migrate to AWS WAF?

Run penetration testing against your application to identify vulnerabilities

Every application receives its own type of requests. As a result, the firewall rules that protect your application must be customized.

Run penetration testing against your application to understand its specific vulnerabilities. For more information, see:

Review incoming requests to optimize your custom rules

Before creating custom rules to protect your application, review the incoming requests in your environment.

First, generate logs using:

  • AWS WAF
  • Amazon CloudFront
  • Application Load Balancer
  • Amazon API Gateway

Then, store these logs on Amazon Simple Storage Service (Amazon S3). Finally, use Amazon Athena to query the logs and identify patterns. For example, you might see patterns like:

  • Requests made to your environment for URIs that don't exist
    • To recognize this pattern, you must know every supported URI
    • Example Athena query performed on AWS WAF logs to count requests for each URI:
SELECT count("httprequest"."uri") as URIcount, "httprequest"."uri"
FROM waf_logs
GROUP BY "httprequest"."uri"
ORDER BY URIcount DESC
  • Requests that contain an HTTP Host header that's unsupported by your webserver -OR- requests that contain an IP address instead of your website's domain name
    • Example Athena query performed on AWS WAF logs to count requests with different Host header values:
SELECT header.value as HostHeader, count(header) as count
FROM waf_logs, UNNEST(httprequest.headers) AS x(header)
WHERE "header"."name" = 'Host'
GROUP BY  header
ORDER BY count DESC

After identifying a pattern, you can create AWS WAF rules in COUNT mode to verify that the rule is configured to match those requests. Then, move the rule to BLOCK mode.

For example, if your application only supports Host header "www.example.com":

  • Create a NOT match on the HOST header with value "www.example.com"
  • Set the action to BLOCK

Any requests to your environment that don't have a Host header of "www.example.com" are now blocked. 
Note: This rule also blocks requests to the AWS-provided fully qualified domain name (FQDN).

Use AWS Managed Rules to protect against common attacks

Use AWS Managed Rules to prevent common attacks that apply to most applications, including requests that:

  • Don't contain a User-Agent
  • Represent bot requests
  • Use “localhost” as the HTTP Host header
  • Use the PROPFIND HTTP method

Include these baseline rule groups in your web access control list (web ACL) in COUNT mode. Be sure to choose “Enable Count mode” in the rule group. Then, review the AWS WAF logs and CloudWatch metrics to determine whether the managed rule matches any legitimate traffic. If it doesn't, move the rule group to BLOCK by disabling “Enable Count mode”. To disable a specific rule in the AWS Managed Rule Group, choose “Override rules action” for that rule.

Note: Rules in the AWS Managed Rules might get triggered by legitimate requests to your environment. For more information, see How can I detect false positives caused by AWS Managed Rules and add them to a safe list?

Important: AWS Managed Rules are designed to protect you from common web threats. When used in accordance with the documentation, AWS Managed Rules rule groups add another layer of security for your applications. However, AWS Managed Rules rule groups aren't intended as a replacement for your security responsibilities, which are determined by the AWS resources that you select. See the Shared responsibility model to be sure that your resources in AWS are properly protected.

Baseline your AWS WAF using the rate of legitimate requests

Perform an analysis of your traffic to identify the number of requests made by legitimate client IP addresses using Amazon Athena or Amazon Quicksight on the AWS WAF logs. Using the information you get from this analysis, baseline your AWS WAF to the rate of requests made by a legitimate client. Then, set up a threshold while configuring the AWS WAF rate-based rule.

Sample Athena query performed on AWS WAF logs to count the number of requests from a single IP address (x.x.x.x) between a given timeframe (Nov 16th 2020 9AM-10AM):

SELECT  "httprequest"."clientip", "count"(*) "count", "httprequest"."country"
FROM waf_logs
WHERE httprequest.clientip LIKE 'x.x.x.x' and date_format(from_unixtime("timestamp"/1000), '%Y-%m-%d %h:%i:%s') between '2020-11-16 09:00:00' and '2020-11-16 10:00:00'
GROUP BY "httprequest"."clientip", "httprequest"."country"

Sample Athena query performed on AWS WAF logs to count the number of requests from all IP addresses between the same time frame:

SELECT "httprequest"."clientip", "count"(*) "count", "httprequest"."country"
FROM waf_logs
WHERE date_format(from_unixtime("timestamp"/1000), '%Y-%m-%d %h:%i:%s') between '2020-11-16 09:00:00' and '2020-11-16 10:00:00'
GROUP BY "httprequest"."clientip", "httprequest"."country"
ORDER BY "count" DESC

Use the AWS WAF Security Automations template to prevent common attacks

Use the AWS WAF Security Automations template to provide additional protection from common attacks. For example, you can enable protection against:

  • Scanners and probes
  • Bad bots
  • Bad IP addresses

Note: This solution uses other AWS services that incur costs.

Protect against SQL injection and cross-site scripting

To protect your applications against SQL injection and cross-site scripting (XSS) attacks, use the built-in SQL injection and cross-site scripting engines. Remember that attacks can be performed on different parts of the HTTP request, such as the HTTP header, query string, or URI. Configure the AWS WAF rules to inspect different parts of the HTTP request against the built-in mitigation engines.

Note: Rules in the mitigation engines might get triggered by legitimate requests to your environment. For more information, see How can I detect false positives caused by AWS Managed Rules and add them to a safe list?

Restrict access from CloudFront (if you're using AWS WAF on CloudFront)

Protect against DDoS attacks

For more information on protection from distributed denial-of-service (DDoS) attacks, see AWS best practices for DDoS resiliency and AWS Shield features.


Did this article help?


Do you need billing or technical support?