How do I apply a rate limit on a specific request parameter or URI in AWS WAF?

Last updated: 2022-07-21


Short description

AWS WAF has rate-based rules that track the rate of requests for each originating IP address. The rules initiate the rule action on IPs with rates that go over a specified limit within a five-minute period.

You can use a rate-based rule to put a temporary block on requests from an IP address that's sending excessive requests. By default, AWS WAF aggregates requests based on the IP address from the web request origin. But, you can configure the rule to use an IP address from an HTTP header, such as X-Forwarded-For, instead.

For these rate-based rule statements, you can also define conditions as part of scope-down statements. You can define conditions so that only the requests matching the scope-down statements are considered for evaluation by that rule.

Note: The AWS WAF console doesn't have an option labeled "scope-down statement" for a rate-based rule. Select the Only consider requests that match the criteria in a rule statement option to create the equivalent of a scope-down statement.

The following resolution considers two scenarios where you can customize the rate-based rule on a specific parameter.

Resolution

Scenario 1: Add a rate limit to a specific URI

Note: You can specify any request parameter.

  1. Open the AWS WAF console.
  2. Select Web ACLs.
  3. Select the web ACL and then select the Rules tab.
  4. Select Add rules.
  5. Select Add my own rules and rule groups.
  6. Select Rule builder for the Rule type.
  7. Enter a Name and select Rate-based rule.
  8. Enter the following parameters for the Request rate details:
    Rate limit: Enter a number between 100 and 20,000,000. This is the maximum number of requests allowed for every IP in a five-minute period.
    IP address to use for rate limiting: If you want to rate limit based on the client IP field, select Source IP address. Or, if you want to rate limit based on the IP address in a header, select IP address in header. For example, X-Forwarded-For.
    Criteria to count requests towards rate limit: Select Only consider requests that match the criteria in a rule statement.
  9. In the If a request dropdown list, select matches the statement. If you have multiple conditions to specify, you can change this selection according to your use case.
  10. Complete the following fields in the Statement details section:
    Note: In this example, the rate limit is on the URI path “/admin”. You can change the details based on your use case.
    Inspect: URI path
    Match type: Contains string
    String to match: /admin
    Text transformation: None
  11. In the Action section, select Block.
  12. Select Add rule. Move the rule to the correct priority for your use case, and then select Save.

Scenario 2: Exclude selected internal IPs from rate-limit rules

In this scenario, create an IP set containing all of your internal IPs. Then, exclude this IP set in the scope down statement.

Use the following steps to exclude an IP set from a rate-based rule:

  1. Open the AWS WAF console.
  2. Select Web ACLs.
  3. Select the web ACL and then select the Rules tab.
  4. Select Add rules.
  5. Select Add my own rules and rule groups.
  6. Select Rule builder for the Rule type.
  7. Enter a Name and select Rate-based rule as the Type.
  8. Enter the following parameters for the Request rate details:
    Rate limit: Enter a number between 100 and 20,000,000. This is the maximum number of requests allowed for every IP in a five-minute period.
    IP address to use for rate limiting: If you want the rate limit based on the client IP field, select Source IP address. Or, if you want the rate limit based on the IP address in a header, select IP address in header. For example, X-Forwarded-For.
    Criteria to count requests towards rate limit: Select Only consider requests that match the criteria in a rule statement.
  9. In the If a request dropdown list, select Doesn’t match the statement (NOT).
  10. Complete the following fields in the Statement details section:
    Inspect: Originates from an IP address in.
    IP set: Select the IP set from the dropdown list.
    IP address to use as the originating address: If you want the rate limit based on the client IP field, then select Source IP address. Or, if you want the rate limit based on the IP address in a header, select IP address in header. For example, X-Forwarded-For.
  11. In the Action section, select Block.
  12. Select Add rule. Move the rule to the correct priority for your use case and then select Save.
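The console steps in Scenario 1 and Scenario 2 produce rate-based rules with a scope-down statement. The following added example (not part of this article or of AWS's own tooling) builds the equivalent rule definitions in the JSON shape that the console's rule JSON editor and the WAFv2 API accept, so the same rules can be kept in version control. The rule names, the 1,000-request limit and the IP-set ARN are assumed placeholders.

```python
import json

# Aggregate on the client address carried in X-Forwarded-For rather than the
# connection source IP; FallbackBehavior MATCH also counts requests lacking the header.
FORWARDED_IP = {"HeaderName": "X-Forwarded-For", "FallbackBehavior": "MATCH"}


def rate_based_rule(name, priority, limit, scope_down, use_forwarded_ip=False):
    """Blocking rate-based rule that counts only requests matching scope_down."""
    if not 100 <= limit <= 20_000_000:  # range the article gives for the console
        raise ValueError("rate limit must be between 100 and 20,000,000")
    stmt = {"Limit": limit, "AggregateKeyType": "IP", "ScopeDownStatement": scope_down}
    if use_forwarded_ip:
        stmt["AggregateKeyType"] = "FORWARDED_IP"
        stmt["ForwardedIPConfig"] = FORWARDED_IP
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"RateBasedStatement": stmt},
        "Action": {"Block": {}},
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True, "MetricName": name},
    }


def uri_contains(path):
    """Scenario 1 scope-down: URI path contains `path`, no text transformation."""
    return {"ByteMatchStatement": {
        "FieldToMatch": {"UriPath": {}},
        "PositionalConstraint": "CONTAINS",
        "SearchString": path,
        "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
    }}


def not_in_ip_set(ip_set_arn, use_forwarded_ip=False):
    """Scenario 2 scope-down: NOT (originating address is in the internal IP set)."""
    ref = {"ARN": ip_set_arn}
    if use_forwarded_ip:  # evaluate the first address listed in X-Forwarded-For
        ref["IPSetForwardedIPConfig"] = {**FORWARDED_IP, "Position": "FIRST"}
    return {"NotStatement": {"Statement": {"IPSetReferenceStatement": ref}}}


if __name__ == "__main__":
    internal = "arn:aws:wafv2:REGION:ACCOUNT:regional/ipset/NAME/ID"  # placeholder ARN
    rules = [
        rate_based_rule("RateLimitAdminPath", 0, 1000, uri_contains("/admin")),
        rate_based_rule("RateLimitExceptInternal", 1, 1000,
                        not_in_ip_set(internal, use_forwarded_ip=True), use_forwarded_ip=True),
    ]
    print(json.dumps(rules, indent=2))  # paste into the console's rule JSON editor
```

The printed list is the Rules array shape; set each rule's Priority to match the position you would give it in the console.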
