How do I mitigate DDoS attacks using AWS WAF?

Last updated: 2022-07-27

How can I use AWS WAF to help prevent Distributed Denial of Service (DDoS) attacks?

Short description

DDoS attacks are attempts by an attacker to disrupt the availability of targeted systems.

For infrastructure layer attacks, you can use AWS services such as Amazon CloudFront and Elastic Load Balancing (ELB) to provide automatic DDoS protection. For more information, see AWS best practices for DDoS resiliency.

For application layer attacks, you can use AWS WAF as the primary mitigation. AWS WAF web access control lists (web ACLs) minimize the effects of a DDoS attack at the application layer do the following:

  • Use rate-based rules.
  • Review existing rate-based rules and consider lowering the rate limit threshold to block bad requests.
  • Query the AWS WAF logs to gather specific information of unauthorized activity.
  • Create a geographic match rule to block bad requests originating from a country that isn't expected for your business.
  • Create an IP set match rule to block bad requests based on IP addresses.
  • Create a regex match rule to block bad requests.

Resolution

Use rate-based rules

You can create blanket or a URI-specific rate-based rules to protect your web application against DDoS attacks. For more information, see The three most important AWS WAF rate-based rules.

Create a blanket rate-based rule from the AWS WAF console

A blanket rate-based rule allows you to set a threshold for the number of requests IPs can make to your web application.

  1. Open the AWS WAF console.
  2. Select the Web ACL that doesn't have an RBR defined, then select Rate-based rule.
  3. Enter a Name for your rule.
  4. Enter a Rate limit. The rate limit is the maximum number of requests allowed in any five-minute period from any single IP address. After this limit is reached, the rate-based rule action is applied to the IP address. When the requests from the IP address fall below the limit, the action is discontinued.
    Note: The rate limit threshold is a representation of how many requests from a single IP address are considered too much and potentially malicious. Otherwise you might block good requests. If you're not sure what limit to set, it's a best practice to set the rule action to count and monitor your request pattern.
  5. For IP address to use for rate limiting, select Source IP address or IP address in header.

    IP address in header: When a request comes through a CDN or other proxy network, the source IP address identifies the proxy and the original IP address is sent in a header. Use caution when using the IP address in header option because headers might be handled inconsistently by proxies. And, headers can be modified to bypass inspection.

    Source IP address: For Criteria to count request towards rate limit, choose count requests that match the criteria of a rule statement.
  6. Set the rule action to count or block requests from IP addresses while their request counts are over the limit. The application and removal of the rule action might take effect a minute or two after the IP address request rate change.
  7. Select Add Rule.
  8. Select Next.

For information on creating a rate-based rule statement, see Rate based rule statement.

Create a URI-specific rate-based rule from the AWS WAF console

  1. Open the AWS WAF console.
  2. Select the web ACL that doesn't have a rate-based rule defined, then select Rate-based rule.
  3. Enter a Name for your rule.
  4. Enter a Rate limit.
  5. For IP address to use for rate limiting, select Source IP address or IP address in header.
  6. For Criteria to count request towards rate limit, choose Only consider requests that match the criteria in a rule statement.
  7. Create the Statement with the following variables:
    For Inspect, select URI path.
    For Match type, select Exactly matches string.
    For String to match, enter /login. You can select the URI that is specific to your application.
    For Text transformation, leave it as None.
  8. Set the rule action to count or block requests from IP addresses while their request counts are over the limit.
  9. Choose Add Rule.
  10. Choose Next.

Review existing rate-based rules and consider lowering the rate limit threshold to block bad requests

To modify an existing rate-based rule in the console:

  1. Open the AWS WAF console.
  2. Select the Web ACL and select the existing rate-based rule.
  3. Lower the Rate limit threshold as needed.
  4. Set the Rule action to Block.
  5. Choose Save rule.
  6. Choose Next.

For more information, see Rate-based rule statement.

Consider narrowing the scope of requests that are tracked and counted by your rate-based rule

To narrow the scope of requests that AWS WAF tracks and counts, use a scope-down statement inside the rate-based statement. Then, AWS WAF counts requests that match the scope-down statement.

Example

Based on recent requests from an attacker in the United States, you create a rate-based rule with the following scope-down statement:

  1. A geo-match match statement that specifies requests originating in the United States.
  2. A string match statement that searches in the User-Agent header for the string Badbot.

Assume that you set a rate limit of 1,000. For each IP address, AWS WAF counts requests that meet the criteria for both of the nested statements. Requests that don't meet both statements aren't counted. If the count for an IP address exceeds 1,000 requests in any 5-minute time span, the rule's action triggers against that IP address.

To add a scope-down statement using this example to your rate-based rule in the console, do the following:

  1. Open the AWS WAF console.
  2. Select the Web ACL and select the existing Rate-based rule.
  3. For Criteria to count requests towards rate limit, choose only requests that match the criteria in rule statement
  4. Count only the requests that match the following statement:
    If a request matches all of the statements (AND)
    Statement 1
    Inspect: Select Originates from a country in.
    Country Codes: Select United States-US.
    IP address to use for rate limiting: Select either Source IP address or IP address in header.

    -and-

    Statement 2
    Inspect: Select Single Header.
    Header field name: Enter User-Agent.
    Match type: Select Exactly matches string.
    String to match: Enter Badbot.
  5. Choose Save Rule.
  6. Choose Next.

Query the AWS WAF logs to gather specific information of unauthorized activity

If you haven't done so already, make sure that you turn on AWS WAF logging.

After you turn on logging for your web ACL to analyze traffic, query the AWS WAF logs to investigate DDoS scenarios. You can query AWS WAF logs using the following:

Using the Amazon Athena log parser or AWS Lambda log parser

Rate-based rules allow you to specify the maximum number of web requests to allow from any single IP address in a trailing, continuously updated five-minute period. If an IP address breaches the configured limit, new requests are blocked until the request rate falls below the configured threshold. The minimum acceptable rate limit value for rate-based rules is 100.

In scenarios where rate-based rules can't be used due to the minimum threshold allowed, consider using the Athena log parser or Lambda log parser implementation available in AWS WAF Automation. With rate-based rules, the default block period is 240 seconds. Both the Athena and the Lambda log parser allow you to select the period (in minutes) to block applicable IP addresses.

The Athena and Lambda log parser implementations have the following parameters:

  • Request threshold: The maximum acceptable requests per five minutes per IP address.
  • Block period: The period (in minutes) to block applicable IP addresses.

Both of these solutions allow you to define parameters when provisioning or updating AWS CloudFormation stacks.

Use the Lambda log parser when rate-based rules or the Athena log parser aren't available. For more information, see AWS Lambda log parser.

Be aware of increased costs when using the Athena Log parser. You are charged for Athena usage when using this option for HTTP flood protection. By default, each Athena query runs every five minutes and scans the past four hours of data. Partitioning is applied to logs and Athena queries to keep costs low. You can configure the number of hours of data that a query scans by changing the value for the WAF Block Period template parameter. However, increasing the amount of data scanned will likely increase Athena cost.

For more information, see Cost estimate of Amazon Athena.

Create a geographic match rule to block bad requests originating from a country that isn't expected for your business

Create one or more geographic match rule statement to allow or block web requests based on country of origin.

To create a geographic match rule in the AWS WAF console:

  1. Open the AWS WAF console.
  2. Select the Web ACL, select Regular rule and create a Geo Match rule.
  3. From Request options, select originates from a country in and choose the country code or codes from the dropdown list.
  4. Set rule action to BLOCK.
  5. Select Add rule.

Create an IP set match rule to block bad requests based on IP addresses

Create an IP set match rule statement to allow or block web requests based on the IP addresses that the requests originate from. An IP match condition lists up to 10,000 IP addresses or IP address ranges that your requests originate from. Later in the process, when you create a web ACL, you can specify to allow or block requests from those IP addresses.

To create an IP match rule in the AWS WAF console:

  1. Open the AWS WAF console.
  2. Create an IP set and add the IP addresses to the list.
  3. Select the web ACL, then select Regular rule, create an IP match rule.
  4. From Request options, select originates from an IP address in and choose the IP set created in step 2.
  5. Set rule action to BLOCK.
  6. Select Add Rule.

For more information, see Creating and managing an IP set.

Create a string match rule to block bad requests

During a DDoS attack, there isn’t usually one source IP, making it challenging to filter based on a single or a few IP addresses. In these scenarios, it's important that all sections of the request are evaluated to identify any distinguishing patterns between a good and a bad request. Creating a string match rule or a regex match rule is an efficient way to block bad requests.

For example, if the bad requests are from User-Agent: BadBot, you can create a string match rule based on the header details.

To create a string match rule in the AWS WAF console:

  1. Open the AWS WAF console.
  2. Select the web ACL, then select Regular rule, create a String Match rule.
  3. Under request options, select the following:
    For Inspect, select Header.
    For Header field name, enter User-Agent.
    For Match Type, select Exactly matches string.
    For String to Match, enter BadBot.
  4. Set rule action to BLOCK.
  5. Select Add rule.

Create a regex match rule to block bad requests

A regex match rule statement instructs AWS WAF to match a request component against a single regular expression (regex). A web request matches the statement if the request component matches the regex that you specify.

To create a regex match rule in the AWS WAF console:

  1. Open the AWS WAF console.
  2. Select the web ACL, then select Regular rule, create a String Match rule.
  3. Under request options, select the following:
    For Inspect, select URI path.
    For Match type, select Matches regular expression.
    For String to match, enter the regular expression.
  4. Set rule action to BLOCK.
  5. Select Add rule.

Did this article help?


Do you need billing or technical support?