Permanently Blocking IP Addresses with AWS WAF Rate-Based Rule Limit

What is WAF?

WAF and Other Resource Pricing

• Amazon API Gateway REST API
• Application Load Balancer
• AWS AppSync GraphQL API
• Amazon Cognito user pool
• AWS App Runner service
• AWS Verified Access instance

• PS: Here I am implementing this whole thing for the application load balancer.

Creating Web ACL and Rules

1. Go to AWS WAF → Web ACLs → Select the region in which your load balancer or regional resource → Create Web ACL.

• Rule type: Rule builder
• Type: Rate-based rule

• Rate Limit: 100 (You can specify according to your traffic)
• Evaluation window: 1 minute (This means if someone makes more than 100 requests in 1 minute, then their IP will be blocked)
• Request aggregation: IP address in header (Why this option? Let’s discuss it later in this blog)

• Header field name: X-Forwarded-For

• Create an IP set that contains IP addresses of attackers.
• Create a rule in Web ACL that blocks IP addresses from attackers IP set.
• Create Lambda Function that reads the list of Blocked IPs by Rate-Base Rule, and add those IPs to the attacker's IP set.
• Create one Eventbridge Rule that triggers lambda functions every minute. So, we can keep the attackers IP set list updated with newly blocked IPs.

Creating Lambda, IP set, IAM role and Eventbridge rule

1. You can find the CloudFormation template here.

1. Go to CloudFormation → Stacks → Create Stack → With New Resources (Standard).
2. Prepare template: Choose an existing template. Template source: Upload a template file. (I've stored the template in S3, so you can use the S3 URL but you can directly upload a .YAML file.

• RateBasedRuleName: Name of our Rate-base- rule created in Web ACL.
• Scope: REGIONAL ( I am using ALB so it is a regional resource.)
• WebACLId: It can be found at Web ALC dashboard (AWS WAF → Web ACLs)
• WebACLName: Name of Web ACL.

Create IP Set Blocking Rule

1. Go to AWS WAF → Web ACLs → your Web ACL → Rules → Add my own rules.

• Rule type: IP set
• Name: xxxxx
• IP set: Select IP set created by CloudFormation.

• IP address to use as the originating address: IP address in header
• Header field name: X-Forwarded-For
• Position inside header: Any IP addresses

• Action: Block

Testing

• Install ApacheBench on Ubuntu.

sudo apt-get update

sudo apt-get install apache2-utils

• Creating a shell script that sends 200 requests per minute to the domain (in other words, to the server)

#!/bin/bash

for i in {1..20}

do

 ab -n 10 -c 1 -H "X-Forwarded-For: 1.2.3.4" http://your-server-endpoint/

 sleep 3

done

• To run a script, run the following commands:

chmod +x test.sh

./test.sh

Why Are We Using ‘X-Forwarded-For’?

• If you use the Source IP address to block requests, then there is a high chance that your regular user might get blocked if they exceed the limit, while the attacker will still be able to increase the load of your server by using proxies.
• The ‘X-Forwarded-For’ header is only present in requests that are coming from HTTP proxies or load balancers, making it easier to differentiate between regular users and users with bad intentions.