Logo Dark
Get in Touch

Permanently Blocking IP Addresses with AWS WAF Rate-Based Rule Limit

10 September 2024

Tech
Web

Table of contents

Permanently Blocking IP Addresses with AWS WAF Rate-Based Rule Limit

Blocking IP Addresses With Aws Waf

What is WAF?

WAF and Other Resource Pricing

Waf Pricing

  • Amazon API Gateway REST API
  • Application Load Balancer
  • AWS AppSync GraphQL API
  • Amazon Cognito user pool
  • AWS App Runner service
  • AWS Verified Access instance
  • PS: Here I am implementing this whole thing for the application load balancer.

Creating Web ACL and Rules

  1. Go to AWS WAF → Web ACLs → Select the region in which your load balancer or regional resource → Create Web ACL.
Creating Web Acl and Rules

Creating Web Acl and Rules 2

Associated Aws Resources
Add Aws Resources

Add Rules

  • Rule type: Rule builder
  • Type: Rate-based rule
Rule Type
  • Rate Limit: 100 (You can specify according to your traffic)
  • Evaluation window: 1 minute (This means if someone makes more than 100 requests in 1 minute, then their IP will be blocked)
  • Request aggregation: IP address in header (Why this option? Let’s discuss it later in this blog)
Rate Limiting Criteria
  • Header field name: X-Forwarded-For
Header Field Name X Forwarded For

  • Create an IP set that contains IP addresses of attackers.
  • Create a rule in Web ACL that blocks IP addresses from attackers IP set.
  • Create Lambda Function that reads the list of Blocked IPs by Rate-Base Rule, and add those IPs to the attacker's IP set.
  • Create one Eventbridge Rule that triggers lambda functions every minute. So, we can keep the attackers IP set list updated with newly blocked IPs.

Creating Lambda, IP set, IAM role and Eventbridge rule

  1. You can find the CloudFormation template here.

  1. Go to CloudFormation → Stacks → Create Stack → With New Resources (Standard).
  2. Prepare template: Choose an existing template. Template source: Upload a template file. (I've stored the template in S3, so you can use the S3 URL but you can directly upload a .YAML file.
Create Stack

  • RateBasedRuleName: Name of our Rate-base- rule created in Web ACL.
  • Scope: REGIONAL ( I am using ALB so it is a regional resource.)
  • WebACLId: It can be found at Web ALC dashboard (AWS WAF → Web ACLs)
  • WebACLName: Name of Web ACL.
Provide a Stack Name Image

Aws Iam Role

Create IP Set Blocking Rule

  1. Go to AWS WAF → Web ACLs → your Web ACL → Rules → Add my own rules.
Testing Rate Limiter

  • Rule type: IP set
  • Name: xxxxx
  • IP set: Select IP set created by CloudFormation.
Rule Type IP Set
  • IP address to use as the originating address: IP address in header
  • Header field name: X-Forwarded-For
  • Position inside header: Any IP addresses
IP Address to Use as the Og Adress
  • Action: Block
Action Block

Set Rule Priority

Testing

  • Install ApacheBench on Ubuntu.
sudo apt-get update

sudo apt-get install apache2-utils
  • Creating a shell script that sends 200 requests per minute to the domain (in other words, to the server)
#!/bin/bash

for i in {1..20}

do

 ab -n 10 -c 1 -H "X-Forwarded-For: 1.2.3.4" http://your-server-endpoint/

 sleep 3

done
  • To run a script, run the following commands:
chmod +x test.sh

./test.sh

Add IP Addresses

Why Are We Using ‘X-Forwarded-For’?

D Do S Attacks Using HTTP Proxies

  • If you use the Source IP address to block requests, then there is a high chance that your regular user might get blocked if they exceed the limit, while the attacker will still be able to increase the load of your server by using proxies.
  • The ‘X-Forwarded-For’ header is only present in requests that are coming from HTTP proxies or load balancers, making it easier to differentiate between regular users and users with bad intentions.

WRITTEN BY

Pruthvi Menpara

Pruthvi is a cloud computing architect who makes sure businesses scale and perform at their best using AWS and Azure. He’s passionate about building robust cloud infrastructures that provide the perfect balance of security and scalability.

More from this author

Making IT Possible

Making IT Possible

Making IT Possible

Making IT Possible

Making IT Possible

Making IT Possible

India (HQ)

201, iSquare Corporate Park, Science City Road, Ahmedabad-380060, Gujarat, India

Canada

24 Merlot Court, Timberlea, NS B3T 0C2, Canada

For Sales

[email protected]

Looking For Jobs

Apply Now

LinkedIn
Instagram
X
Facebook
Youtube
Discord
Dribbble
Behance
Github