waf-reputation-lists IPSet limit issue

[mikegchambers]

The WAF config resulting from the CF template can't support the number of CIDR ranges sourced from the supplied 3 URLs (which currently stands at ~12k). The template creates two IPSets. Each IPSet can contain up to 1000 CIDR ranges, therefore the WAF config can support only 2k ranges.

What's more, WAF itself is unable to support the number of CIDR ranges brought back by the Lambda script. (WAF max is 10k)

• One IPSet can contain up to 1000 CIDR ranges.
• Due to the nature of the match, only one IPSet condition can be used per Rule.
• One Web ACL can contain up to 10 Rules.
• Therefore the maximum number of CIDR ranges that can be supported by WAF is 10k.
• Currently, the number of CIDR ranges sourced from the URLs provided is ~12k.

I can't see a way around this unless: a) AWS changes the limits for WAF, or b) AWS changes the way that WAF rules work. c) We ignore one or more of the source URLs and therefore don't block all 'known' bad IPs.

Source: http://docs.aws.amazon.com/waf/latest/developerguide/limits.html http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-waf-rule.html#cfn-waf-rule-predicates

[ziggythehamster]

Ouch, this sucks.

$ aws waf get-ip-set --ip-set-id "ee0cef85-09e7-42ef-a916-9547753fe5a6" | jq '.IPSet.IPSetDescriptors | length'
1000
$ aws waf get-ip-set --ip-set-id "df848e55-00b9-43f9-9099-1cddd2a7ed4e" | jq '.IPSet.IPSetDescriptors | length'
1000

And that's just with DROP and EDROP. We use Terraform, so art19/terraform-aws-waf-drop uses this Lambda function to keep those two IPSets up to date with DROP and EDROP.

DROP and EDROP only have ~900 rules together, if AWS WAF supported arbitrary CIDRs.

[ziggythehamster]

This just gets worse if I look at the Lambda function's logs. It starts with 862 IP ranges, but after making the ranges compliant with WAF's rule for being on a /8, /16, /24, or /32, it ends up with 10,779.

Clearly, that means you need 11 rules and 11 IP sets on one ACL in order to contain the entire list. That's simply impossible.

I have opened AWS support case 854333951: AWS WAF limits make it impossible to use reputation lists correctly with AWS WAF... hopefully we can get these limits raised :)

[leeatkinson]

Thanks for your feedback. You can modfiy the template to create 10 IPSets in total. This would allow you to blacklist 10,000 ranges (using 10 x 1000 CIDRs). We are working on increasing these hard limits in the interest of further enhancing the customer experience of AWS WAF.

[jessesanford]

+1 we are not going to be able to use WAF unless these limits are increased. We would like to see the whole firehol level 1 list supported. http://iplists.firehol.org

[odnarb]

Same here, we're going to need WAF to increase its support. It's only space, right? :)

[yankurniawan]

Looks like the limit has been increased to 10,000 IP ranges per IP set, is this true? I tried to modify the lambda code with this new limit, but I got an error: "Operation would result in exceeding resource limits."

[jotes]

@yankurniawan It's true. However, you probably have to request an increase of the limit. More info at http://docs.aws.amazon.com/waf/latest/developerguide/limits.html

[marklkelly]

@yankurniawan - while the limit has increased, you can't update more than 1000 at a time. Your IpSet values will need to look something like this:

var maxDescriptorsPerIpSet = 10000; var maxDescriptorsPerIpSetUpdate = 1000;

[yankurniawan]

I see, thanks @marklkelly

[tomyam1]

Just ran with both limits set to 10,000 Sorry. It was successful just because there weren't any updates needed.. You do need to set maxDescriptorsPerIpSetUpdate to 1000