aws-solutions / aws-waf-security-automations

This solution automatically deploys a single web access control list (web ACL) with a set of AWS WAF rules designed to filter common web-based attacks.
https://aws.amazon.com/solutions/aws-waf-security-automations
Apache License 2.0

HTTP Flood Protection not required to be at least 2000 requests (per 5 minutes)? #56

Closed waldensystems closed 6 years ago

waldensystems commented 6 years ago

First of all, thank you so much for this package. I have been in a nearly decade-long cat and mouse game with brute forcers/etc. on pages that require client access and cannot be simply IP gated. This package is much appreciated.

I seem to be able to put any value into this field (unlike the Rate-Limit WAF rules which will not allow a value lower than 2000 to be submitted). Is there a reason why the minimum has to be 2000 and issues will arise if set any lower?

In the CloudFormation template it has:

    "RequestThreshold": {
        "Type": "Number",
        "Default": "2000",
        "MinValue": "2000",
        "Description": "If you chose yes for the Activate HTTP Flood Protection parameter, enter the maximum acceptable requests per FIVE-minute period per IP address. Minimum value of 2000. If you chose to deactivate this protection, ignore this parameter."
    },

https://docs.aws.amazon.com/solutions/latest/aws-waf-security-automations/deployment.html "The minimum acceptable value is 2000."

hvital commented 6 years ago

Thanks for the feedback!!

For limits lower than the AWS WAF rate-based rule limit, I would suggest keeping the template with the minimal accepted value and changing the log parser lambda function to also inspect for HTTP flood.

You can see that this function defines REQUEST_COUNTER_INDEX and keeps track of how many requests each origin has made. All you need to do is review line 20 and change it from:

if int(environ['ERROR_PER_MINUTE_LIMIT']) >= 0 and v[ERROR_COUNTER_INDEX] > int(environ['ERROR_PER_MINUTE_LIMIT']):

To something like:

if (int(environ['ERROR_PER_MINUTE_LIMIT']) >= 0 and v[ERROR_COUNTER_INDEX] > int(environ['ERROR_PER_MINUTE_LIMIT'])) or (int(environ['REQUEST_PER_MINUTE_LIMIT']) >= 0 and v[REQUEST_COUNTER_INDEX] > int(environ['REQUEST_PER_MINUTE_LIMIT'])):

And please remember to define REQUEST_PER_MINUTE_LIMIT as a lambda environment variable.

It's important to keep the original HTTP Flood protection activated, as AWS WAF rate-based rules inspect requests and react to bad behavior in near real time. The log parser only takes action when access log files are delivered to S3 (more info here).

Lastly, please note that rate-based rules aggregate data per 5-minute period, while the log parser does it per minute.
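The per-minute check described in the comment above, as an added stand-alone example that is not the solution's own log parser code. It assumes per-IP counters stored as a list indexed by REQUEST_COUNTER_INDEX and ERROR_COUNTER_INDEX (names from the thread, positions assumed), limits read from the two environment variables named above, a negative limit disabling that check, and constructed sample records in place of real CloudFront/ALB log lines.

```python
"""Combined error-rate / request-rate check per minute and per origin IP.
Added example; not code from aws-waf-security-automations."""
import os
from collections import defaultdict

REQUEST_COUNTER_INDEX = 0   # assumed position in the per-IP counter list
ERROR_COUNTER_INDEX = 1     # assumed position in the per-IP counter list


def count_per_minute(records):
    """Aggregate (minute, ip, status) records into {(minute, ip): [requests, errors]}."""
    counters = defaultdict(lambda: [0, 0])
    for minute, ip, status in records:
        c = counters[(minute, ip)]
        c[REQUEST_COUNTER_INDEX] += 1
        if status >= 400:
            c[ERROR_COUNTER_INDEX] += 1
    return counters


def _limit(name):
    # Mirrors int(environ[...]) in the lambda; -1 (disabled) if the variable is unset.
    return int(os.environ.get(name, "-1"))


def offending_ips(counters, error_limit=None, request_limit=None):
    """Return IPs whose per-minute errors OR requests exceed the configured limit.
    This is the 'or' condition suggested above; a limit < 0 disables that half."""
    if error_limit is None:
        error_limit = _limit("ERROR_PER_MINUTE_LIMIT")
    if request_limit is None:
        request_limit = _limit("REQUEST_PER_MINUTE_LIMIT")
    blocked = set()
    for (_minute, ip), v in counters.items():
        too_many_errors = error_limit >= 0 and v[ERROR_COUNTER_INDEX] > error_limit
        too_many_requests = request_limit >= 0 and v[REQUEST_COUNTER_INDEX] > request_limit
        if too_many_errors or too_many_requests:
            blocked.add(ip)
    return blocked


def build_sample():
    """Constructed records (minute bucket, client IP, HTTP status); not real logs."""
    recs = [("12:00", "198.51.100.7", 404)] * 120 + [("12:00", "198.51.100.7", 200)] * 30
    # 400 successful requests in one minute: below a 2000-per-5-minutes rate-based
    # rule, but above a 300-per-minute REQUEST_PER_MINUTE_LIMIT.
    recs += [("12:01", "203.0.113.9", 200)] * 400
    recs += [("12:00", "192.0.2.5", 200)] * 50 + [("12:01", "192.0.2.5", 200)] * 50
    return recs


if __name__ == "__main__":
    print(offending_ips(count_per_minute(build_sample()), error_limit=100, request_limit=300))
```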

waldensystems commented 6 years ago

Thank you I will go in that direction. Much appreciated.