How to create customize AWS WAF Rate-based rule for 1min time window?

Question

I am new to AWS WAF, we have use case where we need to block certain amount of IPs within a 1min time window ?

in breif : IP address/addresses block for 10 minutes if we are getting more than 20 Requests per minute. As per the current architecture , none of API GATEWAY/LAMBDA are used. It just a simple system and ALB being attached to the WEB Acl.so is there a way to implement required solution , can someone assist me?

i tried to implement custom json rule, but it didnt work too.

Answer 1

Unfortunately, not possible to do it that way with WAF.

WAF is counting the requests made in the last 5 minutes. It does the count every 30 seconds and if the threshold is breached, it will block the requests.

The minimum that you can set is 100 requests in the last 5 minutes.

If it's absolutely necessary to do it the way you described, you could do something like this (it does add a bit of complexity to your system):

• Create IP set and WAF rule that will block IPs from the IP set
• log every request in DynamoDB, containing IP address and timestamp
• On every request, check if the threshold is breached. If it is, add IP address to the IP set
• Create a Lambda function that will run every minute, check the IP set and remove from IP set the addresses that haven't appeared in the last 10 minutes (since you said you wanted to block them for 10 minutes)