Configuring Rate-Based Blacklisting of IPs using AWS WAF and AWS Lambda

26 / Sep / 2016 by Shruti Lamba 0 comments

One security challenge we face these days is how to protect our web servers from DDoS attacks. Rate-based blacklisting addresses one part of that problem: application-layer floods in which individual client IP addresses send far more requests than a legitimate user would. It does not help against volumetric attacks, nor against floods spread thinly across many source addresses that each stay under the threshold.

This blog illustrates how to block unwanted traffic automatically, based on request rate, using AWS WAF and AWS Lambda. The setup counts requests per source IP address in the CloudFront access logs, detects addresses that exceed a configured threshold, and updates the AWS WAF configuration to block subsequent requests from them.


The above diagram explains the entire setup.

It works as follows:

    1. CloudFront receives requests on behalf of our web application and writes its access logs to an S3 bucket.
    2. An S3 event triggers the Lambda function for every new access-log object stored in the bucket.
    3. The Lambda function parses the log, counts requests per client IP address per minute, and adds the addresses that exceed the defined threshold to the AWS WAF block list (an IP match condition used by a block rule in the Web ACL).
    4. AWS WAF blocks those addresses for the configured block period. When it expires, the addresses are removed from the block list and can reach the application again, but the Lambda function keeps monitoring their request rate for the quarantine period.
    5. The Lambda function also publishes execution metrics to CloudWatch, such as the number of requests analysed and the number of IP addresses blocked.

Two things to keep in mind: CloudFront delivers access logs with a delay of minutes or more, so the blocking is reactive and the first burst is served before the block takes effect; and the c-ip column is the address CloudFront sees, so many users behind one NAT or proxy share a single count and can be blocked together.
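The flow above, written out as an added example in Python. This is my illustration, not the code of the AWS sample Lambda that the CloudFormation template deploys: it assumes the access-log object has already been fetched from S3 and decompressed, keeps the block/quarantine state in a JSON-serialisable dict (as something persisted to S3 would be), treats "threshold" as "more than N requests from one address in one calendar minute", and uses the quarantine list only to report repeat offenders. The sample log lines are constructed.

```python
"""Rate-based blacklisting over CloudFront access logs.

Added illustration of the flow described above; it is not the code of the
AWS WAF sample Lambda. State layout, function names and the quarantine
handling are this example's own assumptions.
"""
from collections import Counter
from datetime import datetime, timedelta
from ipaddress import ip_address

TS = "%Y-%m-%d %H:%M:%S"  # CloudFront logs are UTC; all times here are naive UTC

# Constructed sample log in CloudFront's tab-separated format (real objects are
# gzipped in S3; assume they were decompressed). Only date, time and c-ip are
# read, the rest is filler. 198.51.100.7 makes 4 requests within minute 13:14.
SAMPLE_LOG = """#Version: 1.0
#Fields: date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem sc-status
2016-09-20\t13:14:01\tIAD53\t512\t198.51.100.7\tGET\td111.cloudfront.net\t/index.html\t200
2016-09-20\t13:14:02\tIAD53\t512\t198.51.100.7\tGET\td111.cloudfront.net\t/index.html\t200
2016-09-20\t13:14:03\tIAD53\t512\t203.0.113.9\tGET\td111.cloudfront.net\t/style.css\t200
2016-09-20\t13:14:20\tIAD53\t512\t198.51.100.7\tGET\td111.cloudfront.net\t/index.html\t200
2016-09-20\t13:14:45\tIAD53\t512\t203.0.113.9\tGET\td111.cloudfront.net\t/app.js\t200
2016-09-20\t13:14:59\tIAD53\t512\t198.51.100.7\tGET\td111.cloudfront.net\t/index.html\t200
2016-09-20\t13:15:10\tIAD53\t512\t203.0.113.9\tGET\td111.cloudfront.net\t/index.html\t200
"""
EMPTY_LOG = "#Version: 1.0\n#Fields: date time c-ip\n"  # constructed: a quiet log object


def parse_cloudfront_log(text):
    """Yield (timestamp, client_ip) per request line; columns come from '#Fields:'."""
    idx = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            idx = (fields.index("date"), fields.index("time"), fields.index("c-ip"))
            continue
        if not line or line.startswith("#"):
            continue
        if idx is None:
            raise ValueError("request line before #Fields header")
        cols = line.split("\t")
        ip = cols[idx[2]]
        ip_address(ip)  # refuse malformed addresses rather than feeding them to WAF
        yield datetime.strptime(f"{cols[idx[0]]} {cols[idx[1]]}", TS), ip


def find_offenders(requests, threshold):
    """Return {ip: peak requests in one minute} for IPs that went over threshold."""
    per_minute = Counter((ip, ts.replace(second=0)) for ts, ip in requests)
    peak = {}
    for (ip, _), n in per_minute.items():
        if n > threshold:
            peak[ip] = max(n, peak.get(ip, 0))
    return peak


def update_state(state, offenders, now, block_period, quarantine_period):
    """Block new offenders, then expire old entries. state = {"blocked": {ip: expiry},
    "quarantined": {ip: expiry}} with TS-string expiries (JSON-friendly). Returns
    (to_insert, to_delete, repeat): WAF inserts, deletes, re-offenders in quarantine."""
    blocked, quarantined = state["blocked"], state["quarantined"]
    to_insert, repeat = [], []
    for ip in sorted(offenders):
        if ip in quarantined:  # re-offended while being watched
            repeat.append(ip)
            del quarantined[ip]
        if ip not in blocked:
            to_insert.append(ip)
        blocked[ip] = (now + timedelta(seconds=block_period)).strftime(TS)  # re-offence extends
    to_delete = [ip for ip, exp in blocked.items() if now >= datetime.strptime(exp, TS)]
    for ip in to_delete:  # block over: lift it, keep watching for the quarantine period
        del blocked[ip]
        quarantined[ip] = (now + timedelta(seconds=quarantine_period)).strftime(TS)
    for ip in [ip for ip, exp in quarantined.items() if now >= datetime.strptime(exp, TS)]:
        del quarantined[ip]
    return to_insert, to_delete, repeat


def ip_set_updates(to_insert, to_delete):
    """Updates list for waf.update_ip_set(); WAF IP sets take CIDRs, hence /32 (/128)."""
    def descriptor(ip):
        v6 = ip_address(ip).version == 6
        return {"Type": "IPV6" if v6 else "IPV4", "Value": f"{ip}/{128 if v6 else 32}"}
    return ([{"Action": "INSERT", "IPSetDescriptor": descriptor(ip)} for ip in to_insert]
            + [{"Action": "DELETE", "IPSetDescriptor": descriptor(ip)} for ip in to_delete])


def run(log_text, state, now, threshold, block_period, quarantine_period):
    """One invocation over one log object. `now` is a TS string. Mutates `state`
    and returns the WAF updates plus the metrics the function would publish."""
    requests = list(parse_cloudfront_log(log_text))
    offenders = find_offenders(requests, threshold)
    ins, dele, rep = update_state(state, offenders, datetime.strptime(now, TS),
                                  block_period, quarantine_period)
    return {
        "updates": ip_set_updates(ins, dele),
        "metrics": {"RequestsAnalyzed": len(requests), "IPsBlocked": len(ins),
                    "IPsUnblocked": len(dele), "RepeatOffenders": len(rep)},
        "blocked": sorted(state["blocked"]), "quarantined": sorted(state["quarantined"]),
    }
```

In a real Lambda handler the pieces around this are the S3 event (bucket and key of the new log object), gunzipping the object, loading and saving the state object, and the two WAF calls (`get_change_token` followed by `update_ip_set` with the `updates` list) plus `put_metric_data` for the metrics. Note the `/32` suffix: AWS WAF IP sets are CIDR lists, so a bare address is rejected.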

Follow these steps to implement the setup:

    1. Sign in to the AWS Console. Click on Services and select CloudFormation.
    2. Click on the “Create New Stack” button.
    3. On the “Select Template” page, upload the waf_template.json file from the GitHub repository.
    4. Click “Next”.
    5. On the Specify Details page:
      • For the “Stack name” field, type the name of your stack.
      • For “Create CloudFront Access Log Bucket” field, select “yes” to create a new S3 bucket for CloudFront Access Logs.
      • For “CloudFront Access Log Bucket Name” field, type the name of the S3 bucket where CloudFront will send access logs.
      • For the “Request Threshold” field, specify the maximum number of requests a single IP address may make per minute without being blocked.
      • For the “WAF Block Period” field, specify for how long (in seconds) IP addresses should be blocked after exceeding the threshold.
      • For the “WAF Quarantine Period” field, specify for how long IP addresses should keep being monitored after the block on them is lifted.
      • Click “Next”:


    6. On the Options page, click Next.
    7. On the Review page, acknowledge the notice about IAM resources if it appears (the template has to create an execution role for the Lambda function), then click Create.

This template creates all the components needed to run the setup described above: a Lambda function and an AWS WAF Web ACL (named Malicious Requesters) with all necessary rules configured. Wait until the stack reaches CREATE_COMPLETE before continuing; the Web ACL will not be selectable in CloudFront until then.

  1. Now open CloudFront Console.
  2. Select the distribution for which you want this setup to be configured.
  3. In the Distribution Settings pane, click the General tab, and then click Edit.
    • Edit the AWS WAF Web ACL setting: from the drop-down list, select the Web ACL created in the earlier steps (Malicious Requesters).
    • For Logging, select On.
    • In the “Bucket for Logs” field, select the bucket that you specified in the earlier step.
    • Save your changes.


This completes the setup that automatically blocks IP addresses based on the specified request-rate threshold. To verify it, send more requests than the threshold from one address within a minute and wait for the next access log to be delivered: the address should appear in the IP match condition used by the Malicious Requesters Web ACL, subsequent requests from it should receive HTTP 403 responses from CloudFront, and the Lambda function's CloudWatch metrics should show it as blocked.

