{"id":40378,"date":"2016-09-26T10:53:36","date_gmt":"2016-09-26T05:23:36","guid":{"rendered":"http:\/\/www.tothenew.com\/blog\/?p=40378"},"modified":"2016-09-26T14:56:06","modified_gmt":"2016-09-26T09:26:06","slug":"configuring-rate-based-blacklisting-of-ips-using-aws-waf-and-aws-lambda","status":"publish","type":"post","link":"https:\/\/www.tothenew.com\/blog\/configuring-rate-based-blacklisting-of-ips-using-aws-waf-and-aws-lambda\/","title":{"rendered":"Configuring Rate-Based Blacklisting of IP&#8217;s using AWS WAF and AWS Lambda"},"content":{"rendered":"<p>One security challenge we face these days is how to protect our web servers from DDoS attacks.<\/p>\n<p>This blog illustrates how we can automatically block unwanted traffic based on request rate by using AWS WAF and Lambda. This setup automatically detects traffic that exceeds a request-rate threshold, and then updates <a title=\"devops in aws\" href=\"http:\/\/www.tothenew.com\/devops-aws\">AWS WAF configurations<\/a> to block subsequent requests from those users.<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-40546\" src=\"\/blog\/wp-ttn-blog\/uploads\/2016\/09\/Heitor_ArchitectureandFlowa1.png\" alt=\"Heitor_ArchitectureandFlowa\" width=\"524\" height=\"319\" srcset=\"\/blog\/wp-ttn-blog\/uploads\/2016\/09\/Heitor_ArchitectureandFlowa1.png 524w, \/blog\/wp-ttn-blog\/uploads\/2016\/09\/Heitor_ArchitectureandFlowa1-300x182.png 300w\" sizes=\"(max-width: 524px) 100vw, 524px\" \/><\/p>\n<p>The above diagram explains the entire setup.<\/p>\n<p>It works as follows:<\/p>\n<p>As CloudFront receives requests on behalf of our web application, it sends access logs to an S3 bucket. 
A <a href=\"http:\/\/www.tothenew.com\/blog\/introduction-to-aws-lambda\/\">Lambda function<\/a> is triggered for every new access log stored in the S3 bucket. The Lambda function identifies the IP addresses that have made more requests than the defined threshold and adds those IP addresses to the AWS WAF block list. AWS WAF blocks these IP addresses for a period of time. After this blocking period expires, AWS WAF allows these IP addresses to access our application again, but it continues to monitor the requests from those IP addresses for a certain period of time. The Lambda function also publishes execution metrics to CloudWatch, such as the number of requests analyzed and IP addresses blocked.<\/p>\n<p>Follow these steps to implement the above setup:<\/p>\n<ol>\n<li>Sign in to the AWS Console. Click on Services and select <strong>CloudFormation<\/strong>.<\/li>\n<li>Click the \u201cCreate New Stack\u201d button.<\/li>\n<li>Upload waf_template.json from <a href=\"https:\/\/github.com\/awslabs\/aws-waf-sample\/tree\/master\/waf-reactive-blacklist\">this GitHub repository<\/a> on the \u201c<strong>Select Template<\/strong>\u201d page.<\/li>\n<li>Click \u201c<strong>Next<\/strong>\u201d:<img decoding=\"async\" loading=\"lazy\" class=\"alignnone  wp-image-40525\" src=\"\/blog\/wp-ttn-blog\/uploads\/2016\/09\/Screenshot-from-2016-09-20-1314231.png\" alt=\"Screenshot from 2016-09-20 13:14:23\" width=\"774\" height=\"386\" \/><\/li>\n<li>On the <strong>Specify Details<\/strong> page:\n<ul>\n<li>For the \u201c<strong>Stack name<\/strong>\u201d field, type the name of your stack.<\/li>\n<li>For the \u201c<strong>Create CloudFront Access Log Bucket<\/strong>\u201d field, select \u201c<strong>yes<\/strong>\u201d to create a new S3 bucket for CloudFront access logs.<\/li>\n<li>For the \u201c<strong>CloudFront Access Log Bucket Name<\/strong>\u201d field, type the name of the S3 bucket where CloudFront will send access logs.<\/li>\n<li>For the \u201c<strong>Request Threshold<\/strong>\u201d field, specify the maximum number of requests that can be made per minute without being blocked.<\/li>\n<li>For the \u201c<strong>WAF Block Period<\/strong>\u201d field, specify how long (in seconds) IP addresses should be blocked after exceeding the threshold.<\/li>\n<li>For \u201c<strong>WAF Quarantine Period<\/strong>\u201d, specify how long AWS WAF should keep monitoring IP addresses after it has stopped blocking them.<\/li>\n<li>Click \u201c<strong>Next<\/strong>\u201d:<\/li>\n<\/ul>\n<p align=\"left\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-40527\" src=\"\/blog\/wp-ttn-blog\/uploads\/2016\/09\/Screenshot-from-2016-09-20-1315211.png\" alt=\"Screenshot from 2016-09-20 13:15:21\" width=\"618\" height=\"312\" srcset=\"\/blog\/wp-ttn-blog\/uploads\/2016\/09\/Screenshot-from-2016-09-20-1315211.png 618w, \/blog\/wp-ttn-blog\/uploads\/2016\/09\/Screenshot-from-2016-09-20-1315211-300x151.png 300w\" sizes=\"(max-width: 618px) 100vw, 618px\" \/><\/p>\n<\/li>\n<li>On the <strong>Options<\/strong> page, click <strong>Next<\/strong>.<\/li>\n<li>On the <strong>Review<\/strong> page, click <strong>Create<\/strong>.<\/li>\n<\/ol>\n<p>This template creates all the components necessary to run the above setup: a Lambda function and an AWS WAF Web ACL (named Malicious Requesters) with all the necessary rules configured.<\/p>\n<ol>\n<li>Now open the <strong>CloudFront<\/strong> console.<\/li>\n<li>Select the distribution for which you want this setup to be configured.<\/li>\n<li>In the <strong>Distribution Settings<\/strong> pane, click the General tab, and then click Edit.\n<ul>\n<li>Edit the <strong>AWS WAF Web ACL<\/strong> setting. 
From the drop-down list, select the Web ACL that was created in the earlier steps (Malicious Requesters).<\/li>\n<li>For <strong>Logging<\/strong>, select <strong>On<\/strong>.<\/li>\n<li>In the \u201c<strong>Bucket for Logs<\/strong>\u201d field, select the bucket that you specified in the earlier step.<\/li>\n<li>Save your changes:<\/li>\n<\/ul>\n<p align=\"left\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone  wp-image-40570\" src=\"\/blog\/wp-ttn-blog\/uploads\/2016\/09\/Screenshot-from-2016-09-21-114503.png\" alt=\"Screenshot from 2016-09-21 11:45:03\" width=\"410\" height=\"353\" srcset=\"\/blog\/wp-ttn-blog\/uploads\/2016\/09\/Screenshot-from-2016-09-21-114503.png 660w, \/blog\/wp-ttn-blog\/uploads\/2016\/09\/Screenshot-from-2016-09-21-114503-300x258.png 300w, \/blog\/wp-ttn-blog\/uploads\/2016\/09\/Screenshot-from-2016-09-21-114503-624x537.png 624w\" sizes=\"(max-width: 410px) 100vw, 410px\" \/><\/p>\n<\/li>\n<\/ol>\n<p>This provisions the setup that automatically blocks IP addresses based on the specified request-rate threshold.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>One security challenge we face these days is how to protect our web servers from DDoS attacks. This blog illustrates how we can automatically block unwanted traffic based on request rate by using AWS WAF and Lambda. 
This setup automatically detects traffic based on request rate, and then updates AWS WAF configurations to block subsequent [&hellip;]<\/p>\n","protected":false},"author":914,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"iawp_total_views":36},"categories":[1174,2348,1],"tags":[2270,2937,2366,1679,1332,2532,3233,2932,1892],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/40378"}],"collection":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/users\/914"}],"replies":[{"embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/comments?post=40378"}],"version-history":[{"count":0,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/40378\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/media?parent=40378"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/categories?post=40378"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/tags?post=40378"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}