AWS WAF Rate Limit Implement and Testing - johnzheng1975/devops_way GitHub Wiki
AWS WAF Rate Limit Implementation and Testing
Purpose
Implement a rate limit on AWS WAF to prevent an attacker from overloading our API servers with a high volume of requests.
Background
We have one WAF, aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee, bound to two API server domains:
- hpbp-int.xxx.io
- oauth-int.xxx.io
Basic implementation
AWS Console
Create a rate-limit rule: 3000 requests in a five-minute period.
Testing
Test Process:
Use JMeter to send requests to https://oauth-int.xxx.io/oauth/v1/health from one EC2 instance (IP: 1.2.3.4) at a continuous 15 TPS.
Test results:
- Requests start failing only after 4500 successful requests (not 3000): the block takes effect about 1 min 30 s after the request count reaches 3000.
- While blocked with 403, both "hpbp-int.xxx.io" and "oauth-int.xxx.io" return 403, although hpbp-int.xxx.io had not been accessed at all in the last 5 minutes. This is because the WAF rate limit counts requests across all ALBs associated with it, combined.
- While requests from the JMeter host (1.2.3.4) fail with 403, requests from other IPs are still served normally.
- Responses return to 200 about 2 minutes after the host stops sending requests.
Further implementation
Another EKS cluster will send a large volume of requests to these two API servers. Since it is our own cluster, its IP should be excluded from this WAF rate limit. This EKS cluster has one NAT gateway IP: 2.2.2.2
AWS Console
Modify the rate-limit rule (3000 requests in a five-minute period) by adding one more condition: source IP not in the IP set containing "2.2.2.2".
Test result
- Requests from that EKS cluster are never rate limited.
- Requests from other IPs show the same results as in the basic implementation above.
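The final rule from the two steps above (3000 requests per five minutes, per source IP, with the EKS NAT IP excluded), written out as an added example in the current AWS WAF (wafv2) rule JSON; it is not taken from the wiki, which configured the rule in the console, and the rule name, metric name, the IP set name `trusted-eks-nat`, and the `REGION`, `ACCOUNT_ID` and `IPSET_ID` placeholders in the ARN are assumptions. The IP set referenced by the ARN is assumed to contain `2.2.2.2/32`.

```json
{
  "Name": "rate-limit-3000-per-5min",
  "Priority": 0,
  "Statement": {
    "RateBasedStatement": {
      "Limit": 3000,
      "AggregateKeyType": "IP",
      "ScopeDownStatement": {
        "NotStatement": {
          "Statement": {
            "IPSetReferenceStatement": {
              "ARN": "arn:aws:wafv2:REGION:ACCOUNT_ID:regional/ipset/trusted-eks-nat/IPSET_ID"
            }
          }
        }
      }
    }
  },
  "Action": {
    "Block": {}
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "rate-limit-3000-per-5min"
  }
}
```

Requests matching the scope-down statement's IP set are not counted at all, which is why the EKS traffic is never limited; for every other source IP the count is kept per web ACL, so, as the test above shows, it is shared across all ALBs associated with that web ACL and the block is applied with a delay after the limit is crossed.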