Denial of Service attacks are commons in these times. In my company we receive from time to time such an attack. For example on September 26th someone did almost one million requests in 1 hour on our servers and it was blocked by our AWS Web Application Firewall (WAF v2) :
I will detail in this article how did we protect us against DoS Attack using AWS WAF v2.
What is a DoS attack ?
Here is the definition according to Wikipedia :
A denial-of-service attack (DoS attack) is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to a network. Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled.https://en.wikipedia.org/wiki/Denial-of-service_attack
In my example we received 835k requests in 1 hour or 14,000 per minute. We can consider that as a DoS attack 😰
Configure AWF WAF v2 to protect a website against DoS Attack
AWF WAF v2 can be associated with various ressources like Cloudfront Distribution, Application Load Balancer, AWS AppSync, Amazon API Gateway or Amazon Cognito.
Let’s open your AWS Console, go to WAF v2 and create our first Web ACL. In our case we will create a Web ACL for a Cloudfront Distribution.
1. Create the Web ACL and select the Cloudfront Distribution :
2. Click on “Add my own rules and rule groups” :
3. Use the Rule builder to create a rate-based rule :
4. Configure the rule :
5. Choose the action to block :
6. And add the rule. You’re done 🤩
Now if someone does more than 500 requests in a five minute period, AWF WAF will block them by returning a 403 HTTP code !
Only $6 / month 🤑 ($5.00 per web ACL per month + $1.00 per rule per month)
AWS WAF checks the rate of requests every 30 seconds so your website can be DoS during 29 seconds.
Does AWF WAF impacts performances ?
Definitely no. We didn’t see any change in our response times.
DoS vs DDoS
There is a big difference between Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks. As distributed means different IP addresses, AWF WAF will not detect any DDoS if each IP does less than 500 requests per 5 minutes period. AWF offers another service called AWS Shield to protect you against DDoS attacks but it’s really expensive ($3000 per month).