Enhancing DDoS Protection with Extended IP Block Duration Using AWS WAF Rate-Based Rules
Key Challenges
Malicious actors exploited the limited IP blocking duration in AWS WAF’s rate-based rules, resuming DDoS attacks after unblocking. Managing extended blocking durations while avoiding legitimate traffic disruptions required careful configuration to maintain security without compromising user experience or overwhelming the WAF system.
Key Results
The automated solution extended blocking durations for malicious IPs, effectively mitigating DDoS attacks. This preserved service availability, protected the brand’s reputation, and minimized operational costs. By leveraging AWS services, the solution ensured scalability and cost-effectiveness, delivering enhanced security and user satisfaction.
Overview
In a DDoS attack, the same IP addresses often return to repeat their HTTP request floods as soon as a rate-based rule releases them. A rate-based rule in AWS WAF blocks an address only while its request rate stays above the configured limit; once the rate falls below the limit the block is lifted automatically, and the rule offers no setting to hold an address for longer. An attacker who pauses briefly is therefore unblocked and can resume the flood, which limits how much protection the rule provides on its own.
To handle this, the blocking period for addresses identified as malicious has to be extended outside the rate-based rule. That introduces its own challenges: the extended block duration has to be tuned and the custom rules managed carefully so that legitimate traffic is disrupted as little as possible. Without proper configuration, legitimate users sharing an address with an attacker could be blocked for the full duration, or the block list could grow stale and beyond what an IP set can hold.
Architecture diagram
Challenges
Malicious actors exploited AWS WAF’s limited IP blocking duration to resume DDoS attacks after unblocking, creating recurring threats. Extending block durations posed challenges in balancing security with legitimate traffic access, managing large-scale IP sets without overwhelming the WAF, and ensuring real-time updates to maintain effective protection.
Solution
The solution uses AWS services such as AWS CloudFormation, Amazon EventBridge, AWS Lambda, Amazon S3, and AWS WAF to automate and extend the blocking of malicious IPs.
- Deploying the AWS CloudFormation Template:
The blocking duration for malicious IPs is a parameter of the CloudFormation template, so it is set when the stack is deployed and can be adjusted later to match the severity of the attack and the needs of the service.
- Using Amazon EventBridge and AWS Lambda:
An Amazon EventBridge rule triggers an AWS Lambda function every minute. The function calls the AWS WAFV2 GetRateBasedStatementManagedKeys API for the rate-based rule, which returns the IP addresses the rule is currently rate limiting (IPv4 and IPv6 addresses are returned as separate lists).
- Storing Blocked IPs in Amazon S3:
The function records each address, together with a timestamp, in an object in an Amazon S3 bucket. That record is what determines how long each address has been blocked, so addresses that have exceeded the configured blocking period can be removed.
- Updating Custom IP Sets:
The addresses in the S3 record are written to custom IP sets in AWS WAF, which a custom rule references to block the listed addresses. On each run the function adds newly rate-limited addresses to the record, drops addresses whose block duration has elapsed, and updates the IP sets to match, so that only addresses still within their block period remain blocked.
- Continual Update of the IP Block List:
Running this process every minute keeps malicious addresses blocked for the full configured duration while stopping the block list from growing stale or larger than an IP set can hold.
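The per-minute cycle described in the steps above, written out as an added example; it is not the solution's own Lambda code from the GitHub repository. It assumes the stack passes the block duration, the state bucket and object key, the web ACL, the rate-based rule name and the two IP set identifiers as environment variables (all of those names are invented here), stores the state object as a JSON map from CIDR to the time the address was first blocked, and keeps the bookkeeping separate from the AWS calls so it can be exercised without credentials:

```python
import ipaddress
import json
import os
from datetime import datetime, timedelta, timezone

# Assumed configuration; the real template derives its settings from stack parameters.
BLOCK_DURATION = timedelta(minutes=int(os.environ.get("BLOCK_DURATION_MINUTES", "240")))
STATE_BUCKET = os.environ.get("STATE_BUCKET", "example-blocked-ip-state")
STATE_KEY = os.environ.get("STATE_KEY", "blocked_ips.json")
MAX_IPSET_ADDRESSES = 10000  # AWS WAF limit on addresses per IP set


def normalize(addr):
    """Return CIDR notation, which IP sets require, whether the input is a bare
    address or already a CIDR (192.0.2.44 -> 192.0.2.44/32)."""
    return ipaddress.ip_network(addr, strict=False).with_prefixlen


def merge_blocked(state, rate_limited, now, block_duration=BLOCK_DURATION):
    """Apply one cycle to the state map (cidr -> ISO-8601 time first blocked).

    Entries older than block_duration are dropped first; every address the
    rate-based rule currently reports is then (re)added, keeping its original
    timestamp if it is still tracked.  An address that is still attacking when
    its block expires therefore simply starts a fresh block period."""
    cutoff = now - block_duration
    kept = {cidr: seen for cidr, seen in state.items()
            if datetime.fromisoformat(seen) > cutoff}
    for cidr in rate_limited:
        kept.setdefault(normalize(cidr), now.isoformat())
    return kept


def trim_to_limit(state, limit=MAX_IPSET_ADDRESSES):
    """UpdateIPSet rejects a list over the per-set limit; keep the most recently
    blocked entries rather than failing the whole update (applied to the whole
    map, which is conservative since the limit is per set)."""
    newest = sorted(state.items(), key=lambda kv: kv[1], reverse=True)[:limit]
    return dict(newest)


def split_by_version(cidrs):
    """An IP set holds a single address family, so v4 and v6 go to separate sets."""
    v4 = sorted(c for c in cidrs if ipaddress.ip_network(c).version == 4)
    v6 = sorted(c for c in cidrs if ipaddress.ip_network(c).version == 6)
    return v4, v6


def fetch_rate_limited(wafv2, scope, web_acl_name, web_acl_id, rule_name):
    """Addresses the rate-based rule is currently limiting, both families."""
    resp = wafv2.get_rate_based_statement_managed_keys(
        Scope=scope, WebACLName=web_acl_name, WebACLId=web_acl_id, RuleName=rule_name)
    return [a for key in ("ManagedKeysIPV4", "ManagedKeysIPV6")
            for a in resp.get(key, {}).get("Addresses", [])]


def replace_ip_set(wafv2, scope, name, ip_set_id, addresses):
    """UpdateIPSet replaces the whole list and needs the LockToken from a matching
    GetIPSet call (optimistic locking); a stale token makes the update fail."""
    current = wafv2.get_ip_set(Name=name, Scope=scope, Id=ip_set_id)
    wafv2.update_ip_set(Name=name, Scope=scope, Id=ip_set_id,
                        Addresses=addresses, LockToken=current["LockToken"])


def lambda_handler(event, context):
    import boto3  # imported here so the bookkeeping above runs without boto3 installed
    env = os.environ
    scope = env.get("WAF_SCOPE", "REGIONAL")  # "CLOUDFRONT" must be called in us-east-1
    wafv2 = boto3.client("wafv2")
    s3 = boto3.client("s3")

    try:
        state = json.loads(s3.get_object(Bucket=STATE_BUCKET, Key=STATE_KEY)["Body"].read())
    except s3.exceptions.NoSuchKey:
        state = {}  # first run, nothing tracked yet

    now = datetime.now(timezone.utc)
    rate_limited = fetch_rate_limited(wafv2, scope, env["WEB_ACL_NAME"],
                                      env["WEB_ACL_ID"], env["RATE_RULE_NAME"])
    state = trim_to_limit(merge_blocked(state, rate_limited, now))
    v4, v6 = split_by_version(state)

    replace_ip_set(wafv2, scope, env["IPSET_V4_NAME"], env["IPSET_V4_ID"], v4)
    replace_ip_set(wafv2, scope, env["IPSET_V6_NAME"], env["IPSET_V6_ID"], v6)
    s3.put_object(Bucket=STATE_BUCKET, Key=STATE_KEY, Body=json.dumps(state).encode())
    return {"blocked_v4": len(v4), "blocked_v6": len(v6)}
```

Two operational points follow from this shape. UpdateIPSet is guarded by the lock token, so two overlapping invocations will make one of them fail with WAFOptimisticLockException; running the function with a reserved concurrency of 1, or retrying on that exception, avoids a minute's update being lost. And because the extended block is applied per address, every user behind a shared address (a carrier NAT or corporate proxy) is cut off for the full duration, which is why the duration is a stack parameter rather than a fixed value.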
Deploying the Solution
- Download the CloudFormation Template:
Download the customized AWS CloudFormation template (customized-block-period-template.yaml) from the solution's GitHub repository.
- Create a Stack in the CloudFormation Console:
Navigate to the AWS CloudFormation console and create a new stack using the downloaded template. Refer to the CloudFormation User Guide for detailed instructions on stack creation.
- Specify Stack Details:
On the Specify stack details page, enter a unique stack name and provide the required parameters, including the blocking duration and the other configuration settings listed in the prerequisites section of the documentation.
- Provisioning Resources:
The template provisions several AWS resources, including:
- AWS WAF IP sets, which store the blocked IPs.
- An Amazon EventBridge rule that triggers the Lambda function at regular intervals.
- Amazon S3 buckets to store the blocked IP addresses and their timestamps.
- AWS IAM roles with permissions that allow the Lambda function to query AWS WAF and access the other required resources.
- The AWS Lambda function itself, which performs the logic for tracking and updating the blocked IP addresses.
- Deploy and Apply the WAF Rule:
Deployment typically takes less than 15 minutes. After the stack reaches CREATE_COMPLETE, create a custom AWS WAF rule in your web ACL that references the custom IP sets, which starts blocking the identified malicious IPs.
Business Outcome
- Improved Service Availability: By effectively mitigating DDoS attacks, the availability of business-critical services, websites, and applications is preserved. This minimizes service downtime, ensuring that legitimate users have continuous access and improving the overall user experience.
- Protection of Brand Reputation: DDoS attacks can cause significant harm to a company's reputation. Service disruptions or prolonged downtime can lead to a perception of unreliability, which damages customer trust. By proactively defending against such attacks, the company protects its brand, safeguarding its public image and maintaining customer loyalty.
- Cost Savings: DDoS attacks often result in significant costs, including mitigation efforts, legal liabilities, and lost revenue due to service downtime. By preventing these attacks upfront, businesses can avoid the high costs associated with attack recovery and operational disruption, leading to long-term cost savings. Additionally, by leveraging AWS services, the solution is cost-effective and scalable, further reducing operational expenses.
In summary, this solution leverages AWS tools and services to address the limitations of default rate-based WAF rules, allowing businesses to extend IP blocking durations effectively. This not only improves security but also ensures the continuity of service, enhancing both customer satisfaction and the organization's bottom line.