AWS WAF didn't block requests if block condition matched for first time

Time:02-04

Using Locust, I made a WAF test on my application. I made a rate-limit-based rule to block an IP if requests exceed 100 in the default 5-minute window. When I tested with concurrency 400 and spawn rate 40, the WAF doesn't block after the total requests exceed 100. But when I stop the test and make a new test in Locust, only then does the WAF block that IP for 5 min. I tested many times and found that when I make a first Locust test, the WAF is not working even if the condition is met. But it works if I stop that test and make a new test. My purpose of blocking through the WAF seems not feasible, since an attacker can make an attack with huge requests and that won't be blocked.

My case

I tested it with number of users (peak concurrency) 400 and spawn rate (users started/second) 5. After one minute there were 2383 requests total; 965 requests were allowed and 1418 requests were forbidden. I have set a rate limit of 100 requests per 5 min in the WAF, and all source IP addresses are the same. It needs to block all users' requests after 100 requests. I couldn't figure out what the issue is. I have enabled the WAF on API Gateway.

CodePudding user response:

Per the WAF rate-based rule statement documentation:

It can take a minute or two for the action change to go into effect.

AWS WAF checks the rate of requests every 30 seconds, and counts requests for the prior 5 minutes each time. Because of this, it's possible for an IP address to send requests at too high a rate for 30 seconds before AWS WAF detects and blocks it.
