More than 1 year has passed since last update.

@leomaro7

AWS WAF rate-based rules now start at 100 requests, so I tried a few things.

The rate limit, i.e. the maximum number of requests allowed from a single IP address within 5 minutes, seems to have gone from 2000 down to 100, so I did a quick check.
Update: Lower threshold for AWS WAF rate-based rules

Let's set it to 100.
[screenshot]

Incidentally, setting it below 100 gives the following.
[screenshot]

First of all, after 100 consecutive accesses the page stops being displayed. (The access target was an ALB.)
[screenshot]

Checking the rule shows that connections from the IP I accessed from are being blocked.
[screenshot]

Checking CloudWatch as well shows the requests being counted as BlockedRequests (rule: ALL).
[screenshot]

While I was at it, I also enabled "Logging" and checked it. The basic logging setup is exactly as in the page below, so I'll omit it.
Outputting AWS WAF logs to S3 with Firehose and checking the block logs with S3 Select

First, check the Kinesis graph.
[screenshot]

This time I set it up to store from Kinesis into S3. You can see both ALLOW and BLOCK records.

{"timestamp":1567134912907,"formatVersion":1,"webaclId":"ff22a72d-d373-431b-82b0-8841f8adbd58","terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","action":"ALLOW","httpSourceName":"ALB","httpSourceId":"44-app/alb/5a0b887f7f6f65b1","ruleGroupList":[],"rateBasedRuleList":[{"rateBasedRuleId":"88ecdb26-dd5e-47aa-a76f-0a6986c92e72","limitKey":"IP","maxRateAllowed":100}],"nonTerminatingMatchingRules":[],"httpRequest":{"clientIp":"202.232.30.201","country":"JP","headers":[{"name":"Host","value":"alb-1396868620.ap-northeast-1.elb.amazonaws.com"},{"name":"Upgrade-Insecure-Requests","value":"1"},{"name":"User-Agent","value":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36"},{"name":"Accept","value":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3"},{"name":"Accept-Encoding","value":"gzip, deflate"},{"name":"Accept-Language","value":"ja,en-US;q=0.9,en;q=0.8"}],"uri":"/","args":"","httpVersion":"HTTP/1.1","httpMethod":"GET","requestId":null}}
{"timestamp":1567134936574,"formatVersion":1,"webaclId":"ff22a72d-d373-431b-82b0-8841f8adbd58","terminatingRuleId":"88ecdb26-dd5e-47aa-a76f-0a6986c92e72","terminatingRuleType":"RATE_BASED","action":"BLOCK","httpSourceName":"ALB","httpSourceId":"44-app/alb/5a0b887f7f6f65b1","ruleGroupList":[],"rateBasedRuleList":[{"rateBasedRuleId":"88ecdb26-dd5e-47aa-a76f-0a6986c92e72","limitKey":"IP","maxRateAllowed":100}],"nonTerminatingMatchingRules":[],"httpRequest":{"clientIp":"202.232.30.201","country":"JP","headers":[{"name":"Host","value":"alb-1396868620.ap-northeast-1.elb.amazonaws.com"},{"name":"Upgrade-Insecure-Requests","value":"1"},{"name":"User-Agent","value":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36"},{"name":"Accept","value":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3"},{"name":"Accept-Encoding","value":"gzip, deflate"},{"name":"Accept-Language","value":"ja,en-US;q=0.9,en;q=0.8"}],"uri":"/","args":"","httpVersion":"HTTP/1.1","httpMethod":"GET","requestId":null}}
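The two records above show what a rate-based block looks like once the logs land in S3: the ALLOW record terminates on Default_Action (terminatingRuleType REGULAR), while the BLOCK record terminates on the rate-based rule itself (terminatingRuleType RATE_BASED), and both carry the rule's limitKey and maxRateAllowed in rateBasedRuleList. The script below is an added example, not code from the original post or from AWS: it parses newline-delimited WAF log records with that field layout, summarises them by action and terminating rule type and by blocked client IP, and replays a simplified 5-minute per-IP sliding-window count so you can see where the 100-request threshold is crossed. The sample records are constructed (placeholder web ACL and rule IDs, RFC 5737 documentation addresses), and the replay is a model of the rule, not WAF's actual evaluation schedule.

```python
"""Summarise AWS WAF JSON log records and replay a 5-minute per-IP rate threshold.

Added example, not from the original Qiita post. Field layout follows the records
shown in the post; all sample data below is constructed with placeholder IDs.
"""
import json
from collections import Counter, defaultdict, deque

WINDOW_MS = 5 * 60 * 1000  # rate-based rules count requests per 5-minute window


def make_record(ts_ms, client_ip, action, rule_type, max_rate=100):
    """Build a constructed WAF log line with the same field layout as the post's logs."""
    rate_rule_id = "RATE-RULE-ID-PLACEHOLDER"  # placeholder, not a real rule ID
    return json.dumps({
        "timestamp": ts_ms,
        "formatVersion": 1,
        "webaclId": "WEBACL-ID-PLACEHOLDER",
        "terminatingRuleId": rate_rule_id if rule_type == "RATE_BASED" else "Default_Action",
        "terminatingRuleType": rule_type,
        "action": action,
        "httpSourceName": "ALB",
        "httpSourceId": "app/alb-placeholder/0123456789abcdef",
        "ruleGroupList": [],
        "rateBasedRuleList": [{"rateBasedRuleId": rate_rule_id,
                               "limitKey": "IP", "maxRateAllowed": max_rate}],
        "nonTerminatingMatchingRules": [],
        "httpRequest": {"clientIp": client_ip, "country": "JP", "headers": [],
                        "uri": "/", "args": "", "httpVersion": "HTTP/1.1",
                        "httpMethod": "GET", "requestId": None},
    })


# Constructed sample: one IP sends 105 requests one second apart (the last 5 are
# blocked by the rate-based rule), another IP sends 3 widely spaced requests.
T0 = 1_567_134_900_000
SAMPLE_LOG_LINES = (
    [make_record(T0 + i * 1000, "198.51.100.10", "ALLOW", "REGULAR") for i in range(100)]
    + [make_record(T0 + i * 1000, "198.51.100.10", "BLOCK", "RATE_BASED") for i in range(100, 105)]
    + [make_record(T0 + i * 7000, "203.0.113.5", "ALLOW", "REGULAR") for i in range(3)]
)


def parse_waf_log(lines):
    """Parse newline-delimited WAF JSON records, skipping blank or malformed lines."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a Firehose batch boundary can cut a line; ignore such fragments
    return records


def summarise(records):
    """Count records per (action, terminatingRuleType) and BLOCK records per client IP."""
    by_outcome = Counter((r["action"], r["terminatingRuleType"]) for r in records)
    blocked_by_ip = Counter(r["httpRequest"]["clientIp"]
                            for r in records if r["action"] == "BLOCK")
    return by_outcome, blocked_by_ip


def replay_rate_limit(records, limit):
    """Re-derive per-IP rate verdicts with a sliding 5-minute window.

    Returns (clientIp, timestamp) for every request that pushes an IP past `limit`
    requests in the window. Simplified model: WAF evaluates on its own schedule, so
    real enforcement does not kick in at exactly the (limit + 1)th request.
    """
    window = defaultdict(deque)
    exceeded = []
    for r in sorted(records, key=lambda r: r["timestamp"]):
        ip, ts = r["httpRequest"]["clientIp"], r["timestamp"]
        q = window[ip]
        q.append(ts)
        while q and ts - q[0] >= WINDOW_MS:  # drop requests older than the window
            q.popleft()
        if len(q) > limit:
            exceeded.append((ip, ts))
    return exceeded


if __name__ == "__main__":
    recs = parse_waf_log(SAMPLE_LOG_LINES)
    outcome, blocked = summarise(recs)
    for (action, rule), n in sorted(outcome.items()):
        print(f"{action:5} {rule:10} {n}")
    print("blocked per IP:", dict(blocked))
    print("requests over the limit in replay:", len(replay_rate_limit(recs, 100)))
```

Run it against real logs by replacing SAMPLE_LOG_LINES with the lines read from the S3 objects Firehose wrote; the summary is the same view the post gets from CloudWatch's BlockedRequests, broken down per source IP, and the replay is a quick way to sanity-check whether a given threshold would have caught a burst before lowering it in the console.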