The AWS WAF rate-based rule minimum is now 100 requests, so I tried a few things.


The lower bound on the rate limit (the maximum number of requests from a single IP address in 5 minutes) appears to have gone from 2000 to 100, so I did a quick check.
Update: lower bound of the threshold for AWS WAF rate-based rules

Set it to 100.
[Screenshot: rate-based rule with the limit set to 100]

Incidentally, entering a value below 100 gives the result shown here.
[Screenshot: the console's response when a value below 100 is entered]

After 100 consecutive requests the page stops being displayed. (The target was an ALB.)
[Screenshot: browser after 100 consecutive requests]

Checking the rule shows that connections from the IP I accessed from are being blocked.
[Screenshot: the rate-based rule listing the blocked IP]

Checking CloudWatch also shows the requests recorded as ALL BlockedRequests.
[Screenshot: CloudWatch BlockedRequests metric]

While I was at it, I also enabled logging and checked the output. The basic logging setup is exactly as described on the page below, so I'll skip it here.
Outputting AWS WAF logs to S3 via Firehose and checking the block logs with S3 Select

First, check the Kinesis graph.
[Screenshot: Kinesis Data Firehose delivery graph]

This time the logs were delivered Kinesis → S3. You can see one ALLOW record and one BLOCK record; the BLOCK has terminatingRuleType RATE_BASED and terminatingRuleId equal to the rate-based rule's ID, with maxRateAllowed 100.

{"timestamp":1567134912907,"formatVersion":1,"webaclId":"ff22a72d-d373-431b-82b0-8841f8adbd58","terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","action":"ALLOW","httpSourceName":"ALB","httpSourceId":"44-app/alb/5a0b887f7f6f65b1","ruleGroupList":[],"rateBasedRuleList":[{"rateBasedRuleId":"88ecdb26-dd5e-47aa-a76f-0a6986c92e72","limitKey":"IP","maxRateAllowed":100}],"nonTerminatingMatchingRules":[],"httpRequest":{"clientIp":"202.232.30.201","country":"JP","headers":[{"name":"Host","value":"alb-1396868620.ap-northeast-1.elb.amazonaws.com"},{"name":"Upgrade-Insecure-Requests","value":"1"},{"name":"User-Agent","value":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36"},{"name":"Accept","value":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3"},{"name":"Accept-Encoding","value":"gzip, deflate"},{"name":"Accept-Language","value":"ja,en-US;q=0.9,en;q=0.8"}],"uri":"/","args":"","httpVersion":"HTTP/1.1","httpMethod":"GET","requestId":null}}
{"timestamp":1567134936574,"formatVersion":1,"webaclId":"ff22a72d-d373-431b-82b0-8841f8adbd58","terminatingRuleId":"88ecdb26-dd5e-47aa-a76f-0a6986c92e72","terminatingRuleType":"RATE_BASED","action":"BLOCK","httpSourceName":"ALB","httpSourceId":"44-app/alb/5a0b887f7f6f65b1","ruleGroupList":[],"rateBasedRuleList":[{"rateBasedRuleId":"88ecdb26-dd5e-47aa-a76f-0a6986c92e72","limitKey":"IP","maxRateAllowed":100}],"nonTerminatingMatchingRules":[],"httpRequest":{"clientIp":"202.232.30.201","country":"JP","headers":[{"name":"Host","value":"alb-1396868620.ap-northeast-1.elb.amazonaws.com"},{"name":"Upgrade-Insecure-Requests","value":"1"},{"name":"User-Agent","value":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36"},{"name":"Accept","value":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3"},{"name":"Accept-Encoding","value":"gzip, deflate"},{"name":"Accept-Language","value":"ja,en-US;q=0.9,en;q=0.8"}],"uri":"/","args":"","httpVersion":"HTTP/1.1","httpMethod":"GET","requestId":null}}
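Once the logs land in S3, the fields above (action, terminatingRuleType, rateBasedRuleList, httpRequest.clientIp) are enough to answer the two questions you actually care about: which IPs are being blocked by the rate-based rule, and whether the limit recorded in the logs still matches what you set in the console. The following script is an added example, not part of the original post or of any AWS tooling; it runs over a constructed newline-delimited sample with the same shape as the records above (placeholder IDs and documentation-range IPs, trimmed to the fields used). The function and constant names are my own.

```python
import json
from collections import Counter

# Constructed sample in the shape of the WAF log records shown above.
# IDs and client IPs are placeholders, not values from a real account.
SAMPLE_LOG = """
{"timestamp":1567134912907,"formatVersion":1,"webaclId":"WEBACL-ID-PLACEHOLDER","terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","action":"ALLOW","rateBasedRuleList":[{"rateBasedRuleId":"RULE-ID-PLACEHOLDER","limitKey":"IP","maxRateAllowed":100}],"httpRequest":{"clientIp":"198.51.100.10","country":"JP","uri":"/","httpMethod":"GET"}}
{"timestamp":1567134936574,"formatVersion":1,"webaclId":"WEBACL-ID-PLACEHOLDER","terminatingRuleId":"RULE-ID-PLACEHOLDER","terminatingRuleType":"RATE_BASED","action":"BLOCK","rateBasedRuleList":[{"rateBasedRuleId":"RULE-ID-PLACEHOLDER","limitKey":"IP","maxRateAllowed":100}],"httpRequest":{"clientIp":"198.51.100.10","country":"JP","uri":"/","httpMethod":"GET"}}
{"timestamp":1567134940000,"formatVersion":1,"webaclId":"WEBACL-ID-PLACEHOLDER","terminatingRuleId":"RULE-ID-PLACEHOLDER","terminatingRuleType":"RATE_BASED","action":"BLOCK","rateBasedRuleList":[{"rateBasedRuleId":"RULE-ID-PLACEHOLDER","limitKey":"IP","maxRateAllowed":100}],"httpRequest":{"clientIp":"198.51.100.10","country":"JP","uri":"/login","httpMethod":"POST"}}
{"timestamp":1567134941000,"formatVersion":1,"webaclId":"WEBACL-ID-PLACEHOLDER","terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","action":"ALLOW","rateBasedRuleList":[],"httpRequest":{"clientIp":"203.0.113.7","country":"US","uri":"/","httpMethod":"GET"}}
"""


def parse_waf_log(text):
    """Parse newline-delimited WAF log records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def summarize(records):
    """Return (action counts, rate-based BLOCK count per client IP).

    Only blocks whose terminating rule is RATE_BASED are attributed to the
    rate limit; blocks from other rule types are counted in `actions` only.
    """
    actions = Counter(r["action"] for r in records)
    rate_blocked = Counter()
    for r in records:
        if r["action"] == "BLOCK" and r["terminatingRuleType"] == "RATE_BASED":
            rate_blocked[r["httpRequest"]["clientIp"]] += 1
    return actions, rate_blocked


def check_rate_limit(records, expected_limit):
    """Drift check: IDs of rate-based rules whose logged maxRateAllowed differs
    from the limit you believe is configured (e.g. 100 after this change)."""
    drift = set()
    for r in records:
        for rule in r.get("rateBasedRuleList", []):
            if rule.get("maxRateAllowed") != expected_limit:
                drift.add(rule["rateBasedRuleId"])
    return drift


def first_block_delay_ms(records):
    """Per client IP, milliseconds from its first logged request to its first
    RATE_BASED block. IPs never blocked by the rate rule are omitted."""
    first_seen, first_block = {}, {}
    for r in sorted(records, key=lambda r: r["timestamp"]):
        ip = r["httpRequest"]["clientIp"]
        first_seen.setdefault(ip, r["timestamp"])
        if r["action"] == "BLOCK" and r["terminatingRuleType"] == "RATE_BASED":
            first_block.setdefault(ip, r["timestamp"])
    return {ip: first_block[ip] - first_seen[ip] for ip in first_block}


if __name__ == "__main__":
    recs = parse_waf_log(SAMPLE_LOG)
    actions, blocked = summarize(recs)
    print("actions:", dict(actions))
    print("rate-based blocks per IP:", dict(blocked))
    print("rules not at limit 100:", check_rate_limit(recs, 100))
    print("ms until first block:", first_block_delay_ms(recs))
```

Point the script at the objects Firehose wrote to S3 (each object is newline-delimited JSON, so `parse_waf_log` can be fed the file contents unchanged) and the drift check will flag any rule whose logged limit is not the 100 you set, which is a cheap way to notice a rule that was later edited or a second rule that still carries an older threshold.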
leomaro7
AWS Certified Solutions Architect – Associate, AWS Certified SysOps Administrator – Associate, AWS Certified Developer – Associate, AWS Certified Cloud Practitioner