
You can now select the evaluation window for rate-based rules

Table of Contents

  1. Introduction
  2. Changes in rate-based rules
  3. Creating rate-based rules
  4. Effects on WafCharm
  5. Conclusion

1. Introduction

You can now select an evaluation window for rate-based rules.
AWS WAF enhances rate-based rules to support configurable time windows

The details about the evaluation window are provided on the page below.
Rate-based rule high-level settings

In this blog post, we will take a look at the changes in the rate-based rules.

2. Changes in rate-based rules

Previously, the rate-based rules' evaluation window was fixed to 5 minutes. With this update, you can select from 60 seconds (1 min), 120 seconds (2 min), 300 seconds (5 min), and 600 seconds (10 min).

The default value is still 300 seconds (5 min).

Please keep in mind that the minimum rate limit continues to be 100.

3. Creating rate-based rules

Please refer to the blog posts below for detailed procedures on how to create rate-based rules.

The configuration procedure is the same as above, but the new field [Evaluation window] is added in the AWS console.

As stated in the AWS official document, the default value is 300 seconds (5 min). If you use the default setting, you can continue to use the previous minimum rate of 100/5 minutes.

In addition, a new page [Rate-based rule caveats] has been added to the AWS official document. It lists things to keep in mind when using rate-based rules. The caveats about how AWS WAF estimates the request rate were available before, but the information about changing the conditions of an existing rate-based rule seems new.

If you change any of the rate limit settings in a rule that's in use, the change resets the rule's rate limiting counts. This can pause the rule's rate limiting activities for up to a minute. The rate limit settings are the evaluation window, rate limit, request aggregation settings, forwarded IP configuration, and scope of inspection.

According to the above, the rate limiting counts reset when you change the conditions (evaluation window, rate limit, request aggregation settings, forwarded IP configuration, and scope of inspection) of the existing rate-based rule and could pause the rate limiting activities for up to 1 minute.

If you don't want the existing rate-based rule to be affected when changing the conditions, you may need to create a new rate-based rule and delete the old rule after you've checked that the rules are working as expected.

4. Effects on WafCharm

As of March 5th, 2024, WafCharm hasn't caught up with the update yet and is currently working on it. If you create a rate-based rule with an evaluation window other than 5 minutes, the update from WafCharm will automatically change the rate-based rule to use the default value of 5 minutes. We apologize for any inconvenience caused.

We will update the post once WafCharm catches up with the update.

5. Conclusion

Up until now, we could only choose 100/5 minutes or above as the rate limit, but with this update, you can now adjust the evaluation window.

The previous minimum rate of 100/5 minutes could cause unexpected false positives, so be cautious when using the smaller evaluation windows, such as 1 minute or 2 minutes.

Since you can use the Count action for rate-based rules, you may want to use the Count action to see how the rate-based rules behave and change the action to Block once you are satisfied.
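As an added illustration (not part of the original post or of WafCharm's own code), the Python below builds a rate-based rule statement with the new EvaluationWindowSec field in Count mode, enforcing the 60/120/300/600 second choices and the minimum limit of 100 described above, and then runs an idealised sliding-window model over constructed traffic for one client IP to show why the window choice matters: a short burst reaches 100 requests under every window, while a slow trickle only does so under the longer ones. The sliding-window model is an assumption for illustration; AWS estimates the rate differently, as its caveats page notes.

```python
from collections import deque

# Evaluation windows (seconds) and the minimum rate limit stated in the post.
ALLOWED_WINDOWS = (60, 120, 300, 600)
MIN_LIMIT = 100


def rate_based_statement(limit, evaluation_window_sec=300):
    """RateBasedStatement for an AWS WAF rule, aggregating by source IP.
    EvaluationWindowSec is the new field; leaving it out means the 300 s default."""
    if evaluation_window_sec not in ALLOWED_WINDOWS:
        raise ValueError(f"evaluation window must be one of {ALLOWED_WINDOWS}")
    if limit < MIN_LIMIT:
        raise ValueError(f"rate limit must be at least {MIN_LIMIT}")
    return {"RateBasedStatement": {"Limit": limit,
                                   "EvaluationWindowSec": evaluation_window_sec,
                                   "AggregateKeyType": "IP"}}


def count_mode_rule(name, limit, evaluation_window_sec=300, priority=0):
    """Complete rule using the Count action so its behaviour can be observed first."""
    return {"Name": name, "Priority": priority,
            "Statement": rate_based_statement(limit, evaluation_window_sec),
            "Action": {"Count": {}},
            "VisibilityConfig": {"SampledRequestsEnabled": True,
                                 "CloudWatchMetricsEnabled": True, "MetricName": name}}


def first_trigger(request_times, limit, window):
    """Idealised sliding-window model (an assumption, not AWS's own estimator): the
    timestamp at which one client's requests within the trailing `window` seconds
    first reach `limit`, or None if they never do."""
    recent = deque()
    for t in request_times:
        recent.append(t)
        while recent[0] <= t - window:  # keep only requests in (t - window, t]
            recent.popleft()
        if len(recent) >= limit:
            return t
    return None


# Constructed traffic for a single client IP: a burst of 100 requests in under a minute
# (think of a page that loads 100 assets) versus one request every 3 s for five minutes.
BURST = [i * 0.5 for i in range(100)]
STEADY = [i * 3 for i in range(100)]

if __name__ == "__main__":
    for window in ALLOWED_WINDOWS:
        print(f"window {window:>3}s: burst triggers at {first_trigger(BURST, 100, window)}, "
              f"steady trickle triggers at {first_trigger(STEADY, 100, window)}")
```

Running the model shows the burst reaching the limit at 49.5 s under every window, while the trickle reaches it at 297 s only under the 300 s and 600 s windows, which is why observing the rule in Count mode before switching to Block is worthwhile.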