CloudFront rate limit rule doesn't work
I have a CloudFront distribution for an EC2 HTTP server. I created a rate limit for my CloudFront distribution using WAF. In theory no IP address should be able to send more than 2,000 requests in any 5 minute period. But this just doesn't seem to work. I fired off 10,000 concurrent requests from my laptop (using a Go program) in <1 minute and all of them got through. I know they are reaching the EC2 origin because my HTTP server keeps a counter for requests.

Strangely, the WAF dashboard even recognizes that traffic exceeded the 5 minute limit:


Yet no IP blocking took place (screenshot not reproduced here).

And my EC2 server registered all 10,000 hits.

Am I missing some configuration subtlety? Or is there meant to be a long delay between when CloudFront registers the traffic spike and when it implements the IP block?

EDIT: A config picture was attached (screenshot not reproduced here).

Phonemic answered 5/7, 2018 at 15:35

Comments (8):

- Bal: Drop your request rate to about 500 per minute and observe what happens after ~5 minutes. Let it run for at least 10.
- Phonemic: I ran ~1200 per minute for 10 minutes and all 13,000 requests got through. Is it safe to conclude that there's some bug in my configuration, or could this actually be intended firewall behavior?
- Bal: I would say there's a misconfiguration. I tested this a while back, and if I remember right, my result was getting blocked after 5 minutes.
- Bal: Verify that in the Web ACL you set the Action to Block, not Count. Count just counts. Also verify that there isn't another rule higher on the list that is set to Allow. (Although now I'm not sure whether that matters. I think it does.)
- Phonemic: Gotcha. Good to hear that it's an issue on my end at least. Action is Block, and I don't have any other rules (the setup is very minimal, I am just testing this functionality). Question edited with a picture of the rule.
- Osteopathy: @Phonemic Were you ever able to figure this out? I'm running into the same behavior. In my case I have the limit set to the lowest, 100, however I can easily send 1000+ requests with no blocks. It does block some requests, but the logic isn't very clear.
- Phonemic: Hi alan, unfortunately I never figured this out.
- Panter: Same problem: some blocking occurred, but I was able to send 20,000 requests in one minute and only 88 got blocked, when the rule allows only 100 requests. Did someone find any solution @Michael-sqlbot?
You probably already figured this out, but... you have to specifically select the AWS WAF Web ACL that contains the rate-limit rule in your CloudFront distribution. You can do this on the Distribution Settings page of your CloudFront distribution (second item, a dropdown with the label AWS WAF Web ACL).

If you don't, the two aren't connected together, which might explain why your requests aren't blocked when you expect them to be blocked.

Dolomites answered 8/11, 2018 at 16:54
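The two checks raised in this thread (the Web ACL must actually be associated with the distribution, and the rate-based rule's action must be Block rather than Count) can be audited offline before running any load test. The following Python is an added example, not code from the thread or from AWS. The dict shapes are an assumption: they mirror what boto3 returns from `cloudfront.get_distribution_config` and `wafv2.get_web_acl`, so real output from those calls can be passed in unchanged; every ARN, rule name and sample value below is constructed.

```python
"""Offline sanity checks for a CloudFront distribution protected by a WAF rate-based rule.

Two misconfigurations come up in the thread: the Web ACL is not associated with the
distribution at all, and the rate-based rule's action is Count instead of Block.
The helpers below check both on plain dicts. The dict shapes are an assumption:
they mirror the boto3 responses of cloudfront.get_distribution_config and
wafv2.get_web_acl (WAFv2, where CloudFront stores the Web ACL ARN in WebACLId).
"""

# Placeholder Web ACL ARN (constructed, not a real resource).
WEB_ACL_ARN = ("arn:aws:wafv2:us-east-1:123456789012:global/webacl/"
               "example-acl/00000000-0000-0000-0000-000000000000")

# Constructed sample: distribution with no Web ACL associated. CloudFront reports
# this as an empty WebACLId string, which is the situation the answer describes.
DISTRIBUTION_NO_ACL = {
    "DistributionConfig": {"Comment": "ec2 origin", "WebACLId": ""},
}

# Constructed sample: the same distribution with the Web ACL selected.
DISTRIBUTION_WITH_ACL = {
    "DistributionConfig": {"Comment": "ec2 origin", "WebACLId": WEB_ACL_ARN},
}


def _rate_rule(name, limit, action):
    """Build a minimal rate-based rule entry (helper for the constructed samples)."""
    return {
        "Name": name,
        "Priority": 0,
        "Statement": {"RateBasedStatement": {"Limit": limit, "AggregateKeyType": "IP"}},
        "Action": {action: {}},
    }


# Constructed sample: rate rule that only counts (the mistake raised in the comments).
WEB_ACL_COUNT_ONLY = {"WebACL": {"ARN": WEB_ACL_ARN,
                                 "Rules": [_rate_rule("rate-limit", 2000, "Count")]}}

# Constructed sample: rate rule that blocks.
WEB_ACL_BLOCKING = {"WebACL": {"ARN": WEB_ACL_ARN,
                               "Rules": [_rate_rule("rate-limit", 2000, "Block")]}}


def web_acl_attached(distribution):
    """Return the Web ACL identifier associated with the distribution, or None."""
    return distribution["DistributionConfig"].get("WebACLId") or None


def rate_rule_findings(web_acl):
    """Return (rule_name, problem) pairs for every rate-based rule that will not block.

    A rate-based rule whose Action has no Block entry (for example Count) is reported;
    rules that are not rate-based are ignored.
    """
    findings = []
    for rule in web_acl["WebACL"].get("Rules", []):
        if "RateBasedStatement" not in rule.get("Statement", {}):
            continue
        action = rule.get("Action", {})
        if "Block" not in action:
            action_name = next(iter(action), "none")
            findings.append((rule["Name"], f"action is {action_name}, not Block"))
    return findings


def has_rate_rule(web_acl):
    """True if at least one rule in the Web ACL is a rate-based rule."""
    return any("RateBasedStatement" in r.get("Statement", {})
               for r in web_acl["WebACL"].get("Rules", []))


def audit(distribution, web_acl):
    """Run every check and return a list of problems; an empty list means the setup looks right."""
    problems = []
    attached = web_acl_attached(distribution)
    if attached is None:
        problems.append("distribution has no Web ACL associated (WebACLId is empty)")
    elif attached != web_acl["WebACL"]["ARN"]:
        problems.append("distribution is associated with a different Web ACL than the one audited")
    if not has_rate_rule(web_acl):
        problems.append("Web ACL contains no rate-based rule")
    for name, problem in rate_rule_findings(web_acl):
        problems.append(f"rule {name!r}: {problem}")
    return problems


if __name__ == "__main__":
    for label, dist, acl in [
        ("no ACL attached, rule blocks", DISTRIBUTION_NO_ACL, WEB_ACL_BLOCKING),
        ("ACL attached, rule only counts", DISTRIBUTION_WITH_ACL, WEB_ACL_COUNT_ONLY),
        ("ACL attached, rule blocks", DISTRIBUTION_WITH_ACL, WEB_ACL_BLOCKING),
    ]:
        print(label, "->", audit(dist, acl) or "OK")
```

To run this against a real account, load the JSON from `aws cloudfront get-distribution-config --id <DISTRIBUTION_ID>` and `aws wafv2 get-web-acl --scope CLOUDFRONT --name <ACL_NAME> --id <ACL_ID>` and pass the parsed dicts to `audit`. An empty result only means the association and the rule action are right; it says nothing about whether the configured limit matches the traffic you intend to send.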
