How to throttle AWS Lambda or API Gateway by IP?
I'm currently trying to design a Serverless Application using S3 static website, API Gateway and AWS Lambda. I want to make this website public, so there is no API key per user.

I want to prevent abuse of these endpoints to something really low, like 1 request every 5 seconds for a given public IP.

Is it possible with AWS Shield or inside any of these services?

Antetype answered 4/6, 2019 at 21:25 Comment(1)
Look at AWS WAF rules. (Clementia)

Update March 23 2021:

You can now throttle as low as 100 requests per 5 minutes!

Old answer:

Unfortunately, if you have a requirement of "I want to prevent abuse of these endpoints to something really low, like 1 request every 5 seconds for a given public IP", then AWS WAF will not be suitable.

The minimum threshold you can set for a WAF rate based rule is 2000 requests in a 5 minute period.

If you want to implement aggressive rate based rules based on IP, you will need to write your own solution that either:

  • Inspects the CloudFront access logs and retroactively bans bad IPs
  • Uses Lambda@Edge to evaluate requests in real time and ban accordingly

What might be more appropriate for your use case is using throttling on an API stage, but not based on IP. What you can do is set a maximum number of requests per second on average, and have the API return a 429 (Too Many Requests) when that number is exceeded. You can be really aggressive with this, or more relaxed by using a decimal value.

Towardly answered 5/6, 2019 at 6:25 Comment(1)
If you throttle at the API level to, let's say, 1 request per second, you won't suffer a "cost attack", but someone could easily take your application down for other users too if it's not being blocked by IP. (Bowlds)
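The per-IP logic this answer says you have to write yourself, as an added example that is not part of the original post and not AWS-provided code. It assumes a Lambda@Edge viewer-request function in front of the CloudFront distribution; the class, function and constant names (IpRateLimiter, viewer_request_handler, simulate, SAMPLE) and the 60-second ban are my choices, the event field paths are the documented Lambda@Edge and API Gateway REST proxy ones, and the traffic sample is constructed from documentation-range addresses. The same class also expresses a WAF-style threshold such as 100 requests per 5 minutes by changing its two parameters, so it covers both the "1 per 5 seconds" asked for here and the later WAF minimum.

```python
"""Per-IP sliding-window rate limiting for a Lambda@Edge viewer-request
function.  Added example, not code from the original post.

Assumptions: names, the ban duration and the in-memory store are mine.
Lambda execution environments do not share memory, so a real deployment
must keep the per-IP state in a shared store (DynamoDB, ElastiCache);
the class isolates that state so the backend can be swapped.
"""
import ipaddress
import time
from collections import defaultdict, deque


class IpRateLimiter:
    """At most `limit` allowed requests per `window_seconds` for each IP.

    Rejected requests do not consume budget, so a client that backs off for
    one window recovers; `ban_seconds` deals with clients that never do.
    """

    def __init__(self, limit, window_seconds, ban_seconds=0):
        self.limit = limit
        self.window = window_seconds
        self.ban = ban_seconds
        self._hits = defaultdict(deque)  # ip -> timestamps of allowed requests
        self._banned_until = {}          # ip -> epoch second the ban lifts

    def check(self, ip, now):
        """Return True if a request from `ip` at epoch time `now` may proceed."""
        ip = str(ipaddress.ip_address(ip))  # canonicalise; raises on garbage
        lifted = self._banned_until.get(ip)
        if lifted is not None:
            if now < lifted:
                return False
            del self._banned_until[ip]
        hits = self._hits[ip]
        while hits and now - hits[0] >= self.window:  # drop expired entries
            hits.popleft()
        if len(hits) >= self.limit:
            if self.ban:
                self._banned_until[ip] = now + self.ban
            return False
        hits.append(now)
        return True


def client_ip(event):
    """Connecting IP as set by AWS from the TCP connection.

    Lambda@Edge viewer-request: Records[0].cf.request.clientIp.
    API Gateway REST proxy:     requestContext.identity.sourceIp.
    X-Forwarded-For is client-supplied and must not be the rate-limit key.
    """
    if 'Records' in event:
        return event['Records'][0]['cf']['request']['clientIp']
    return event['requestContext']['identity']['sourceIp']


# 1 request per 5 seconds per IP; a client that keeps hammering is banned 60 s.
LIMITER = IpRateLimiter(limit=1, window_seconds=5, ban_seconds=60)


def viewer_request_handler(event, context=None, limiter=LIMITER, now=None):
    """Pass the request on, or answer 429 at the edge before CloudFront
    forwards anything to API Gateway or the backend Lambda."""
    request = event['Records'][0]['cf']['request']
    now = time.time() if now is None else now
    if limiter.check(request['clientIp'], now):
        return request
    return {
        'status': '429',
        'statusDescription': 'Too Many Requests',
        'headers': {
            'retry-after': [{'key': 'Retry-After', 'value': str(limiter.window)}],
        },
        'body': 'rate limited',
    }


def simulate(requests, limit, window_seconds, ban_seconds=0):
    """Replay (timestamp, ip) pairs through a fresh limiter; return decisions."""
    limiter = IpRateLimiter(limit, window_seconds, ban_seconds)
    return [limiter.check(ip, t) for t, ip in requests]


# Constructed traffic sample (documentation-range addresses, not real clients).
SAMPLE = [
    (0.0, '203.0.113.7'),
    (0.5, '198.51.100.9'),
    (1.0, '203.0.113.7'),  # second hit inside the 5 s window -> rejected
    (5.0, '203.0.113.7'),  # the t=0 hit has aged out -> allowed unless banned
    (6.0, '198.51.100.9'),
]

if __name__ == '__main__':
    print(simulate(SAMPLE, limit=1, window_seconds=5))
    print(simulate(SAMPLE, limit=1, window_seconds=5, ban_seconds=60))
```

Because the 429 is produced in the viewer-request phase, a rejected request never reaches API Gateway or the backend Lambda, which is what limits the "cost attack" mentioned in the comment while still leaving other clients unaffected, unlike a stage-wide throttle. The in-memory deques are only valid for a single execution environment; move `_hits` and `_banned_until` to a shared store with a TTL before relying on this in production, and consider keying IPv6 clients by /64 rather than by full address.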

From AWS Announces Rate-Based Rules for AWS WAF:

AWS today announced Rate-based Rules for AWS WAF. This new rule type protects customer websites and APIs from threats such as web-layer DDoS attacks, brute force login attempts and bad bots. Rate Based Rules are automatically triggered when web requests from a client exceed a certain configurable threshold.

With Rate-based Rules customers can also block future requests from a client trying to send a large volume of requests to certain parts of their website like the login page. Customers can also integrate this new rule with CloudWatch Alarms and AWS Lambda to take custom action on clients making unusually high calls against their API endpoints. Customers can also use Rate-Based Rules to mitigate unwanted bots by combining the Rate-based rule with a condition to identify specific malicious user agents associated with bad bots.

Collaborative answered 5/6, 2019 at 5:19 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.