NashTech Insights

AWS WAF CUSTOMISATION

Sanchit Raj

[Image: architecture of the solution]

What is AWS WAF?

AWS WAF (Web Application Firewall) is a managed service provided by Amazon Web Services (AWS) that helps protect web applications from common web exploits such as SQL injection, cross-site scripting (XSS) and other attacks. It allows customers to define rules that filter and block web traffic based on criteria such as IP addresses, HTTP headers or URI strings.

AWS WAF operates as a layer 7 firewall, meaning it can inspect the content of HTTP requests and responses as well as the metadata associated with them.

AWS WAF integrates with other AWS services such as Amazon CloudFront, a content delivery network (CDN), and the AWS Application Load Balancer, a load balancing service.

Why we need a Custom Rate-Based Rule to Block IPs in AWS WAF

AWS WAF has some limitations:

1. Time-based rules: AWS WAF allows you to create rules that block traffic based on the time of day.

2. AWS WAF allows you to create rate-based rules that block traffic based on the number of requests made within a given time period.

3. You can configure the minimum rate as one request per five seconds.

4. You can configure the maximum rate as 5,000 requests per second.

5. AWS WAF uses a sliding window to track the number of requests being made, which can result in some inaccuracies.

Steps to implement the custom rate-based rule blocked IP solution

Prerequisites:

Implementing the solution requires a few prerequisites.

  1. There must be an existing AWS WAF web ACL (REGIONAL or CLOUDFRONT)
  2. There must be an existing rate-based rule in the web ACL
  3. There must be an existing S3 bucket in the same region where the CloudFormation template
    will be deployed. This S3 bucket is required to add the Lambda source code zip files and to store
    the csv files that track the currently blocked originating IP addresses.
  4. You must upload the Lambda source code zip files to the root of the S3 bucket.
  5. The IAM user running the CloudFormation must have permissions to create the various
    resources deployed by the CloudFormation template. CloudFormation uses the IAM permissions
    of the IAM user running the template by default if no service role has been configured for
    CloudFormation to use.

Information Required for CloudFormation

  1. AWS WAF web ACL name
  2. AWS WAF web ACL ID
  3. Rate-based rule name
  4. The S3 bucket name where the Lambda source code zip files have been uploaded
  5. Block period (in seconds) – the period for which you want the offending originating IP address to be
    blocked:
     - To block an originating IP for 1 hour, enter 3600
     - To block an originating IP permanently, enter 0

Files required for the implementation

Implementation

To implement the solution, perform the below steps:

  1. Download the provided files to the local computer.
  2. Upload the provided Lambda source code zip files (LambdaCodeIPset.zip
    and LambdaCodeDBTable.zip) to the root of the S3 bucket that you want to use for this solution.
    The same S3 bucket name will be specified in the CloudFormation stack parameters.
  3. Use the CloudFormation service to deploy a stack using the CloudFormation template provided
    (WAF-custom-rate-based-rule-block.temp

Figure 1 – Deploying CloudFormation template using a local file

Steps required after the CloudFormation stack has deployed successfully

After deploying the CloudFormation stack, you must create a new WAF rule of type “Rule
group” in the web ACL that has the rate-based rule for the solution to be effective. The new rule
MUST reference the rule group created by the solution.

The exact priority of the new rule will vary depending on the existing WAF rules and your requirements.
Below are some recommendations:

  a) In all situations, you must place the new rule after the rate-based rule, so that WAF blocks the
    originating IP address without having the rate-based rule re-evaluate the originating IP address again.
  b) If you have any whitelist rules and you want to ensure that none of the whitelisted requests are blocked,
    even if the originating IP address sends requests above the configured threshold, the new rule must be
    placed below the whitelist rules.
  c) If you have any whitelist rules and you want the whitelisted requests to be blocked when the originating
    IP address sends requests above the configured threshold (this may be necessary to prevent a DDoS from a
    trusted originating IP address, for example because of a misconfiguration or a compromised device inside
    a trusted network), you must place the new rule above the whitelist rules.

You can find the name and ID of the WAF rule group in the Outputs section of the CloudFormation stack.
Figure 2 below shows where to find the name of the WAF rule group.

Note: please refer to your CloudFormation Outputs section for the correct name.

Figure 2 – CloudFormation Outputs section where the names of the resources can be located

Steps to create the new WAF rule:

To add the new rule which uses the rule group to the web ACL from the AWS console:

  1. Open the correct web ACL -> Select Rules -> Add my own rules and rule groups
  2. Select “Rule group” as the rule type -> Provide an appropriate name for the rule -> Select the WAF rule group from the dropdown menu
  3. Save the web ACL

Change the priority of the new rule as recommended above according to your requirements.
To add the new rule which uses the rule group to the web ACL from the AWS CLI, use the “aws wafv2
update-web-acl” command below. In the example below, waf-rule.json is the file that contains all
the rules which must be in the web ACL.

Please only use the CLI method if you are confident using it, as there is a potential to delete all
your existing WAF rules if it is used incorrectly.

Replace all the specific details in the CLI command with those that match your resources. The
options below use two ASCII hyphens (--name, --scope, and so on); the CLI does not accept a dash character.

  aws wafv2 update-web-acl \
    --name TestWebAcl --scope REGIONAL \
    --id a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 \
    --lock-token 2294b3a1-0000-0000-0000-a3ae04329de9 \
    --default-action Block={} \
    --visibility-config SampledRequestsEnabled=false,CloudWatchMetricsEnabled=false,MetricName=NewMetricTestWebAcl \
    --rules file://waf-rule.json \
    --region us-west-2
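Because update-web-acl replaces the whole rule set, the safe way to add the rule-group rule from the CLI is to fetch the current rules with `aws wafv2 get-web-acl`, merge the new rule into that array at the priority chosen from the recommendations above, and write the result to waf-rule.json. The script below is an added example and is not code from the original post or from the solution's own files; the existing rules array is a constructed sample, the rule group ARN is a placeholder for the value in the CloudFormation Outputs, and the rule names are hypothetical.

```python
"""Prepare the rules array for `aws wafv2 update-web-acl --rules file://waf-rule.json`.

Added example; not code from the original post or from the solution's own files.
It assumes the "Rules" array was fetched with `aws wafv2 get-web-acl` (a
constructed sample is embedded below) and that the rule group ARN is taken from
the CloudFormation stack Outputs (a placeholder here).
"""
import copy
import json

# Constructed sample of the "Rules" array from `aws wafv2 get-web-acl`:
# a whitelist rule followed by the existing rate-based rule.
EXISTING_RULES = [
    {
        "Name": "AllowTrustedOffice",
        "Priority": 0,
        "Statement": {"IPSetReferenceStatement": {
            "ARN": "arn:aws:wafv2:us-west-2:111122223333:regional/ipset/TrustedOffice/PLACEHOLDER-IPSET-ID"}},
        "Action": {"Allow": {}},
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True,
                             "MetricName": "AllowTrustedOffice"},
    },
    {
        "Name": "RateLimitPerIP",
        "Priority": 1,
        "Statement": {"RateBasedStatement": {"Limit": 2000, "AggregateKeyType": "IP"}},
        "Action": {"Block": {}},
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True,
                             "MetricName": "RateLimitPerIP"},
    },
]

# Placeholder: take the real ARN from the CloudFormation Outputs section.
RULE_GROUP_ARN = "arn:aws:wafv2:us-west-2:111122223333:regional/rulegroup/PLACEHOLDER-NAME/PLACEHOLDER-ID"


def rule_group_rule(name, rule_group_arn):
    """Build the rule that references the solution's rule group.

    A rule-group reference carries an OverrideAction (None keeps the group's own
    block action) rather than an Action; WAF rejects the rule otherwise.
    """
    return {
        "Name": name,
        "Priority": 0,  # replaced by insert_rule_group_rule
        "Statement": {"RuleGroupReferenceStatement": {"ARN": rule_group_arn}},
        "OverrideAction": {"None": {}},
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True,
                             "MetricName": name},
    }


def insert_rule_group_rule(existing_rules, new_rule, after=None, before=None):
    """Return a new rules list containing every existing rule plus new_rule.

    after="<rate rule>" places it directly after the rate-based rule
    (recommendations a and b); before="<whitelist rule>" places it ahead of a
    whitelist rule (recommendation c). Priorities are renumbered 0..n-1 because
    WAF requires them to be unique. The input list is left untouched so the
    original rules are never lost.
    """
    if (after is None) == (before is None):
        raise ValueError("specify exactly one of after= or before=")
    rules = sorted(copy.deepcopy(existing_rules), key=lambda r: r["Priority"])
    names = [r["Name"] for r in rules]
    if new_rule["Name"] in names:
        raise ValueError(f"rule {new_rule['Name']!r} already exists in the web ACL")
    anchor = after if after is not None else before
    if anchor not in names:
        raise ValueError(f"anchor rule {anchor!r} not found in the web ACL")
    index = names.index(anchor) + (1 if after is not None else 0)
    rules.insert(index, copy.deepcopy(new_rule))
    for priority, rule in enumerate(rules):
        rule["Priority"] = priority
    return rules


def rule_order(rules):
    """Rule names in evaluation order (lowest priority number first)."""
    return [r["Name"] for r in sorted(rules, key=lambda r: r["Priority"])]


def write_rules_file(rules, path="waf-rule.json"):
    """Write the array in the shape `--rules file://waf-rule.json` expects."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(rules, fh, indent=2)


if __name__ == "__main__":
    new_rule = rule_group_rule("BlockRateOffenders", RULE_GROUP_ARN)
    merged = insert_rule_group_rule(EXISTING_RULES, new_rule, after="RateLimitPerIP")
    print(rule_order(merged))
    write_rules_file(merged)
```

The same get-web-acl call returns the LockToken that update-web-acl requires; if another change lands between the two calls the update is rejected rather than overwriting it, so fetch, merge and update in one sitting.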

Procedure to delete the implementation

  1. The rule which uses the rule group must be deleted from the web ACL first, before attempting to
    delete the CloudFormation stack. This is because CloudFormation will not be able to delete the
    rule group while the web ACL is using it. If you do not delete the rule from the web ACL first,
    you will see an error message similar to the one below in the CloudFormation Events:
    “AWS WAF couldn’t perform the operation because your resource is being used by another
    resource or it’s associated with another resource.”
  2. After deleting the rule from the web ACL, you can proceed to delete the CloudFormation stack.
    Deleting the CloudFormation stack will delete all associated resources.

Handling false positives

A false positive occurs when a rate-based rule blocks a legitimate originating IP address and adds it to the AWS WAF blocking IP set for long-term blocking. You can resolve any false
positives by deleting the IP address item directly from the DynamoDB table. This will result in
DynamoDB Streams triggering the Lambda function to remove the IP address from the csv file and from
the WAF IP set.
Note: If the IP address is deleted directly from the IP set instead, the IP address will be blocked again when
the IP set is next updated. This is because the IP address will still be in the csv file which stores all the
currently blocked IP addresses that are in the DynamoDB table. We use this CSV file to update the
IP set each time there is an update in the DynamoDB table.
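The note above is easier to reason about when the flow is written out: the DynamoDB table is the source of truth, a Streams event carries each INSERT or REMOVE to the Lambda, and the Lambda rebuilds the csv and the IP set from the result, so an address removed only from the IP set comes straight back. The script below is an added example and is not the solution's own Lambda code, which the post only describes; it assumes a hypothetical string key attribute named "IP", a stream view type that includes the new image, and constructed Streams events.

```python
"""Keep the blocked-IP list in step with the DynamoDB table from a Streams event.

Added example; not the solution's own Lambda code, which the post only
describes. It assumes the DynamoDB table keys each item by a string attribute
named "IP" (hypothetical), that the stream includes NewImage, and that the
Lambda receives standard DynamoDB Streams records; the events below are
constructed for illustration.
"""
import csv
import io
import ipaddress


def to_cidr(ip_text):
    """Normalize an address to the CIDR form WAF IP sets require:
    a single host becomes /32 (IPv4) or /128 (IPv6); an existing prefix is kept."""
    ip_text = ip_text.strip()
    if "/" in ip_text:
        return str(ipaddress.ip_network(ip_text, strict=False))
    addr = ipaddress.ip_address(ip_text)
    return f"{addr}/{addr.max_prefixlen}"


def apply_stream_event(current_blocked, event):
    """Return the blocked set after applying each record of a DynamoDB Streams event.

    INSERT/MODIFY add the item's IP; REMOVE drops it, which is what happens
    when a false-positive item is deleted from the table by hand.
    """
    blocked = set(current_blocked)
    for record in event.get("Records", []):
        ddb = record["dynamodb"]
        if record["eventName"] in ("INSERT", "MODIFY"):
            blocked.add(to_cidr(ddb["NewImage"]["IP"]["S"]))
        elif record["eventName"] == "REMOVE":
            # Keys are on every record; OldImage depends on the stream view type.
            blocked.discard(to_cidr(ddb["Keys"]["IP"]["S"]))
    return blocked


def _sort_key(cidr):
    net = ipaddress.ip_network(cidr)
    return (net.version, net)  # IPv4 and IPv6 networks are not comparable with each other


def to_csv(blocked):
    """Serialize the blocked set as the csv kept in S3, one CIDR per row, sorted for stable diffs."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["ip_cidr"])
    for cidr in sorted(blocked, key=_sort_key):
        writer.writerow([cidr])
    return buf.getvalue()


def from_csv(text):
    """Read the csv back into a set of CIDRs (the inverse of to_csv)."""
    reader = csv.DictReader(io.StringIO(text))
    return {to_cidr(row["ip_cidr"]) for row in reader}


def split_by_version(blocked):
    """WAF IP sets hold either IPv4 or IPv6 addresses, so return one list per family."""
    ordered = sorted(blocked, key=_sort_key)
    v4 = [c for c in ordered if ipaddress.ip_network(c).version == 4]
    v6 = [c for c in ordered if ipaddress.ip_network(c).version == 6]
    return v4, v6


# Constructed events. The IPv6 address is the false-positive example used in the post.
BLOCK_EVENT = {"Records": [
    {"eventName": "INSERT", "dynamodb": {"Keys": {"IP": {"S": "198.51.100.23"}},
                                          "NewImage": {"IP": {"S": "198.51.100.23"}}}},
    {"eventName": "INSERT", "dynamodb": {"Keys": {"IP": {"S": "2600:1f18:235a:cf10:39c8:a57a:dc21:8b91/128"}},
                                          "NewImage": {"IP": {"S": "2600:1f18:235a:cf10:39c8:a57a:dc21:8b91/128"}}}},
]}
FALSE_POSITIVE_EVENT = {"Records": [
    {"eventName": "REMOVE", "dynamodb": {"Keys": {"IP": {"S": "2600:1f18:235a:cf10:39c8:a57a:dc21:8b91/128"}}}},
]}


if __name__ == "__main__":
    blocked = apply_stream_event({"203.0.113.0/24"}, BLOCK_EVENT)
    blocked = apply_stream_event(blocked, FALSE_POSITIVE_EVENT)
    print(to_csv(blocked))
    print(split_by_version(blocked))
```

In a real handler the two lists from split_by_version would go to wafv2 update_ip_set (one IPv4 set, one IPv6 set, each with the LockToken from get_ip_set) and the csv text to the S3 bucket; the IP set is always written from the full list, which is why removing an address from the IP set alone does not stick.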

The name of the DynamoDB table can be located in the Outputs section of the CloudFormation stack as
shown in Figure 2 above.
Below are the steps to delete the IP address item from the DynamoDB table:

  1. Start by searching for the name of the DynamoDB table.
  2. Follow the numbers in the screenshots below showing each step. In this example, the IPv6
    address 2600:1f18:235a:cf10:39c8:a57a:dc21:8b91/128 is the false positive IP address that must
    be deleted from the table.

[Screenshots: the DynamoDB tables list, viewing the table's items, and deleting the item]