I'm currently trying to design a Serverless Application using S3 static website, API Gateway and AWS Lambda. I want to make this website public, so there is no API key per user.
I want to prevent abuse of these endpoints to something really low, like 1 request every 5 seconds for a given public IP.
Is it possible with AWS Shield or inside any of these services?
You can set additional throttling targets at the method level in Usage Plans as shown in Create a usage plan. In the API Gateway console, these are set by specifying `Resource=<resource>, Method=<method>` in the Configure Method Throttling setting.
One way to implement API throttling in distributed systems is to use sticky sessions. In this method, all requests from a user are always serviced by a particular server. However, this solution is not well-balanced or fault tolerant. The second solution to API throttling in distributed systems is locks.
Your API gateway is now accessible via static IP addresses provided by AWS Global Accelerator.
You can now throttle as low as 100 requests per 5 minutes!
Unfortunately, if you have a requirement of "I want to prevent abuse of these endpoints to something really low, like 1 request every 5 seconds for a given public IP", then AWS WAF will not be suitable.
The minimum threshold you can set for a WAF rate based rule is 2000 requests in a 5 minute period.
If you want to implement aggressive rate based rules based on IP, you will need to write your own solution that either:
What might be more appropriate for your use case is using throttling on an API stage, but not based on IP. What you can do is set a maximum number of requests per second on average, and have the API return a 429 (Too Many Requests) when that number is exceeded. You can be really aggressive with this, or more relaxed, by using a decimal value:
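If the per-IP limit really has to be as tight as the question asks and neither WAF nor stage throttling can express it, the remaining option named above is to enforce it yourself inside the Lambda. The following is an added example, not code from any of the answers or from AWS: a handler that allows one request per 5 seconds per source IP and otherwise returns the 429 with a `Retry-After` header. It reads the client address from `requestContext` (the value API Gateway fills in from the TCP connection, so a client cannot spoof it the way it could an `X-Forwarded-For` header). Two stores are shown: an in-memory dictionary, which is only correct within a single Lambda instance and is used for the self-test, and a DynamoDB conditional write, which is the one that stays correct when many instances run concurrently. The table name, its key attribute `ip`, and the `expires_at` TTL attribute are assumptions.

```python
"""Per-source-IP rate limiting inside a Lambda handler behind API Gateway.

Added example (not from the original answers). Enforces the question's target
of one request per WINDOW_SECONDS per public IP by storing, per IP, the time
at which the next request may be accepted.
"""
import json
import math
import time
from typing import Callable, Dict

WINDOW_SECONDS = 5.0


class MemoryStore:
    """Single-process store. Fine for tests; NOT shared across Lambda instances,
    so a client spread over several instances could exceed the limit."""

    def __init__(self) -> None:
        self._next_allowed: Dict[str, float] = {}

    def try_acquire(self, ip: str, now: float) -> float:
        """Return 0.0 if the request is allowed (and record it), else the number
        of seconds the client must wait."""
        allowed_at = self._next_allowed.get(ip, 0.0)
        if now < allowed_at:
            return allowed_at - now
        self._next_allowed[ip] = now + WINDOW_SECONDS
        return 0.0


class DynamoDBStore:
    """Shared store using a conditional PutItem. The write succeeds only when no
    live entry exists for the IP, so two concurrent invocations for the same IP
    cannot both pass. Table name / attribute names are assumptions; the table
    needs a string partition key "ip" and (optionally) TTL on "expires_at"."""

    def __init__(self, table_name: str) -> None:
        import boto3  # imported lazily so the example runs without AWS libraries
        self._table = boto3.resource("dynamodb").Table(table_name)

    def try_acquire(self, ip: str, now: float) -> float:
        from botocore.exceptions import ClientError
        try:
            self._table.put_item(
                Item={
                    "ip": ip,
                    "next_allowed": int(now + WINDOW_SECONDS),
                    # TTL attribute so stale entries are garbage-collected by DynamoDB
                    "expires_at": int(now + 2 * WINDOW_SECONDS),
                },
                ConditionExpression="attribute_not_exists(ip) OR next_allowed <= :now",
                ExpressionAttributeValues={":now": int(now)},
            )
            return 0.0
        except ClientError as exc:
            if exc.response["Error"]["Code"] != "ConditionalCheckFailedException":
                raise
            # The conditional write does not return the stored value, so report the
            # full window as a conservative Retry-After instead of doing a second read.
            return WINDOW_SECONDS


def source_ip(event: dict) -> str:
    """Extract the connecting IP as recorded by API Gateway.
    REST APIs put it under identity.sourceIp, HTTP APIs under http.sourceIp."""
    ctx = event.get("requestContext", {})
    ip = ctx.get("identity", {}).get("sourceIp") or ctx.get("http", {}).get("sourceIp")
    if not ip:
        raise ValueError("event carries no source IP")
    return ip


def make_handler(store, clock: Callable[[], float] = time.time):
    """Build a Lambda handler bound to a store; clock is injectable for testing."""

    def handler(event: dict, context=None) -> dict:
        wait = store.try_acquire(source_ip(event), clock())
        if wait > 0:
            return {
                "statusCode": 429,
                "headers": {"Content-Type": "application/json",
                            "Retry-After": str(math.ceil(wait))},
                "body": json.dumps({"error": "too many requests"}),
            }
        return {
            "statusCode": 200,
            "headers": {"Content-Type": "application/json"},
            "body": json.dumps({"ok": True}),
        }

    return handler


# Production wiring would be:  handler = make_handler(DynamoDBStore("rate-limits"))
if __name__ == "__main__":
    # Constructed sample event in the REST API proxy format
    demo = make_handler(MemoryStore())
    event = {"requestContext": {"identity": {"sourceIp": "198.51.100.7"}}}
    print(demo(event)["statusCode"], demo(event)["statusCode"])  # 200 then 429
```

One caveat a practitioner should weigh: a limiter inside the function still invokes (and bills) the Lambda and the DynamoDB write for every rejected request, whereas stage throttling and WAF rate rules reject before invocation. It therefore works best layered under a coarser stage-level limit that caps the total request rate.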
From AWS Announces Rate-Based Rules for AWS WAF:
AWS today announced Rate-based Rules for AWS WAF. This new rule type protects customer websites and APIs from threats such as web-layer DDoS attacks, brute force login attempts and bad bots. Rate Based Rules are automatically triggered when web requests from a client exceed a certain configurable threshold.
With Rate-based Rules customers can also block future requests from a client trying to send a large volume of requests to certain parts of their website like the login page. Customers can also integrate this new rule with CloudWatch Alarms and AWS Lambda to take custom action on clients making unusually high calls against their API endpoints. Customers can also use Rate-Based Rules to mitigate unwanted bots by combining the Rate-based rule with a condition to identify specific malicious user agents associated with bad bots.