Request rate limiting behavior - AWS WAF, AWS Firewall Manager, and AWS Shield Advanced

Request rate limiting behavior

The criteria that AWS WAF uses to rate limit requests for a rate-based rule are the same criteria that it uses to aggregate requests for the rule. If you define a scope-down statement for the rule, AWS WAF aggregates, counts, and rate limits only the requests that match the scope-down statement; requests outside the scope-down statement are neither counted nor limited.

The match criteria that cause a rate-based rule to apply its rule action settings to a specific web request are as follows:

  • The web request matches the rule's scope-down statement, if one is defined.

  • The web request belongs to an aggregation instance whose request count is currently over the rule's limit.

How AWS WAF applies the rule action

When a rate-based rule rate limits a request, it applies the rule action together with any custom request handling or labeling that you've defined in the action specification. This is the same way that a match rule applies its action settings to matching web requests. A rate-based rule applies labels or performs other actions only on requests that it is actively rate limiting; requests from an aggregation instance that is under the limit pass through the rule untouched.

You can use any rule action except Allow. For general information about rule actions, see Rule action.
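The following is an added example, not code from the AWS documentation, that builds a rate-based rule in the shape of the wafv2 `Rule` object that `update_web_acl(Rules=[...])` accepts in boto3. It enforces the constraints above (no Allow action, and a forwarded-IP aggregation needs a `ForwardedIPConfig`) and attaches a scope-down statement so that only POST requests to `/login` are aggregated, counted, and rate limited. The rule name `login-rate-limit`, the label `login:rate-limited`, the `/login` scope-down, and the limit of 100 are constructed for the example.

```python
"""Build a wafv2 rate-based Rule object (added example, not AWS-provided code)."""
import json
from typing import Optional, Tuple

# The service rejects Allow for rate-based rules; everything else is permitted.
SUPPORTED_ACTIONS = ("Block", "Count", "Captcha", "Challenge")


def rate_based_rule(name: str, limit: int, action: str, priority: int = 0,
                    aggregate_key_type: str = "IP",
                    forwarded_header: str = "X-Forwarded-For",
                    scope_down: Optional[dict] = None,
                    labels: Tuple[str, ...] = (), window_sec: int = 300) -> dict:
    """Return a Rule dict for wafv2 update_web_acl / create_web_acl."""
    if action not in SUPPORTED_ACTIONS:
        raise ValueError(f"rate-based rules cannot use {action!r}; use one of {SUPPORTED_ACTIONS}")
    if window_sec not in (60, 120, 300, 600):
        raise ValueError("EvaluationWindowSec must be 60, 120, 300 or 600 seconds")
    statement = {"Limit": limit, "EvaluationWindowSec": window_sec,
                 "AggregateKeyType": aggregate_key_type}
    if aggregate_key_type == "FORWARDED_IP":
        # FORWARDED_IP needs to know which header carries the client address and
        # what to do when that header holds no valid address (MATCH or NO_MATCH).
        statement["ForwardedIPConfig"] = {"HeaderName": forwarded_header,
                                          "FallbackBehavior": "MATCH"}
    if scope_down is not None:
        # Only requests matching this statement are aggregated, counted and limited.
        statement["ScopeDownStatement"] = scope_down
    rule = {
        "Name": name,
        "Priority": priority,
        "Statement": {"RateBasedStatement": statement},
        "Action": {action: {}},
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True, "MetricName": name},
    }
    if labels:
        # Labels are added only to requests the rule is actively rate limiting.
        rule["RuleLabels"] = [{"Name": label} for label in labels]
    return rule


# Constructed scope-down statement: POST requests whose path starts with /login.
# SearchString is a blob in the API: boto3 wants bytes (b"/login"), the CLI wants base64.
LOGIN_POSTS = {"AndStatement": {"Statements": [
    {"ByteMatchStatement": {"SearchString": "/login", "FieldToMatch": {"UriPath": {}},
                            "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}],
                            "PositionalConstraint": "STARTS_WITH"}},
    {"ByteMatchStatement": {"SearchString": "POST", "FieldToMatch": {"Method": {}},
                            "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
                            "PositionalConstraint": "EXACTLY"}},
]}}


if __name__ == "__main__":
    rule = rate_based_rule("login-rate-limit", 100, "Captcha",
                           aggregate_key_type="FORWARDED_IP",
                           scope_down=LOGIN_POSTS, labels=("login:rate-limited",))
    print(json.dumps(rule, indent=2))
```

With the Captcha action, a client that exceeds 100 `/login` POSTs within the 5-minute window is served a puzzle until it presents a valid token; with `"Block"` in its place the same client is simply refused. Because the scope-down statement excludes everything except login POSTs, a burst of requests for static assets from the same address does not count toward the limit.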

The following list describes how rate limiting works for each of the actions.

  • Block – AWS WAF blocks the request and applies any custom blocking behavior that you've defined.

  • Count – AWS WAF counts the request, applies any custom headers or labels that you've defined, and continues the web ACL evaluation of the request.

    This action doesn't limit the rate of requests. It just counts the requests that are over the limit.

  • CAPTCHA or Challenge – AWS WAF handles the request either like a Block or like a Count, depending on the state of the request's token.

    This action doesn't limit the rate of requests that have valid tokens. It limits the rate of requests that are over the limit and are also missing valid tokens.

    • If the request doesn't have a valid, unexpired token, the action blocks the request and sends the CAPTCHA puzzle or the browser challenge back to the client.

      If the end user or client browser responds successfully, the client receives a valid token and it automatically resends the original request. If rate limiting for the aggregation instance is still in effect, this new request with the valid, unexpired token will have the action applied to it as described in the next bullet point.

    • If the request has a valid, unexpired token, the CAPTCHA or Challenge action verifies the token and takes no action on the request, similar to the Count action. The rate-based rule returns the request evaluation back to the web ACL without taking any terminating action, and the web ACL continues its evaluation of the request.

    For additional information, see CAPTCHA and Challenge in AWS WAF.

If you rate limit only the IP address or forwarded IP address

When you configure the rule to aggregate on only the IP address or the forwarded IP address, the rule instance can rate limit up to 10,000 IP addresses. If a rule instance identifies more than 10,000 IP addresses to rate limit, it limits only the 10,000 highest senders; the remaining over-limit addresses are not rate limited until they rank among the top 10,000.

With this configuration, you can retrieve the list of IP addresses that a rate-based rule is currently rate limiting. If you're using a scope-down statement, the requests that are rate limited are only those from addresses in that list that also match the scope-down statement. For information about retrieving the IP address list, see Listing IP addresses that are being rate limited by rate-based rules.
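The following is an added example, not AWS code, that models the behaviors described on this page (scope-down filtering, per-address aggregation over a window, the action-specific handling of over-limit requests, and the cap on how many addresses one rule instance limits) so that you can reason about them locally. It simplifies in labeled ways: counting happens on every request rather than on AWS WAF's periodic evaluation schedule, token validity is a boolean stand-in for the service's own token check, a request without the forwarded-IP header is simply skipped, and the 10,000-address cap is the `max_limited` parameter so the effect can be shown with a handful of addresses. The traffic in `demo()` (addresses, paths, header values) is constructed.

```python
"""Local model of rate-based rule behaviour (added example, not AWS code)."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, Optional, Tuple


@dataclass
class Request:
    src_ip: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    # Stand-in for AWS WAF's token validation: True means the request carries
    # a valid, unexpired CAPTCHA or challenge token.
    token_valid: bool = False


@dataclass(frozen=True)
class Decision:
    outcome: str                    # not_matched | block | continue | captcha | challenge
    labels: Tuple[str, ...] = ()    # labels applied only when the rule is rate limiting


class RateBasedRule:
    """Sliding-window model of one rate-based rule instance."""

    def __init__(self, limit: int, action: str = "block", window_sec: int = 300,
                 aggregate_key: str = "IP", forwarded_header: str = "X-Forwarded-For",
                 scope_down: Optional[Callable[[Request], bool]] = None,
                 labels: Tuple[str, ...] = (), max_limited: int = 10_000) -> None:
        if action not in ("block", "count", "captcha", "challenge"):
            raise ValueError("rate-based rules take Block, Count, CAPTCHA or Challenge, not Allow")
        if aggregate_key not in ("IP", "FORWARDED_IP"):
            raise ValueError("this model covers only IP and FORWARDED_IP aggregation")
        self.limit, self.action, self.window = limit, action, window_sec
        self.aggregate_key, self.forwarded_header = aggregate_key, forwarded_header
        self.scope_down, self.labels, self.max_limited = scope_down, labels, max_limited
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)   # key -> hit timestamps

    def _key(self, req: Request) -> Optional[str]:
        if self.aggregate_key == "IP":
            return req.src_ip
        xff = req.headers.get(self.forwarded_header)
        if not xff:
            return None     # simplification: header absent, the rule skips the request
        return xff.split(",")[0].strip()    # first (client) address in the header

    def _count(self, key: str, now: float) -> int:
        q = self._hits[key]
        while q and q[0] <= now - self.window:   # drop hits that fell out of the window
            q.popleft()
        return len(q)

    def limited_keys(self, now: float) -> Dict[str, int]:
        """Keys currently over the limit, capped at the max_limited highest senders."""
        over = {k: self._count(k, now) for k in list(self._hits)}
        over = {k: c for k, c in over.items() if c > self.limit}
        top = sorted(over.items(), key=lambda kc: kc[1], reverse=True)[: self.max_limited]
        return dict(top)

    def evaluate(self, req: Request, now: float) -> Decision:
        if self.scope_down is not None and not self.scope_down(req):
            return Decision("not_matched")      # outside scope-down: not counted, not limited
        key = self._key(req)
        if key is None:
            return Decision("not_matched")
        self._hits[key].append(now)
        if key not in self.limited_keys(now):
            return Decision("not_matched")      # under the limit: the rule does nothing
        if self.action == "block":
            return Decision("block", self.labels)
        if self.action == "count" or req.token_valid:
            # Count, or CAPTCHA/Challenge with a valid token: continue the web ACL evaluation
            return Decision("continue", self.labels)
        return Decision(self.action, self.labels)   # no valid token: blocked, puzzle/challenge sent


def demo() -> dict:
    """Constructed traffic: one client behind a proxy hammering /login, then solving a CAPTCHA."""
    rule = RateBasedRule(limit=3, action="captcha", aggregate_key="FORWARDED_IP",
                         scope_down=lambda r: r.path.startswith("/login"),
                         labels=("rate-limited:login",))
    proxied = {"X-Forwarded-For": "203.0.113.9, 10.0.0.2"}
    results = {}
    for i in range(5):      # five /login hits from 203.0.113.9 inside one window
        results[f"login{i}"] = rule.evaluate(Request("10.0.0.2", "/login", proxied), now=i).outcome
    # Same client, outside the scope-down statement: never counted or limited.
    results["static"] = rule.evaluate(Request("10.0.0.2", "/static/app.js", proxied), now=5).outcome
    # Puzzle solved: still over the limit, but the valid token lets the request continue.
    results["solved"] = rule.evaluate(Request("10.0.0.2", "/login", proxied, token_valid=True),
                                      now=6).outcome
    results["limited"] = sorted(rule.limited_keys(now=6))   # what the managed-keys listing would show
    return results
```

Note that `limited_keys` aggregates on the forwarded address rather than the proxy's own address, so one misbehaving client behind a shared proxy does not get every other client of that proxy rate limited; that is the reason to choose FORWARDED_IP when the traffic arrives through a load balancer or CDN you do not control.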