Overview
Brute force attacks remain a popular way for malicious actors to break into accounts, and their frequency keeps growing. These attacks work by methodically trying many username and password combinations until one grants unauthorized access. The AWS Web Application Firewall (WAF) offers a strong defense against them. This blog describes several AWS WAF capabilities, such as rate-based rules, CAPTCHA puzzles, Fraud Control account takeover prevention (ATP), and security automation, that can stop brute force login attempts.
Introduction
Online platforms, particularly those that handle sensitive user data, are constantly exposed to brute force login attacks. These attacks occur when an attacker repeatedly tries to log in in order to guess valid credentials (username and password combinations). The sheer volume of requests generated can overwhelm a system and impair its services. These attacks frequently lead to a worse user experience and to the possibility of account takeover.
Let’s examine each feature’s operation and how to set it up to improve security.
Steps to prevent brute force using AWS WAF
- Rate-based rules:
AWS WAF’s rate-based rules counter brute force attacks by limiting the number of requests that can originate from a single IP address or session within a given time frame. Attackers guessing login credentials rely on sending a large number of requests. To stop both overload and brute force attacks, you can use a rate-based rule to block an IP address or session once a predetermined threshold is reached.
How it works:
AWS WAF monitors the rate of incoming requests and compares it to a predetermined threshold (for example, more than 100 requests per minute from a single IP address).
Once the threshold is exceeded, AWS WAF blocks the IP address for a predetermined time, stopping the attacker from continuing the brute force attempt.
Configuration Example:
To create a rate-based rule specific to your login page, use the following configuration:
- Inspect Request: Choose the URI path to ensure the rule inspects login page requests only.
- Match type: Choose “Starts with string” to cover all URLs related to the login page.
- String to match: Set this to “/login” to target only the login URL.
This ensures that login attempts are limited and excessive requests from a single IP are blocked, making brute force attacks much harder.
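The following is an added example, not code from the original post or from AWS: it builds the rule described above in the JSON shape that the AWS WAF API and CLI accept (a `RateBasedStatement` aggregated by IP, scoped down with a `ByteMatchStatement` on the URI path starting with `/login`), and then runs a local sliding-window model of that rule over constructed sample traffic so the blocking decision can be seen. The `Limit`, `EvaluationWindowSec` and sample IPs are assumptions chosen to mirror the “100 requests per minute” figure in the text; verify the field names and allowed window sizes against the AWS WAF documentation for your region before deploying.

```python
import json
from collections import defaultdict, deque
from typing import Deque, Dict, List, Set, Tuple

# Constructed rule definition. Limit and EvaluationWindowSec values are
# assumptions for illustration, not figures taken from AWS documentation.
def build_login_rate_rule(limit: int = 100, window_sec: int = 60) -> dict:
    """Return a WAF rule (API/CLI JSON shape) that counts only requests whose
    URI path starts with /login and blocks an IP that exceeds `limit`."""
    return {
        "Name": "LoginRateLimit",
        "Priority": 0,
        "Action": {"Block": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": "LoginRateLimit",
        },
        "Statement": {
            "RateBasedStatement": {
                "Limit": limit,
                "EvaluationWindowSec": window_sec,
                "AggregateKeyType": "IP",
                "ScopeDownStatement": {
                    "ByteMatchStatement": {
                        "FieldToMatch": {"UriPath": {}},
                        "PositionalConstraint": "STARTS_WITH",
                        "SearchString": "/login",
                        "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}],
                    }
                },
            }
        },
    }


def in_scope(rule: dict, uri: str) -> bool:
    """Apply the scope-down statement: only login-page requests are counted."""
    bm = rule["Statement"]["RateBasedStatement"]["ScopeDownStatement"]["ByteMatchStatement"]
    return uri.lower().startswith(bm["SearchString"])


def simulate(rule: dict, requests: List[Tuple[int, str, str]]) -> Set[str]:
    """Local model of the rate-based decision (not the WAF engine itself):
    keep a sliding window of in-scope request timestamps per source IP and
    block the IP once its count inside the window exceeds Limit."""
    rbs = rule["Statement"]["RateBasedStatement"]
    limit, window = rbs["Limit"], rbs["EvaluationWindowSec"]
    windows: Dict[str, Deque[int]] = defaultdict(deque)
    blocked: Set[str] = set()
    for ts, ip, uri in sorted(requests):
        if not in_scope(rule, uri):
            continue
        q = windows[ip]
        q.append(ts)
        while q and q[0] <= ts - window:   # drop timestamps outside the window
            q.popleft()
        if len(q) > limit:
            blocked.add(ip)
    return blocked


# Constructed sample traffic: (unix_seconds, source_ip, uri_path)
SAMPLE_REQUESTS: List[Tuple[int, str, str]] = (
    # 150 login requests from one IP in about 50 seconds: a brute force pattern
    [(1_700_000_000 + i // 3, "203.0.113.5", "/login") for i in range(150)]
    # a user retrying a few times over 40 seconds
    + [(1_700_000_000 + i * 10, "198.51.100.7", "/login") for i in range(5)]
    # heavy but out-of-scope traffic from that same user (static assets)
    + [(1_700_000_000 + i, "198.51.100.7", "/static/app.js") for i in range(200)]
)

if __name__ == "__main__":
    rule = build_login_rate_rule()
    print(json.dumps(rule, indent=2))
    print("blocked:", simulate(rule, SAMPLE_REQUESTS))
```

The scope-down statement is what makes the second client survive: its 200 asset requests never count towards the login limit, so only the IP hammering `/login` is blocked. The JSON that `build_login_rate_rule` prints can be placed in the rules list of a web ACL or rule group.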
- CAPTCHA Puzzles:
CAPTCHA challenges exist to distinguish automated bots from human users. By requiring users to solve a CAPTCHA puzzle before they reach the login page, AWS WAF can prevent automated systems from carrying out brute force attacks. Even an attacker using a bot cannot get past the CAPTCHA to bombard the login page with requests.
How it works:
AWS WAF displays a CAPTCHA challenge to the user when it detects traffic that seems artificial.
The attacker’s automated scripts cannot solve the CAPTCHA puzzle, which stops the brute force attempt.
This barrier lowers the success rate of brute force assaults and stops bots from trying to guess login passwords.
Configuration Example:
To configure CAPTCHA for your login page:
- Inspect: Choose a URI path to target login-related requests.
- Match Type: Select “Starts with string” to cover all variations of the login URL.
- String to match: Set to “/login” for the login page.
- Action: Choose CAPTCHA to trigger the challenge.
- Immunity time: Set a low immunity time (e.g., 5–10 minutes) to prevent repeated CAPTCHA challenges for legitimate users.
This setup prompts only suspicious traffic to complete the CAPTCHA, so legitimate users are unaffected.
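To make the immunity-time setting concrete, here is an added example (not code from the original post, and not AWS WAF’s own token implementation) that models the CAPTCHA action on `/login`: a client is challenged on first contact, receives a signed token once the puzzle is solved, is not challenged again while that token is within the immunity time, and is challenged once more after it expires. The HMAC-signed `client|issued_at` token format, the client identifiers and the 5-minute immunity value are assumptions for illustration.

```python
import hashlib
import hmac
from typing import List, Optional

# Constructed demo key; a real deployment would use a per-environment secret.
SECRET = b"constructed-demo-key"


def issue_token(client_id: str, issued_at: int) -> str:
    """Token handed out after a solved puzzle (assumed format, not WAF's)."""
    msg = f"{client_id}|{issued_at}".encode()
    sig = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return f"{client_id}|{issued_at}|{sig}"


def token_valid(token: Optional[str], client_id: str, now: int, immunity_sec: int) -> bool:
    """A token passes only if its signature verifies, it belongs to this
    client, and it was issued less than `immunity_sec` seconds ago."""
    if not token:
        return False
    try:
        tok_client, issued_s, sig = token.split("|")
        issued = int(issued_s)
    except ValueError:
        return False
    expected = hmac.new(SECRET, f"{tok_client}|{issued}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False
    return tok_client == client_id and 0 <= now - issued < immunity_sec


def decide(uri: str, client_id: str, token: Optional[str], now: int, immunity_sec: int = 300) -> str:
    """Return "ALLOW" or "CAPTCHA" for one request, mirroring the rule in the
    text: only paths starting with /login are challenged."""
    if not uri.lower().startswith("/login"):
        return "ALLOW"
    return "ALLOW" if token_valid(token, client_id, now, immunity_sec) else "CAPTCHA"


def walkthrough() -> List[str]:
    """Constructed request sequence for one client with a 5-minute immunity time."""
    t0 = 1_700_000_000
    out: List[str] = []
    out.append(decide("/login", "alice", None, t0))                # first visit: challenged
    tok = issue_token("alice", t0)                                 # alice solves the puzzle
    out.append(decide("/login", "alice", tok, t0 + 120))           # within immunity: allowed
    out.append(decide("/login", "alice", tok, t0 + 301))           # immunity expired: challenged
    out.append(decide("/login", "mallory", tok, t0 + 10))          # token belongs to alice: challenged
    tampered = tok[:-1] + ("0" if tok[-1] != "0" else "1")         # one hex digit of the signature changed
    out.append(decide("/login", "alice", tampered, t0 + 10))       # bad signature: challenged
    out.append(decide("/static/app.js", "alice", None, t0))        # out of scope: never challenged
    return out


if __name__ == "__main__":
    print(walkthrough())
```

A short immunity time, as the text recommends, bounds how long a single solved puzzle can be reused; the token is also bound to the client and signed, so a token captured from one client is of no use to another and an edited token is rejected.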
- AWS ATP Managed Rule Group:
The ATP (Account Takeover Prevention) managed rule group in AWS WAF is specifically designed to prevent account takeover attempts, often resulting from brute force login attacks. This rule group includes a series of predefined rules that can identify suspicious behavior associated with brute force login attempts, such as high request rates or repeated login attempts from the same IP.
How it works:
- The ATP managed rule group analyzes login attempt patterns that indicate brute force attacks. This includes detecting:
- High request rates from a single IP address or session.
- Suspicious patterns in password guesses, such as predictable combinations like “password123”.
- Repeated failed login attempts.
- Long-lasting sessions, which may indicate an attacker trying different combinations over time.
By activating this rule group, you can gain protection from these common attack techniques and proactively block malicious traffic.
Key Rules in ATP Managed Rule Group
- VolumetricIpHigh: Flags high volumes of requests from a single IP address. This strongly indicates a brute force attack where an attacker tries multiple login combinations.
- AttributePasswordTraversal: Identifies password traversal attempts, where attackers guess passwords in a predictable pattern.
- AttributeLongSession: Detects long-lasting sessions where attackers maintain a session for extended periods to continue guessing passwords.
- VolumetricSession: Monitors the volume of requests within a single session to identify suspicious patterns of login attempts.
- AttributeUsernameTraversal: Identifies attempts to guess usernames in a pattern, typically part of brute force login attacks.
- MissingCredential: Flags requests where credentials are missing or incomplete, which could be a sign of a bot attempting a login without valid credentials.
These rules help identify and mitigate brute force login attacks by inspecting the traffic patterns and blocking malicious requests based on known attack techniques.
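The following is an added example, not code from the original post and not the ATP managed rule group’s own logic (whose thresholds and heuristics are not published on this page): it runs a small detector over constructed login-attempt records and labels each session with the rule names listed above, so the traffic shapes those rules describe can be seen side by side. Password traversal is modelled as many distinct passwords against one username, username traversal as one password across many usernames, and a missing credential as an empty username or password; the threshold of 10, the session ids and the sample IPs are assumptions. Per-IP volume is the same counting a rate-based rule performs and is left out here.

```python
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed login-attempt records: (session_id, source_ip, username, password).
# Field layout, thresholds and sample values are assumptions for this example.
Attempt = Tuple[str, str, Optional[str], Optional[str]]

SAMPLE_ATTEMPTS: List[Attempt] = (
    # one session cycling through passwords for a single account
    [("sess-A", "203.0.113.5", "alice", f"password{i}") for i in range(12)]
    # one session trying the same password across many accounts
    + [("sess-B", "203.0.113.9", f"user{i}", "Summer2024!") for i in range(12)]
    # a bot posting to the login page without a password
    + [("sess-C", "198.51.100.2", "bob", None)] * 3
    # a person who mistyped once and then logged in
    + [("sess-D", "198.51.100.7", "carol", "wrongpw"),
       ("sess-D", "198.51.100.7", "carol", "rightpw")]
)


def classify_sessions(attempts: List[Attempt], threshold: int = 10) -> Dict[str, List[str]]:
    """Return {session_id: [signal names]}. The names follow the ATP rules
    listed in the text; the heuristics behind them are this example's own."""
    by_session: Dict[str, List[Attempt]] = defaultdict(list)
    for a in attempts:
        by_session[a[0]].append(a)

    result: Dict[str, List[str]] = {}
    for sid, rows in by_session.items():
        signals: List[str] = []
        usernames = Counter(u for _, _, u, _ in rows if u)
        passwords = Counter(p for _, _, _, p in rows if p)

        # AttributePasswordTraversal: many distinct passwords, one username.
        if len(usernames) == 1 and len(passwords) >= threshold:
            signals.append("AttributePasswordTraversal")
        # AttributeUsernameTraversal: one password, many distinct usernames.
        if len(passwords) == 1 and len(usernames) >= threshold:
            signals.append("AttributeUsernameTraversal")
        # MissingCredential: any attempt with an empty username or password.
        if any(not u or not p for _, _, u, p in rows):
            signals.append("MissingCredential")
        # VolumetricSession: raw number of attempts made in one session.
        if len(rows) >= threshold:
            signals.append("VolumetricSession")
        result[sid] = signals
    return result


if __name__ == "__main__":
    for sid, signals in classify_sessions(SAMPLE_ATTEMPTS).items():
        print(f"{sid}: {signals or 'no signals'}")
```

The point of the per-session view is that the two traversal patterns look identical by request count alone; it is the ratio of distinct usernames to distinct passwords that separates credential stuffing of one account from a single password sprayed across many, and both warrant a block even when each individual request is well-formed.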
Conclusion
Although brute force login attacks pose a significant security risk, AWS WAF provides several useful methods to stop them. Together, the ATP managed rule group, rate-based rules, and CAPTCHA puzzles protect your login pages against malicious activity. By implementing these features, you can challenge questionable traffic with CAPTCHAs, block excessive requests, and automatically identify and stop account takeover attempts. Combined, these safeguards keep your application safe while offering authorized users a smooth experience.
Drop a query if you have any questions regarding AWS WAF and we will get back to you quickly.
About CloudThat
CloudThat is a leading provider of Cloud Training and Consulting services with a global presence in India, the USA, Asia, Europe, and Africa. Specializing in AWS, Microsoft Azure, GCP, VMware, Databricks, and more, the company serves mid-market and enterprise clients, offering comprehensive expertise in Cloud Migration, Data Platforms, DevOps, IoT, AI/ML, and more.
CloudThat is the first Indian Company to win the prestigious Microsoft Partner 2024 Award and is recognized as a top-tier partner with AWS and Microsoft, including the prestigious ‘Think Big’ partner award from AWS and the Microsoft Superstars FY 2023 award in Asia & India. Having trained 650k+ professionals in 500+ cloud certifications and completed 300+ consulting projects globally, CloudThat is an official AWS Advanced Consulting Partner, Microsoft Gold Partner, AWS Training Partner, AWS Migration Partner, AWS Data and Analytics Partner, AWS DevOps Competency Partner, AWS GenAI Competency Partner, Amazon QuickSight Service Delivery Partner, Amazon EKS Service Delivery Partner, AWS Microsoft Workload Partners, Amazon EC2 Service Delivery Partner, Amazon ECS Service Delivery Partner, AWS Glue Service Delivery Partner, Amazon Redshift Service Delivery Partner, AWS Control Tower Service Delivery Partner, AWS WAF Service Delivery Partner, Amazon CloudFront and many more.
To get started, go through our Consultancy page and Managed Services Package, CloudThat’s offerings.
FAQs
1. How do rate-based rules work in AWS WAF?
ANS: – Rate-based rules limit requests from a single IP address or session within a given time frame. Once the threshold is exceeded, AWS WAF blocks the offending IP or session, helping prevent brute force attacks.
2. How does CAPTCHA help prevent brute force attacks?
ANS: – CAPTCHA challenges differentiate between human users and automated bots. Users must solve a CAPTCHA puzzle when suspicious traffic is detected, preventing bots from flooding login pages with requests.
WRITTEN BY Shakti Singh Chouhan
Shakti Singh is a Research Associate (Infra, Migration, and Security) at CloudThat. He is a passionate learner committed to learning new things every day. Shakti enjoys sharing his knowledge with others. He likes singing and listening to music in his leisure time.