AWS WAF Captcha

Riski Cahyadi
4 min read · Dec 3, 2021

AWS Web Application Firewall (WAF) is a firewall that helps protect applications at Layer 7. One of the features I most awaited on AWS WAF is CAPTCHA, because in my experience with Cloudflare it is very useful for protecting an application from flooding attacks.

On 24 November 2021 AWS announced support for the CAPTCHA action in its WAF service. This feature can be applied in many situations.

The CAPTCHA can be used to protect our application from unwanted bots or scrapers, since we can write rules that enable CAPTCHA on a specific page. For example, we could put a CAPTCHA on the login page or the registration page to defend against a bot.

It also adds a layer of defence against HTTP flooding attacks. Usually we implement a rate limiter as one method of reducing unwanted requests, so that a high volume of requests that do not come from real users does not burden the origin. The default action we normally use for this rule is Block, and that has a side effect: it also blocks requests from legitimate users who share an office network or another shared network, because many users behind the same public IP count against the same limit.

Now that AWS WAF has the CAPTCHA feature, we can change the rule's action from Block to CAPTCHA, which helps avoid the unexpected problems that a rate-limit Block action causes.

Setting Up WAF Rules

In this article we will use the AWS WAF CAPTCHA action as the rule action for a rate limiter. Below are the steps to create our own rule and set the CAPTCHA action:

1. Add a rule by choosing Add my own rules and rule groups.
Add Rules

2. Choose Rule builder, as we will create a rate-limiter rule.

Rule Builder

3. Choose Rate-based rule and set the limit. For the action, choose CAPTCHA with an immunity time of 600 s. In the action settings we specify how long the token from a solved CAPTCHA stays valid for subsequent requests: in this case, after the CAPTCHA is completed successfully, requests within the next 1~600 s will not be shown the CAPTCHA; once the immunity has expired, the next request must pass the CAPTCHA again before it can access the app.

WAF Action Setting
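To show what the three console steps above produce when expressed as a rule definition, here is an added example that is not from the original post: it builds the same rate-based rule with a CAPTCHA action and a 600 s immunity time in the shape of a WAFv2 `Rule` object, optionally scoped down to one URI path (as when protecting only the login page), and checks the value ranges the WAFv2 API enforces. The rule name `rate-limit-captcha`, the limit of 1000 and the path `/login` are assumed sample values.

```python
import json

# Ranges enforced by the WAFv2 API: the rate limit is counted per 5-minute
# window and must be at least 100; CAPTCHA immunity time is 60..259200 seconds.
MIN_RATE_LIMIT = 100
IMMUNITY_RANGE = (60, 259200)


def rate_limit_captcha_rule(name, limit, immunity_seconds=600, path_prefix=None, priority=1):
    """Build a WAFv2 rule: a rate-based statement whose action is CAPTCHA.

    immunity_seconds is how long a solved CAPTCHA token stays valid (the
    600 s immunity chosen in the console). path_prefix, if given, scopes the
    rule down to requests whose URI path starts with that string.
    """
    if limit < MIN_RATE_LIMIT:
        raise ValueError(f"rate limit must be >= {MIN_RATE_LIMIT}")
    if not IMMUNITY_RANGE[0] <= immunity_seconds <= IMMUNITY_RANGE[1]:
        raise ValueError(f"immunity time must be within {IMMUNITY_RANGE}")

    statement = {"Limit": limit, "AggregateKeyType": "IP"}
    if path_prefix:
        # SearchString is a blob in the API: boto3 takes bytes, and AWS CLI v2
        # expects base64 unless --cli-binary-format raw-in-base64-out is set.
        statement["ScopeDownStatement"] = {
            "ByteMatchStatement": {
                "SearchString": path_prefix,
                "FieldToMatch": {"UriPath": {}},
                "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}],
                "PositionalConstraint": "STARTS_WITH",
            }
        }
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"RateBasedStatement": statement},
        "Action": {"Captcha": {}},
        "CaptchaConfig": {"ImmunityTimeProperty": {"ImmunityTime": immunity_seconds}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


if __name__ == "__main__":
    # Constructed sample: 1000 requests per 5 minutes per IP, only on /login.
    rule = rate_limit_captcha_rule("rate-limit-captcha", 1000, 600, "/login")
    print(json.dumps([rule], indent=2))  # list form used by update-web-acl --rules
```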

After the rules are set up successfully, we just need to trigger them.

Captcha in Action

The CAPTCHA in AWS is a bit unique in my experience, as it sometimes shows a puzzle and other things. When the rule is triggered we are shown a challenge page that must be completed before the app can be accessed.

Challenge Page

After that you are presented with the puzzle; below are some examples of the puzzles I encountered.

Puzzle

After you complete the puzzle and submit the answer, you are redirected to the application.

Conclusion

The new feature on AWS WAF gives us a new option to use when building a security strategy, as attacks are evolving too. CAPTCHA gives us additional room to mix and match when creating rules; the steps above are an example of using it as a measure against HTTP flooding instead of blocking outright.

I hope this information is useful. If you have any feedback, don't hesitate to post a question below.
