Options for rate limiting in rate-based rules and targeted Bot Control rules
This section compares rate-based mitigation options.
The targeted level of the AWS WAF Bot Control rule group and the AWS WAF rate-based rule statement both provide web request rate limiting. The following table compares the two options.
Feature | AWS WAF rate-based rule | AWS WAF Bot Control targeted rules |
---|---|---|
How rate limiting is applied | Acts on groups of requests that are coming at too high a rate. You can apply any action except for Allow. | Enforces human-like access patterns and applies dynamic rate limiting, through the use of request tokens. |
Based on historical traffic baselines? | No | Yes |
Time required to accumulate historic traffic baselines | N/A | Five minutes for dynamic thresholds. N/A for token absent. |
Mitigation lag | Usually 30-50 seconds. Can be up to several minutes. | Usually less than 10 seconds. Can be up to several minutes. |
Mitigation targets | Configurable. You can group requests using a scope-down statement and by one or more aggregation keys, such as IP address, HTTP method, and query string. | IP addresses and client sessions |
Traffic volume level required to trigger mitigations | Medium - can be as low as 10 requests in the specified time window | Low - intended to detect client patterns such as slow scrapers |
Customizable thresholds | Yes | No |
Default mitigation action | Console default is Block. No default setting in the API; the setting is required. You can set this to any rule action except Allow. | The rule group rule action settings are Challenge for token absent and CAPTCHA for high volume traffic from a single client session. You can set either of these rules to any valid rule action. |
Resiliency against highly distributed attacks | Medium - 10,000 IP address maximum for IP address limiting on its own | Medium - limited to 50,000 total between IP addresses and tokens |
AWS WAF Pricing | Included in the standard fees for AWS WAF. | Included in the fees for the targeted level of Bot Control intelligent threat mitigation. |
For more information | Using rate-based rule statements in AWS WAF | AWS WAF Bot Control rule group |
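
The rate-based column of the table, as an added example that is not taken from the AWS documentation: a rule in the WAFv2 API shape that groups requests by IP address and HTTP method under a scope-down statement, plus a pre-deployment check for the constraints the table states. The rule name, the `/login` path, the limit and window values, and the `lint_rate_rule` helper are assumptions made for illustration.

```python
# Added example: rule name, path, limit and window are constructed values.
# The dict follows the WAFv2 API rule shape used in a web ACL's Rules list.
LOGIN_RATE_RULE = {
    "Name": "login-rate-limit",  # hypothetical name
    "Priority": 10,
    "Statement": {"RateBasedStatement": {
        "Limit": 100,                  # requests per aggregation key per window
        "EvaluationWindowSec": 300,
        "AggregateKeyType": "CUSTOM_KEYS",
        "CustomKeys": [{"IP": {}}, {"HTTPMethod": {}}],
        # Scope-down statement: only requests under /login are counted.
        "ScopeDownStatement": {"ByteMatchStatement": {
            "SearchString": b"/login",
            "FieldToMatch": {"UriPath": {}},
            "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
            "PositionalConstraint": "STARTS_WITH",
        }},
    }},
    "Action": {"Block": {}},  # the API has no default, so state it
    "VisibilityConfig": {
        "SampledRequestsEnabled": True,
        "CloudWatchMetricsEnabled": True,
        "MetricName": "login-rate-limit",
    },
}

MIN_LIMIT = 10  # lowest threshold the comparison table mentions


def lint_rate_rule(rule):
    """Return a list of problems; an empty list means the rule passes."""
    stmt = rule.get("Statement", {}).get("RateBasedStatement")
    if stmt is None:
        return ["not a rate-based rule"]
    problems = []
    action = rule.get("Action") or {}
    if len(action) != 1:
        problems.append("Action is required: the API has no default")
    elif "Allow" in action:
        problems.append("Allow is not valid for a rate-based rule")
    if stmt.get("Limit", 0) < MIN_LIMIT:
        problems.append(f"Limit is below {MIN_LIMIT}")
    if stmt.get("AggregateKeyType") == "CUSTOM_KEYS" and not stmt.get("CustomKeys"):
        problems.append("CUSTOM_KEYS needs at least one aggregation key")
    return problems
```

Running `lint_rate_rule` over each rule in a web ACL definition before deployment catches a missing or `Allow` action without a round trip to the API.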