**Introducing a new console experience for AWS WAF**
You can now use the updated experience to access AWS WAF functionality anywhere in the console. For more details, see [Working with the console](https://docs.aws.amazon.com/waf/latest/developerguide/working-with-console.html).
# Rate-based rule examples in AWS WAF
This section describes example configurations for a variety of common rate-based rules use cases.
Each example provides a description of the use case and then shows the solution in JSON listings for the custom configured rules.
**Note**
The JSON listings shown in these examples were created in the console by configuring the rule and then editing it using the **Rule JSON editor**.
**Topics**
+ [Rate limit the requests to a login page](waf-rate-based-example-limit-login-page.md)
+ [Rate limit the requests to a login page from any IP address, user agent pair](waf-rate-based-example-limit-login-page-keys.md)
+ [Rate limit the requests that are missing a specific header](waf-rate-based-example-limit-missing-header.md)
+ [Rate limit the requests with specific labels](waf-rate-based-example-limit-labels.md)
+ [Rate limit the requests for labels that have a specified label namespace](waf-rate-based-example-limit-label-aggregation.md)
+ [Rate limit the requests with specific ASNs](waf-rate-based-example-limit-asn.md)
# Rate limit the requests to a login page
To limit the number of requests to the login page on your website without affecting traffic to the rest of your site, you could create a rate-based rule with a scope-down statement that matches requests to your login page and with the request aggregation set to **Count all**.
The rate-based rule will count all requests for the login page in a single aggregation instance and apply the rule action to all requests matching the scope-down statement when the requests exceed the limit.
The following JSON listing shows an example of this rule configuration. The count all aggregation option is listed in the JSON as the setting `CONSTANT`. This example matches login pages that start with `/login`.
```
{
"Name": "test-rbr",
"Priority": 0,
"Action": {
"Block": {}
},
"VisibilityConfig": {
"SampledRequestsEnabled": true,
"CloudWatchMetricsEnabled": true,
"MetricName": "test-rbr"
},
"Statement": {
"RateBasedStatement": {
"Limit": 1000,
"EvaluationWindowSec": 300,
"AggregateKeyType": "CONSTANT",
"ScopeDownStatement": {
"ByteMatchStatement": {
"FieldToMatch": {
"UriPath": {}
},
"PositionalConstraint": "STARTS_WITH",
"SearchString": "/login",
"TextTransformations": [
{
"Type": "NONE",
"Priority": 0
}
]
}
}
}
}
}
```
# Rate limit the requests to a login page from any IP address, user agent pair
To limit the number of requests to the login page on your website for IP address, user agent pairs that exceed your limit, set the request aggregation to **Custom keys** and provide the aggregation criteria.
The following JSON listing shows an example of this rule configuration. In this example, we've set the limit to 100 requests in any five minute period per IP address, user agent pair.
```
{
"Name": "test-rbr",
"Priority": 0,
"Action": {
"Block": {}
},
"VisibilityConfig": {
"SampledRequestsEnabled": true,
"CloudWatchMetricsEnabled": true,
"MetricName": "test-rbr"
},
"Statement": {
"RateBasedStatement": {
"Limit": 100,
"EvaluationWindowSec": 300,
"AggregateKeyType": "CUSTOM_KEYS",
"CustomKeys": [
{
"Header": {
"Name": "User-Agent",
"TextTransformations": [
{
"Priority": 0,
"Type": "NONE"
}
]
}
},
{
"IP": {}
}
],
"ScopeDownStatement": {
"ByteMatchStatement": {
"FieldToMatch": {
"UriPath": {}
},
"PositionalConstraint": "STARTS_WITH",
"SearchString": "/login",
"TextTransformations": [
{
"Type": "NONE",
"Priority": 0
}
]
}
}
}
}
}
```
# Rate limit the requests that are missing a specific header
To limit the number of requests that are missing a specific header, you can use the **Count all** aggregation option with a scope-down statement. Configure the scope-down statement with a logical `NOT` statement containing a statement that returns true only if the header exists and has a value.
The following JSON listing shows an example of this rule configuration.
```
{
"Name": "test-rbr",
"Priority": 0,
"Action": {
"Block": {}
},
"VisibilityConfig": {
"SampledRequestsEnabled": true,
"CloudWatchMetricsEnabled": true,
"MetricName": "test-rbr"
},
"Statement": {
"RateBasedStatement": {
"Limit": 1000,
"AggregateKeyType": "CONSTANT",
"EvaluationWindowSec": 300,
"ScopeDownStatement": {
"NotStatement": {
"Statement": {
"SizeConstraintStatement": {
"FieldToMatch": {
"SingleHeader": {
"Name": "user-agent"
}
},
"ComparisonOperator": "GT",
"Size": 0,
"TextTransformations": [
{
"Type": "NONE",
"Priority": 0
}
]
}
}
}
}
}
}
}
```
# Rate limit the requests with specific labels
To limit the number of requests of various categories, you can combine rate limiting with any rule or rule group that add labels to requests. To do this, you configure your protection pack (web ACL) as follows:
+ Add the rules or rule groups that add labels, and configure them so that they don't block or allow the requests that you want to rate limit. If you use managed rule groups, you might need to override some rule group rule actions to Count to achieve this behavior.
+ Add a rate-based rule to your protection pack (web ACL) with a priority number setting that is higher than the labeling rules and rule groups. AWS WAF evaluates rules in numeric order, starting from the lowest, so your rate-based rule will run after the labeling rules. Configure your rate limiting on the labels using a combination of label matching in the rule's scope-down statement and label aggregation.
The following example uses the Amazon IP reputation list AWS Managed Rules rule group. The rule group rule `AWSManagedIPDDoSList` detects and labels requests whose IPs are known to be actively engaging in DDoS activities. The rule's action is configured to Count in the rule group definition. For more information about the rule group, see [Amazon IP reputation list managed rule group](aws-managed-rule-groups-ip-rep.md#aws-managed-rule-groups-ip-rep-amazon).
The following protection pack (web ACL) JSON listing uses the IP reputation rule group followed by a label-matching rate-based rule. The rate-based rule uses a scope-down statement to filter for requests that have been marked by the rule group rule. The rate-based rule statement aggregates and rate limits the filtered requests by their IP addresses.
```
{
"Name": "test-web-acl",
"Id": ...
"ARN": ...
"DefaultAction": {
"Allow": {}
},
"Description": "",
"Rules": [
{
"Name": "AWS-AWSManagedRulesAmazonIpReputationList",
"Priority": 0,
"Statement": {
"ManagedRuleGroupStatement": {
"VendorName": "AWS",
"Name": "AWSManagedRulesAmazonIpReputationList"
}
},
"OverrideAction": {
"None": {}
},
"VisibilityConfig": {
"SampledRequestsEnabled": true,
"CloudWatchMetricsEnabled": true,
"MetricName": "AWS-AWSManagedRulesAmazonIpReputationList"
}
},
{
"Name": "test-rbr",
"Priority": 1,
"Statement": {
"RateBasedStatement": {
"Limit": 100,
"EvaluationWindowSec": 300,
"AggregateKeyType": "IP",
"ScopeDownStatement": {
"LabelMatchStatement": {
"Scope": "LABEL",
"Key": "awswaf:managed:aws:amazon-ip-list:AWSManagedIPDDoSList"
}
}
}
},
"Action": {
"Block": {}
},
"VisibilityConfig": {
"SampledRequestsEnabled": true,
"CloudWatchMetricsEnabled": true,
"MetricName": "test-rbr"
}
}
],
"VisibilityConfig": {
"SampledRequestsEnabled": true,
"CloudWatchMetricsEnabled": true,
"MetricName": "test-web-acl"
},
"Capacity": 28,
"ManagedByFirewallManager": false,
"RetrofittedByFirewallManager": false,
"LabelNamespace": "awswaf:0000000000:webacl:test-web-acl:"
}
```
# Rate limit the requests for labels that have a specified label namespace
**Note**
The common level rules in the Bot Control managed rule group add labels for bots of various categories, but they only block requests from unverified bots. For information about these rules, see [Bot Control rules listing](aws-managed-rule-groups-bot.md#aws-managed-rule-groups-bot-rules).
If you use the Bot Control managed rule group, you can add rate limiting for requests from individual verified bots. To do this, you add a rate-based rule that runs after the Bot Control rule group and aggregates requests by their bot name labels. You specify the **Label namespace** aggregation key and set the namespace key to `awswaf:managed:aws:bot-control:bot:name:`. Each unique label with the specified namespace will define an aggregation instance. For example, the labels `awswaf:managed:aws:bot-control:bot:name:axios` and `awswaf:managed:aws:bot-control:bot:name:curl` each define an aggregation instance.
The following protection pack (web ACL) JSON listing shows this configuration. The rule in this example limits requests for any single bot aggregation instance to 1,000 in a two minute period.
```
{
"Name": "test-web-acl",
"Id": ...
"ARN": ...
"DefaultAction": {
"Allow": {}
},
"Description": "",
"Rules": [
{
"Name": "AWS-AWSManagedRulesBotControlRuleSet",
"Priority": 0,
"Statement": {
"ManagedRuleGroupStatement": {
"VendorName": "AWS",
"Name": "AWSManagedRulesBotControlRuleSet",
"ManagedRuleGroupConfigs": [
{
"AWSManagedRulesBotControlRuleSet": {
"InspectionLevel": "COMMON"
}
}
]
}
},
"OverrideAction": {
"None": {}
},
"VisibilityConfig": {
"SampledRequestsEnabled": true,
"CloudWatchMetricsEnabled": true,
"MetricName": "AWS-AWSManagedRulesBotControlRuleSet"
}
},
{
"Name": "test-rbr",
"Priority": 1,
"Statement": {
"RateBasedStatement": {
"Limit": 1000,
"EvaluationWindowSec": 120,
"AggregateKeyType": "CUSTOM_KEYS",
"CustomKeys": [
{
"LabelNamespace": {
"Namespace": "awswaf:managed:aws:bot-control:bot:name:"
}
}
]
}
},
"Action": {
"Block": {}
},
"VisibilityConfig": {
"SampledRequestsEnabled": true,
"CloudWatchMetricsEnabled": true,
"MetricName": "test-rbr"
}
}
],
"VisibilityConfig": {
"SampledRequestsEnabled": true,
"CloudWatchMetricsEnabled": true,
"MetricName": "test-web-acl"
},
"Capacity": 82,
"ManagedByFirewallManager": false,
"RetrofittedByFirewallManager": false,
"LabelNamespace": "awswaf:0000000000:webacl:test-web-acl:"
}
```
# Rate limit the requests with specific ASNs
To limit the number of requests from specific Autonomous System Numbers (ASNs) based on the IP address of the requests, set the request aggregation to *Custom keys* and provide the aggregation criteria.
The following JSON shows an example of a rule aggregating ASNs derived from forwarded IP addresses found in the `X-Forwarded-For` header. If AWS WAF can't derive an ASN because the IP address is malformed, the fallback behavior is set to `MATCH`.
```
{
"Name": "test-rbr",
"Priority": 0,
"Statement": {
"RateBasedStatement": {
"AggregateKeyType": "CUSTOM_KEYS",
"CustomKeys": [
{
"ASN": {}
},
{
"ForwardedIP": {}
}
],
"EvaluationWindowSec": 300,
"ForwardedIPConfig": {
"FallbackBehavior": "MATCH",
"HeaderName": "X-Forwarded-For"
},
"Limit": 2000
}
},
"VisibilityConfig": {
"CloudWatchMetricsEnabled": true,
"MetricName": "test-rbr",
"SampledRequestsEnabled": true
}
}
```