I have a website hosted on S3 behind CloudFront. I get continuous spamming for a couple of hours every evening. The spammer uses different IPs/subnets to launch the same. Going through the access logs, I cannot identify any common pattern or special request origin. What kind of further digging is needed to create a WAF rule to avoid this? What is the maximum damage I am seeing here [apart from CloudFront transfer costs]?

The IPs being used are from Amazon, which indicates that new instances or containers are being spun up to launch the same.

neuro
Ashav

1 Answer

Amazon publishes its IP address ranges, here. If you are not expecting traffic from AWS instances, you can either create a WAF rule that denies traffic from the IP address ranges, or create a viewer-request Lambda@Edge that does the same. Depending on the number of requests/amount of traffic, the Lambda may prove to be substantially more cost-effective.

hephalump
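The viewer-request Lambda@Edge approach from the answer above, sketched as an added example that is not part of the original answer or any AWS-provided code. It assumes the Python runtime and that only `EC2` entries of the published ranges file should be denied; the function names are hypothetical and the sample prefixes are constructed documentation ranges, not real AWS ranges.

```python
import ipaddress

# Constructed sample in the shape of AWS's published ip-ranges.json.
# The prefixes are documentation ranges (RFC 5737 / RFC 3849), not real AWS
# ranges; in a deployment, bundle the EC2 entries of the real file instead.
SAMPLE_RANGES = {
    "prefixes": [
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "198.51.100.0/24", "region": "GLOBAL", "service": "CLOUDFRONT"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:1000::/40", "region": "eu-west-1", "service": "EC2"},
    ],
}


def load_networks(ranges, service="EC2"):
    """Return the IPv4 and IPv6 networks published for one service."""
    nets = [ipaddress.ip_network(p["ip_prefix"])
            for p in ranges.get("prefixes", []) if p["service"] == service]
    nets += [ipaddress.ip_network(p["ipv6_prefix"])
             for p in ranges.get("ipv6_prefixes", []) if p["service"] == service]
    return nets


# Parsed once per container, not on every request.
BLOCKED = load_networks(SAMPLE_RANGES)


def is_blocked(client_ip, networks=BLOCKED):
    """True if the viewer address falls inside any blocked network."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # unparsable address: fail open, leave it to other controls
    # Compare IP versions explicitly so v4 and v6 entries never cross-match.
    return any(addr.version == n.version and addr in n for n in networks)


def handler(event, context):
    """Viewer-request trigger: answer 403 at the edge or pass the request on."""
    request = event["Records"][0]["cf"]["request"]
    if is_blocked(request["clientIp"]):
        return {"status": "403", "statusDescription": "Forbidden",
                "body": "Forbidden"}
    return request
```

Filtering on the `service` field matters: the same file also lists CloudFront's own ranges, and denying every prefix in it would block more than EC2-hosted clients.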