AWS waf documentation change
Summary
Added ASN and ASN-in-header aggregation options with security caveats
Security assessment
Introduces ASN-based rate-limiting options and warns about proxy risks, enhancing security documentation.
Diff
diff --git a/waf/latest/developerguide/waf-rule-statement-type-rate-based-aggregation-options.md b/waf/latest/developerguide/waf-rule-statement-type-rate-based-aggregation-options.md index 5e5a56ca6..cc346bb73 100644 --- a//waf/latest/developerguide/waf-rule-statement-type-rate-based-aggregation-options.md +++ b//waf/latest/developerguide/waf-rule-statement-type-rate-based-aggregation-options.md @@ -26,0 +27,8 @@ Use caution with this option, because headers can be handled inconsistently by p + * **ASN** – Aggregate using an Autonomous System Number (ASN) associated with the source IP address as an aggregate key. This might not be the address of the originating client. If a web request goes through one or more proxies or load balancers, this contains the address of the last proxy. + +If AWS WAF can’t derive an ASN from the IP address, it counts the ASN as ASN 0\. If you don't want to apply rate limiting to unmapped ASNs, you can create a scope-down rule that excludes requests with ASN 0. + + * **ASN in header** – Aggregate using an ASN associated with a client IP address in an HTTP header. This is also referred to as a forwarded IP address. With this configuration, you also specify a fallback behavior to apply to a web request with an invalid or malformed IP address. The fallback behavior sets the matching result for the request, to match or no match. If you set the fallback behavior to match in the forwarded IP configuration, AWS WAF treats the invalid IP address as a matching value. This allows AWS WAF to continue evaluating any remaining parts of your rate-based rule's composite key. For no match, the rate-based rule doesn't count or rate limit the request. + +Use caution with this option, as headers can be handled inconsistently by proxies and they can be modified to bypass inspection. For additional information and best practices, see [Using forwarded IP addresses in AWS WAF](./waf-rule-statement-forwarded-ip-address.html). +