Unfortunately, AWS Firewall doesn’t support a few things, including Thresholding.
I was hoping to limit the number of times a certain UDP server query can be used within X time frame. Say Max 10 times in 10 seconds. But I just discovered the AWS network firewall doesn’t support it. Can anyone think of a workaround or another way to achieve something close to this? Below is the rule I was hoping to have used.
drop udp $EXTERNAL_NET any -> $HOME_NET any (msg:"10 pings per 10 seconds"; content:"TSource|20|Engine|20|Query"; depth:20; offset:4; threshold:type threshold, track by_dst, count 10, seconds 10; classtype:policy-violation; sid:001; rev:1; metadata:created_at 2022_11_18, updated_at 2022_11_18;)
Assuming that you are not referring to the DDoS case and those packets are happening within the same flow (same 5-tuple, same stream),
the best thing that I can think of in AWS (assuming this is supported) is to use flowints. Example:
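As an added illustration of the flowint approach (this is not the answer's own rule, and it assumes the AWS rule engine accepts the flowint keyword, which the answer itself only assumes), a single Suricata rule can keep a per-flow counter and drop once it passes the limit. The sid and the counter name tsq_count are arbitrary choices for the example:

```suricata
# Added example: per-flow counting with flowint, not a rule from the original post.
# Suricata tracks a UDP "flow" by 5-tuple, so this counter lives with that flow
# and resets when the flow times out (flow-timeouts in suricata.yaml), not on a
# fixed 10-second window like the threshold keyword would. It also counts per
# flow only; queries from many different source IPs each get their own counter.
drop udp $EXTERNAL_NET any -> $HOME_NET any ( \
    msg:"More than 10 TSource Engine Query in one flow"; \
    flow:to_server; \
    content:"TSource|20|Engine|20|Query"; offset:4; depth:20; \
    flowint:tsq_count,+,1; \
    flowint:tsq_count,>,10; \
    classtype:policy-violation; \
    sid:1000001; rev:1;)
```

Keywords in a rule are evaluated in the order written, so every matching query first bumps tsq_count (creating it on the first packet), and only then is the comparison made; the drop action applies from the 11th query in the flow onwards, while the first ten are still allowed. Doing both in one rule avoids depending on rule ordering between a counting rule and a checking rule, which matters because Suricata's default action order evaluates drop rules before alert rules. Use >=,10 instead if the 10th query itself should be dropped.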
Yeah, this option isn't bad, but the type of problem we are currently dealing with has millions of unique IPs, so we really need to block on the overall total rather than for a single IP. As usual, IPs are unique in the current attack we are facing. Hence we're looking into using Suricata outside of AWS Firewall on a dedicated machine!