Thresholding without the Threshold KW (AWS Limitations)

Unfortunately, AWS Firewall doesn’t support a few things, including Thresholding.

I was hoping to limit the number of times a certain UDP server query can be used within X time frame. Say Max 10 times in 10 seconds. But I just discovered the AWS network firewall doesn’t support it. Can anyone think of a workaround or another way to achieve something close to this? Below is the rule I was hoping to have used.

drop udp $EXTERNAL_NET any → $HOME_NET any (msg:“10 pings per 10 seconds”;content:“TSource|20|Engine|20|Query”;depth:20;offset:4;threshold:type threshold,track: by_dst, count 10, seconds 10;classtype:policy-violation;sid:001;rev:1;metadata:created_at 2022_11_18,updated_at 2022_11_18;)

Assuming that you are not referring to the ddos case and those packets are happening within the same flow (same 5 tuples, same stream),
The best thing that I can think of in aws (assuming this is supported) is to use flowints example:

Rule section: flowint: udppackets, +, 1; flowint: udppackets, >, 10;

In the above you count the number of rule triggers within a stream till it reaches 10, and then action is taken.

This is however is dependent on how aws do load balancing between different suricata instances running.

More info: 6.10. Flow Keywords — Suricata 6.0.3 documentation


yeah this option isn’t bad, but we type of problem we are currently dealing with has millions of unique IPs, so we really need to block on the overall total rather than for a single IP. As usually, IPs are unique in the current attack we are facing. Hence we’re looking into using suricata outside of AWS firewall on a dedicated machine!