I want to create a rate limiting AWS WAF rule for my frontend application. I don't know what threshold I should give, because when the page loads there are around 50 internal calls happening. Say 5,000 people open my site at the same time; there will be 5,000*50, but I should not set 250,000. Then how should I set the rate limiting threshold for frontend applications?
I have tried putting 100 as the threshold in my rate limiting rule. So if I refresh three times within a 5-minute period, it should block the site, but I was able to make multiple calls to that site, more than 50 in a 5-minute period. Then how is this threshold calculated for frontend applications?
The WAF should be applying the thresholds per IP address, so 5,000 people is 5,000 different IPs. When you refresh many times, your browser cache should also reduce the number of hits to your origin. The limits AFAIK are per second, but it might be reporting every 5 mins.
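To make the per-IP counting concrete, here is an added example (not code from either post above, and not the WAF engine itself): a small sliding-window model of a rate-based rule that counts requests per source IP over a trailing 5-minute window, which is how AWS WAF's rate-based statement is documented to aggregate by IP. The traffic is constructed, the IP addresses are documentation/private ranges, and `suggest_limit` is one common sizing rule (per-user calls per window times a headroom factor), not an AWS recommendation. The `rate_based_statement` helper returns the `RateBasedStatement` shape that boto3's `wafv2` `create_web_acl` / `update_web_acl` expect under `Rules[].Statement`.

```python
"""Model a per-source-IP rate-based rule over a trailing window.

Added example, not from the original question or answer. It models the
documented behaviour (requests counted per IP over a 5-minute window) so
you can see what a threshold means for a frontend that fires many API
calls per page load. All traffic below is constructed.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 300  # the classic 5-minute AWS WAF evaluation window


def rate_based_statement(limit: int) -> dict:
    """WAFv2 rule statement for a per-IP rate limit.

    Shape used by boto3 wafv2 create_web_acl / update_web_acl under
    Rules[].Statement; Limit is requests per IP per evaluation window.
    """
    return {"RateBasedStatement": {"Limit": limit, "AggregateKeyType": "IP"}}


class PerIpRateLimiter:
    """Count requests per IP in a trailing window; block once the count
    reaches the limit. Blocked requests are still counted, so a client
    stays blocked until its rate in the window drops below the limit."""

    def __init__(self, limit: int, window: int = WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)  # ip -> timestamps inside window

    def request(self, ip: str, ts: float) -> bool:
        """Record one request at time ts (seconds). Return True if blocked."""
        q = self._hits[ip]
        cutoff = ts - self.window
        while q and q[0] <= cutoff:  # evict hits that fell out of the window
            q.popleft()
        blocked = len(q) >= self.limit
        q.append(ts)
        return blocked


def page_load(limiter: PerIpRateLimiter, ip: str, ts: float, calls: int) -> int:
    """One page load = `calls` near-simultaneous API calls from one IP.
    Returns how many of them were blocked."""
    return sum(limiter.request(ip, ts) for _ in range(calls))


def one_user_refreshing(limit, calls_per_load, load_times, ip="203.0.113.7"):
    """Blocked-call count per page load for a single user refreshing at the
    given second offsets. 203.0.113.7 is a documentation address."""
    limiter = PerIpRateLimiter(limit)
    return [page_load(limiter, ip, t, calls_per_load) for t in load_times]


def many_users_once(limit, calls_per_load, users):
    """`users` distinct IPs (constructed 10.0.x.y addresses) each load the
    page once at the same instant. Counts never add across IPs, so the
    site-wide total (users * calls) is irrelevant to the threshold."""
    limiter = PerIpRateLimiter(limit)
    return sum(
        page_load(limiter, f"10.0.{i // 256}.{i % 256}", 0.0, calls_per_load)
        for i in range(users)
    )


def suggest_limit(calls_per_load, loads_per_window, headroom=2.0):
    """Size the threshold from a single user's behaviour: calls one user
    makes in one window, times a safety factor. Assumed sizing rule."""
    return int(calls_per_load * loads_per_window * headroom)


if __name__ == "__main__":
    print(rate_based_statement(100))
    # 50 calls per load, limit 100: third refresh inside 5 min is blocked,
    # a refresh after the window has cleared (t=420) is allowed again.
    print(one_user_refreshing(100, 50, [0, 60, 120, 420]))
    # 5,000 users x 50 calls at once: per-IP counting blocks nothing.
    print(many_users_once(100, 50, 5000))
    print(suggest_limit(50, 5))
```

Two caveats when reading the numbers: the real rule evaluates counts periodically rather than on every request, so a burst that crosses the limit is not cut off at exactly the limit, and many users behind one NAT or corporate proxy share a single source IP, so size the limit for the busiest legitimate shared address, not for one browser.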