Options for rate limiting in rate-based rules and targeted Bot Control rules - Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Options for rate limiting in rate-based rules and targeted Bot Control rules

The targeted level of the Amazon WAF Bot Control rule group and the Amazon WAF rate-based rule statement both provide web request rate limiting. The following table compares the two options.

Comparison of options for rate-based detection and mitigation
Amazon WAF rate-based rule Amazon WAF Bot Control targeted rules
How rate limiting is applied Acts on groups of requests that are coming at too high a rate. You can apply any action except for Allow. Enforces human-like access patterns and applies dynamic rate limiting, through the use of request tokens.
Based on historical traffic baselines? No Yes
Time required to accumulate historic traffic baselines N/A Five minutes for dynamic thresholds. N/A for token absent.
Mitigation lag Usually 30-50 seconds. Can be up to several minutes. Usually less than 10 seconds. Can be up to several minutes.
Mitigation targets Configurable. You can group requests using a scope-down statement and by one or more aggregation keys, such as IP address, HTTP method, and query string. IP addresses and client sessions
Traffic volume level required to trigger mitigations Medium - can be as low as 100 requests in the specified time window Low - intended to detect client patterns such as slow scrapers
Customizable thresholds Yes No
Default mitigation action Console default is Block. No default setting in the API; the setting is required.

You can set this to any rule action except Allow.

The rule group rule action settings are Challenge for token absent and CAPTCHA for high volume traffic from a single client session.

You can set either of these rules to any valid rule action.

Resiliency against highly distributed attacks Medium - 10,000 IP address maximum for IP address limiting on its own Medium - limited to 50,000 total between IP addresses and tokens
Amazon WAF Pricing Included in the standard fees for Amazon WAF. Included in the fees for the targeted level of Bot Control intelligent threat mitigation.
For more information Rate-based rule statement Amazon WAF Bot Control rule group