Infrastructure support team mitigates DDoS with AWS WAF and rate limits

When a UK infrastructure support team faced escalating DDoS attacks against their critical public web workload, traditional security approaches proved insufficient. Our data-driven AWS WAF solution replaced that exposure with layered, measurable protection.

Requirements at a glance

  • Protection against DDoS and application-layer attacks for public web workload
  • Maintain availability during traffic bursts up to 200,000 requests per 5 minutes
  • Minimise false positives through data-driven threshold setting
  • Eliminate the overhead of third-party security appliances
  • Enable the infrastructure team to manage and tune protections independently
Industry: IT operations and infrastructure support
Solution: AWS WAF with custom rate limiting
Result: Zero attack-related downtime achieved
Key metric: Zero security incidents post-implementation

Summary

A UK-based infrastructure support team needed robust DDoS protection for a high-traffic public web workload experiencing significant volumetric spikes. The challenge required balancing aggressive threat mitigation with legitimate traffic accommodation during peak periods.
Adaptavist implemented AWS WAF v2 with custom rate-based rules derived from real traffic analysis using ALB logs and Amazon Athena. Layered with AWS Managed Rules and integrated into CI/CD pipelines, the solution absorbed volumetric attacks without manual intervention while maintaining zero attack-related downtime.

The challenge

The infrastructure support team faced escalating DDoS threats against their public web workload, with each attack revealing new patterns that traditional network defences couldn't counter effectively.
Technical challenges
  • Volumetric attack management: Legitimate traffic bursts of up to 200,000 requests per 5 minutes had to be served while attack traffic was dropped
  • Dynamic threat landscape: Attacks varied in patterns, requiring adaptive protection mechanisms
  • False positive prevention: Aggressive blocking could impact legitimate users during peak traffic periods
  • Resource constraint management: Attacks consumed infrastructure resources, affecting performance and costs
Operational requirements
The team required autonomous threat management capabilities without constant security specialist intervention. Traditional third-party appliances created operational overhead and additional infrastructure complexity.
Rapid response capabilities became essential, as the team needed tools and processes to adjust protection thresholds quickly as attack patterns evolved. The solution also needed to be integrated with existing DevOps workflows to maintain operational consistency.

The solution

Rather than deploying another traditional security appliance, we implemented AWS WAF v2 on their internet-facing application load balancer as the foundation for a sophisticated, data-driven DDoS protection strategy.
The breakthrough came from analysing the team's own traffic patterns. We utilised ALB access logs stored in Amazon S3, querying historical data through Amazon Athena to establish precise baseline thresholds and identify the signatures of abusive traffic.
This analytical approach revealed the difference between legitimate traffic spikes and attack patterns, enabling custom rate-based rules that accommodated genuine usage whilst effectively blocking volumetric attacks.
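The threshold derivation described above, as an added example that is not part of the original case study: the same per-client-IP, per-5-minute counting the team ran in Athena over the S3-stored ALB logs, done here in Python over constructed ALB log lines so it runs offline. The headroom factor, the number of top talkers set aside for manual review and the rounding to the nearest 100 are tuning assumptions, not AWS values.

```python
import math
import shlex
from collections import Counter
from datetime import datetime, timezone

WINDOW_SEC = 300  # AWS WAF rate-based rules count requests over 5 minutes

def parse_line(line):
    """Return (client_ip, window_start_epoch) for one ALB access log line."""
    f = shlex.split(line)  # keeps quoted fields (request, user-agent) intact
    ts = datetime.strptime(f[1], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    client_ip = f[3].rsplit(":", 1)[0]  # field 3 is "client:port"
    return client_ip, int(ts.timestamp()) // WINDOW_SEC * WINDOW_SEC

def per_ip_window_counts(lines):
    """Requests per (client_ip, 5-minute window); fixed windows approximate
    WAF's trailing-window evaluation closely enough for a baseline."""
    return Counter(parse_line(l) for l in lines if l.strip())

def top_talkers(counts, n=3):
    """Busiest (ip, window) pairs, for manual review as candidate abuse."""
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)[:n]

def suggest_limit(counts, exclude_top=1, headroom=2.0, floor=100):
    """Limit = peak per-IP count among non-excluded sources x headroom, rounded
    up to the next 100. exclude_top, headroom and floor are tuning assumptions."""
    legit = sorted(counts.values(), reverse=True)[exclude_top:]
    return max(floor, math.ceil(max(legit, default=0) * headroom / 100) * 100)

# Constructed ALB log line template (account id, ARN and hosts are placeholders).
_TEMPLATE = ('https {ts} app/public-alb/0123456789abcdef {ip}:{port} 10.0.1.10:80 '
             '0.001 0.020 0.000 200 200 120 512 "GET https://www.example.com:443/ HTTP/1.1" '
             '"Mozilla/5.0" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 '
             'arn:aws:elasticloadbalancing:eu-west-2:123456789012:targetgroup/web/abc '
             '"Root=1-0-0" "www.example.com" "-" 0 {ts} "forward" "-" "-" "10.0.1.10:80" "200" "-" "-"')

def constructed_lines():
    """Three ordinary clients plus one hammering source, all inside 10:00-10:05 UTC."""
    plan = {"203.0.113.10": 60, "203.0.113.11": 45, "198.51.100.7": 30, "192.0.2.99": 900}
    lines = []
    for ip, n in plan.items():
        for i in range(n):
            s = i % 300  # stay inside one window; microseconds keep the lines distinct
            ts = "2024-01-15T10:%02d:%02d.%06dZ" % (s // 60, s % 60, (i // 300) * 1000)
            lines.append(_TEMPLATE.format(ts=ts, ip=ip, port=40000 + i))
    return lines

if __name__ == "__main__":
    counts = per_ip_window_counts(constructed_lines())
    print(top_talkers(counts), suggest_limit(counts))  # 192.0.2.99 leads; limit 200
```

With the single abusive source set aside, the busiest legitimate client peaks at 60 requests in the window, so the suggested per-IP limit is 200; leaving the abuser in the baseline (exclude_top=0) would inflate it to 1800, which is exactly the false-negative the review step guards against.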
Layered protection strategy
Following successful rate limit validation, we implemented AWS Managed Rule groups incrementally:
  • IP reputation intelligence: Leveraged AWS threat data for known malicious sources
  • WordPress protection: Targeted rules for common CMS vulnerabilities
  • SQL injection defence: Advanced database attack protection
  • Known bad inputs: Blocked recognised malicious input patterns
  • Common rule set: Comprehensive OWASP vulnerability coverage
Strategic deployment methodology
The implementation followed a rigorous three-environment progression designed to validate effectiveness without production risk.
  • Development validation: Each rule underwent testing against real traffic patterns in development environments, ensuring compatibility with application behaviour and identifying potential false positives.
  • Staging verification: Staged deployment provided final validation under production-like conditions, with comprehensive monitoring confirming rule effectiveness before production promotion.
  • Production rollout: Controlled production deployment with immediate monitoring and rollback capabilities ensured seamless transition to full protection whilst maintaining service availability.
WAF configuration integrated directly into CI/CD pipelines, enabling rapid, controlled updates as threats evolved or requirements changed. This approach eliminated manual configuration drift whilst maintaining audit trails for all security changes.
Automated deployment processes ensured consistent configuration across environments, reducing operational overhead and human error potential.

The result and business impact

Our AWS WAF implementation delivered exceptional protection capabilities whilst significantly improving operational efficiency for the infrastructure support team.
DDoS protection performance
  • Zero attack-related downtime recorded during the observation period
  • Volumetric spike absorption up to 200,000 requests per 5 minutes without manual intervention
  • Comprehensive attack coverage across DDoS and application-layer threats
  • Minimal false positives through data-driven threshold setting
Operational transformation
The data-driven tuning approach using ALB logs and WAF metrics dramatically reduced false positives and ongoing manual effort. The infrastructure team gained autonomous management capabilities, safely adjusting protections through established CI/CD processes.
Comprehensive runbooks and knowledge transfer enabled rapid incident response and proactive threshold adjustment based on evolving traffic patterns.
Business value achievement
Cost optimisation: Native rate limiting and managed rules eliminated third-party security appliance requirements, reducing both licensing costs and operational complexity. Origin cost avoidance through early traffic throttling provided additional savings.
Enhanced availability: Successful attack mitigation maintained service availability during peak periods, directly supporting customer satisfaction and business continuity objectives.
Reduced on-call burden: Automated attack absorption reduced the infrastructure team's on-call incidents, improving work-life balance and operational efficiency.

Key learnings and best practices

Data-driven configuration

Production traffic analysis proved essential for accurate rate limit establishment. Initial thresholds based on real traffic patterns required iterative refinement as attack methods evolved and legitimate usage patterns changed.
ALB log analysis through Athena provided invaluable insights into traffic patterns, enabling precise threshold setting that balanced protection with user experience.

Incremental rule deployment

Starting new rules in count mode with comprehensive dashboard monitoring enabled confident transition to blocking mode. This approach prevented unexpected service disruption whilst validating rule effectiveness against real traffic.
Combining custom rate-based rules with managed rule groups created a defence-in-depth architecture that addressed both volumetric and sophisticated application-layer attacks.
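The layered web ACL that the solution section's managed rule groups and this count-then-block progression describe, as an added example (not Adaptavist's deliverable): the rule list is built as the plain dictionaries AWS WAF v2 expects, with the rate-based rule first and each managed group starting in count mode until it is promoted. The managed group names are AWS's; the rule names, metric names and priorities are assumptions.

```python
# Added example of the layered web ACL the page describes (not Adaptavist's
# deliverable). Managed group names are AWS's; priorities, rule and metric
# names are assumptions.
MANAGED_GROUPS = [  # same order as the page's incremental rollout
    "AWSManagedRulesAmazonIpReputationList",
    "AWSManagedRulesWordPressRuleSet",
    "AWSManagedRulesSQLiRuleSet",
    "AWSManagedRulesKnownBadInputsRuleSet",
    "AWSManagedRulesCommonRuleSet",
]

def _visibility(metric):
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
            "MetricName": metric}

def rate_limit_rule(limit, enforce, priority=0):
    """Per-IP rate-based rule over a 5-minute window. With enforce=False the rule
    only counts, so CloudWatch shows what it would block before any user is."""
    return {"Name": "per-ip-rate-limit", "Priority": priority,
            "Statement": {"RateBasedStatement": {"Limit": limit, "AggregateKeyType": "IP",
                                                 "EvaluationWindowSec": 300}},
            "Action": {"Block": {}} if enforce else {"Count": {}},
            "VisibilityConfig": _visibility("PerIpRateLimit")}

def managed_rule(group, enforce, priority):
    """Managed groups take an OverrideAction, not an Action: Count overrides every
    rule in the group, None lets the group's own block actions apply."""
    return {"Name": group, "Priority": priority,
            "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": group}},
            "OverrideAction": {"None": {}} if enforce else {"Count": {}},
            "VisibilityConfig": _visibility(group)}

def build_rules(limit, enforce_rate=True, enforced_groups=()):
    """Rate rule first, then the managed groups; a group enforces only after it
    has been promoted into enforced_groups following its count-mode review."""
    rules = [rate_limit_rule(limit, enforce_rate)]
    for i, group in enumerate(MANAGED_GROUPS, start=1):
        rules.append(managed_rule(group, group in enforced_groups, priority=i))
    return rules

def counting_rules(rules):
    """Rules still in count mode, i.e. the promotion checklist for the next review."""
    return [r["Name"] for r in rules
            if {"Count": {}} in (r.get("Action"), r.get("OverrideAction"))]
```

The returned list is the `Rules` element of a regional (`Scope="REGIONAL"`, as required for an ALB) web ACL passed to `wafv2.update_web_acl`; keeping `enforced_groups` in version control is what makes each promotion from count to block a reviewable pipeline change.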

Operational excellence framework

Regular scheduled reviews of WAF logs and CloudWatch alarms optimised rule performance and reduced false positives over time. This proactive approach maintained protection effectiveness whilst minimising operational overhead.
Comprehensive runbooks and team training enabled rapid response and autonomous tuning capabilities, reducing dependency on external security specialists.

Monitoring and response

CloudWatch integration provided real-time visibility into attack patterns and rule performance. Automated alerting enabled proactive response whilst detailed logging supported forensic analysis and continuous improvement.
Dashboard creation simplified complex security data into actionable insights for the infrastructure team, enabling informed decision-making during incidents.

Looking forward

This implementation showcases the power of data-driven security approaches in modern cloud environments. The combination of real traffic analysis with expert-maintained managed rules delivered sophisticated protection whilst maintaining operational simplicity.
The project's success demonstrates several critical principles for effective DDoS protection. Leveraging actual traffic data ensures protection thresholds align with genuine usage patterns, reducing false positives whilst maintaining security effectiveness.
Integration with existing DevOps practices ensures security controls evolve alongside application development, maintaining consistent protection without operational disruption or workflow interference.
Future enhancements will focus on machine learning integration for predictive threat detection and automated threshold adjustment based on traffic pattern analysis. Additional managed rule groups will provide expanded protection against emerging attack vectors whilst maintaining the data-driven approach that proved so effective.

Protect your web applications with expert AWS WAF implementation

As an AWS WAF Delivery Partner, Adaptavist brings validated expertise in implementing security solutions that safeguard your applications from web exploits. With proven success and deep AWS expertise across the full spectrum of cloud services, our certified specialists help you build, secure, and optimise your entire AWS infrastructure with comprehensive solutions tailored to your business needs.