How do I use AWS WAF to block HTTP requests that don't contain a User-Agent header?


I want to restrict HTTP requests that don't contain a specific User-Agent or contain a specific User-Agent header value in the request.

Short description

By default, AWS WAF filters don't check whether HTTP request parameters, such as the User-Agent header, are present. To check whether they are present, do one of the following:

Block requests that don't contain a User-Agent header using AWS Managed Rules.

-or-

Block requests that don't contain a User-Agent header or block traffic if the requests contain a specific User-Agent using custom rules.

Resolution

Block requests that don’t contain a User-Agent header using AWS Managed Rules

Use AWS Managed Rules for AWS WAF to block HTTP requests that don't contain a User-Agent header without having to write your own rules.

Note: Managed Rules are subject to version changes and expiration. For more information, see Best practices for handling managed rule group versions.

The following rules inspect requests missing the HTTP User-Agent header and User-Agent strings that don't seem to be from a web browser:

NoUserAgent_HEADER
This rule is from the Core rule set (CRS) managed rule group. This rule inspects for requests that are missing the HTTP User-Agent header.

SignalNonBrowserUserAgent
This rule is from the AWS WAF Bot Control rule group. This rule inspects for User-Agent strings that don't seem to be from a web browser, including requests with no User-Agent header.

To add an AWS Managed Rule group to your web ACL

  1. Open the AWS WAF console.
  2. In the navigation pane, under AWS WAF, choose Web ACLs.
  3. For Region, choose the AWS Region where you created your web ACL.
    Note: Select Global if your web ACL is set up for Amazon CloudFront.
  4. Select your web ACL.
  5. Choose Rules, and then choose Add Rules. Select Add managed rule groups from the dropdown.
  6. Expand the AWS managed rule groups section.
  7. Locate the rule group and turn on Add to web ACL.
    For example, you can turn on Add to web ACL for Core rule set that contains the NoUserAgent_HEADER rule.
  8. (Optional) Choose Edit to view and modify the settings for the rule group.
  9. Choose Add rules.
  10. Choose Save.

To edit an existing AWS Managed Rule group in your web ACL

  1. Open the AWS WAF console.
  2. In the navigation pane, under AWS WAF, choose Web ACLs.
  3. For Region, choose the AWS Region where you created your web ACL.
    Note: Select Global if your web ACL is set up for Amazon CloudFront.
  4. Select your web ACL.
  5. Choose Rules, and then choose Edit to view and modify the settings.
    Note: For additional information on editing settings, see Working with managed rule groups.
  6. When you finish editing, choose Save.

If you see false positives from AWS Managed Rules rule groups, see AWS Managed Rules for AWS WAF.

Block requests that don’t contain a User-Agent header using custom rules

To block requests that don't contain a User-Agent header using a custom rule, do the following:

  1. Open the AWS WAF console.
  2. In the navigation pane, under AWS WAF, choose Web ACLs.
  3. For Region, select the AWS Region where you created your web ACL.
    Note: Select Global if your web ACL is set up for Amazon CloudFront.
  4. Select your web ACL.
  5. Choose Rules, and then choose Add Rules, Add my own rules and rule groups.
  6. Choose Rule Builder for the Rule type.
  7. For Name, enter a name to identify this rule.
  8. For Type, choose Regular rule.
  9. For If a request, choose doesn't match the statement (NOT).
  10. On Statement, for Inspect, choose Single header.
    For Header field name, enter a name for the field. For example: User-Agent.
    For Match type, choose Size greater than.
    For Size in bytes, enter 0 (zero).
    (Optional) Choose a Text transformation or choose None.
  11. For Action, choose Block.
  12. Choose Add Rule.
  13. (Optional) For Set Rule Priority, select your rule and move its priority. The rules are processed in the order that they appear. For more information, see Processing order of rules and rule groups in a web ACL.
  14. Choose Save.

Block traffic if the requests contain a specific User-Agent using custom rules

To block traffic if the requests contain a specific User-Agent using a custom rule, do the following:

  1. Open the AWS WAF console.
  2. In the navigation pane, under AWS WAF, choose Web ACLs.
  3. For Region, select the AWS Region where you created your web ACL.
    Note: Select Global if your web ACL is set up for Amazon CloudFront.
  4. Select your web ACL.
  5. Choose Rules, and then choose Add Rules, Add my own rules and rule groups.
  6. Choose Rule Builder for the Rule type.
  7. For Name, enter a name to identify this rule.
  8. For Type, choose Regular rule.
  9. For If a request, choose matches a statement.
  10. On Statement, for Inspect, choose Single header.
    For Header field name, enter a name for the field. For example: User-Agent.
    For Match type, choose Contains string.
    For String to match, enter the value for your specific User-Agent to block.
    (Optional) Choose a Text transformation or choose None.
  11. For Action, choose Block.
  12. Choose Add Rule.
  13. (Optional) For Set Rule Priority, select your rule and move its priority. The rules are processed in the order that they appear. For more information, see Processing order of rules and rule groups in a web ACL.
  14. Choose Save.
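The two custom rules above, the "doesn't match (NOT) size of User-Agent greater than 0" rule and the "User-Agent contains string" rule, expressed as the AWS WAF (WAFv2) rule JSON the console builds, with a small local evaluator that shows why the NOT plus size-greater-than-zero construction catches both an absent and an empty User-Agent header. This is an added example, not code from the AWS article; the rule and metric names, the ExampleBot search string and the evaluator's approximation of WAF matching (an absent header is inspected as an empty value) are assumptions.

```python
def _single_header(name):
    return {"SingleHeader": {"Name": name.lower()}}  # WAFv2 wants lowercase names

def _visibility(metric):
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
            "MetricName": metric}

def missing_user_agent_rule(priority=0):
    """Console rule 'doesn't match (NOT): size of User-Agent > 0' as rule JSON."""
    size_gt_zero = {"SizeConstraintStatement": {
        "FieldToMatch": _single_header("User-Agent"),
        "ComparisonOperator": "GT", "Size": 0,
        "TextTransformations": [{"Priority": 0, "Type": "NONE"}]}}
    return {"Name": "BlockMissingUserAgent", "Priority": priority,
            "Statement": {"NotStatement": {"Statement": size_gt_zero}},
            "Action": {"Block": {}},
            "VisibilityConfig": _visibility("BlockMissingUserAgent")}

def blocked_user_agent_rule(search_string, priority=1):
    """Console rule 'User-Agent contains <string>' as rule JSON."""
    return {"Name": "BlockSpecificUserAgent", "Priority": priority,
            "Statement": {"ByteMatchStatement": {
                "FieldToMatch": _single_header("User-Agent"),
                "PositionalConstraint": "CONTAINS",
                "SearchString": search_string,
                "TextTransformations": [{"Priority": 0, "Type": "NONE"}]}},
            "Action": {"Block": {}},
            "VisibilityConfig": _visibility("BlockSpecificUserAgent")}

# Local approximation of AWS WAF matching, constructed for illustration only;
# assumption: an absent header is inspected as an empty value (size 0).
def _header(headers, name):
    return next((v for k, v in headers.items() if k.lower() == name), "")

def statement_matches(stmt, headers):
    if "NotStatement" in stmt:
        return not statement_matches(stmt["NotStatement"]["Statement"], headers)
    if "SizeConstraintStatement" in stmt:  # only the GT operator is modelled
        s = stmt["SizeConstraintStatement"]
        size = len(_header(headers, s["FieldToMatch"]["SingleHeader"]["Name"]).encode())
        return size > s["Size"]
    if "ByteMatchStatement" in stmt:  # only CONTAINS with transformation NONE
        b = stmt["ByteMatchStatement"]
        return b["SearchString"] in _header(headers, b["FieldToMatch"]["SingleHeader"]["Name"])
    raise ValueError("unsupported statement type")

def rule_blocks(rule, headers):
    """True when this rule's Block action would fire for the given request headers."""
    return "Block" in rule["Action"] and statement_matches(rule["Statement"], headers)
```

`json.dumps(missing_user_agent_rule(), indent=2)` produces text you can paste into the web ACL's rule JSON editor instead of clicking through the Rule Builder; keep the Block action's priority ordering in mind, since rules are processed in the order they appear.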

AWS OFFICIAL. Updated 2 years ago.