I hope you're doing well. I have an interesting new problem - rapid attacks.
Web Firewall Logs is recording attacks where the IP targets the same URL, with the same request, multiple times per second. So maybe three (3) or more requests per second. To deal with some persistent attackers, I dropped the dynamic blacklist number so that the blacklist is triggered sooner. But there are instances where either the dynamic blacklist is not triggered soon enough, or it is overwhelmed, or it is triggered but too late to stop 1 or 2 additional hits...I'm not sure.
The point is that the logs show the first few requests, then in some cases the triggering of the dynamic blacklist, followed by 1-2 requests that are dynamically blocked. Or, the logs will show some number of requests over the amount that should trigger the dynamic blacklist, then the triggering of the blacklist.
I've experienced this now maybe 3-4 times in the past two months. I saw the previous post re dealing with multiple hits (that are not attacks) at the server level. I'm not sure if this is the same situation. If it is not, is there a way to control for frequency of attacks in a given time period?
I fear there is nothing to do here; we have the same situation as a server suffering a DDoS attack. This is not a bug but the normal behavior of a server processing all queries, so an attack like this must be stopped at the server level.
The good news is that even in that situation all attacks are stopped by the firewall.
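What a server-level check for the rapid-fire pattern described above would look like, as an added example that is not code from the original thread or from the firewall product it discusses: a sliding-window counter over access-log lines that flags an IP once it hits the same URL three or more times within one second. The log format (combined-log style), the 3-per-second threshold, the IP addresses and the sample lines are all constructed assumptions for illustration.

```python
"""Sliding-window per-IP, per-URL rate detector over web-server access log lines.

Added example, not code from the original thread or the firewall it discusses.
The log format, threshold and sample lines below are constructed assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined-log-style line; the timestamp format is an assumption.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: 203.0.113.7 hits /login three times in the same
# second (the pattern the thread describes); 198.51.100.2 is normal traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /login HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /login HTTP/1.1" 200 512',
    '198.51.100.2 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 2048',
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /login HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /login HTTP/1.1" 403 128',
    '198.51.100.2 - - [10/Oct/2023:13:55:38 +0000] "GET /index.php HTTP/1.1" 200 2048',
    '198.51.100.2 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php HTTP/1.1" 200 2048',
]


def parse_line(line):
    """Return (ip, url, unix_timestamp) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT).timestamp()
    return m.group("ip"), m.group("url"), ts


class RateLimiter:
    """Flags an (ip, url) pair once it has `limit` or more hits inside `window` seconds.

    Logs only carry 1-second resolution, so three lines with the same second
    count as three hits within the window.
    """

    def __init__(self, limit=3, window=1.0):
        self.limit = limit
        self.window = window
        self.hits = defaultdict(deque)  # (ip, url) -> timestamps inside window

    def observe(self, ip, url, ts):
        q = self.hits[(ip, url)]
        q.append(ts)
        # Drop hits that have fallen out of the window.
        while q and ts - q[0] > self.window:
            q.popleft()
        return len(q) >= self.limit


def find_offenders(lines, limit=3, window=1.0):
    """Return {(ip, url): timestamp of the hit that first crossed the limit}."""
    rl = RateLimiter(limit, window)
    offenders = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, url, ts = parsed
        if rl.observe(ip, url, ts) and (ip, url) not in offenders:
            offenders[(ip, url)] = ts
    return offenders


def block_list(lines, limit=3, window=1.0):
    """Sorted list of IPs to hand to a server-level block (firewall, deny list)."""
    return sorted({ip for ip, _ in find_offenders(lines, limit, window)})


if __name__ == "__main__":
    for (ip, url), ts in find_offenders(SAMPLE_LOG).items():
        print(f"{ip} exceeded limit on {url} at {ts:.0f}")
    print("block:", block_list(SAMPLE_LOG))
```

The point of doing this outside the application firewall is the one the reply makes: the web server has already accepted and logged the request by the time a PHP-level firewall can react, so the first few hits always get through. Feeding the block list into a packet filter (or using the web server's own per-IP request limiting, such as nginx's `limit_req_zone`/`limit_req` directives) stops the excess requests before the application sees them.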