DDoS attack rules

I am under DDoS attack. I have created the following rules based upon my traffic analytics:

(ip.geoip.country eq "SG" and http.referer eq "" and http.user_agent eq "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36" and http.request.uri eq "/teachings" and ip.src.asnum eq 45102)

and

(any(http.request.headers["x-requested-with"][*] contains "") and http.request.full_uri contains "/teachings")

It helps for a bit, then the traffic returns to previous levels. Does anyone have any suggestions for how to better format the rules?

Thanks!

The first rule is very specific, so any small change in the traffic will render the rule useless, as it won’t cope with the first “D” of “DDoS”.

If it is an attack, just challenge on http.request.uri eq "/teachings" if that’s the target. Real users will mostly get through; attacks won’t. If you want to ease off, then start challenging by ASN instead. These will mostly be cloud services, so they won’t have any real users, only bots. You can make exceptions for any known good bots that may come from them. Over time you will end up tuning the WAF as needed.
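An added example, not posted by anyone in this thread, that models the rule styles discussed above as Python predicates and runs them over a few constructed request records: it shows why the narrow rule stops matching as soon as the bot changes one field, while the URI and ASN challenges keep matching. The good-bot allow-list, the second ASN and the sample requests are assumed values, not from the thread.

```python
# Added example: compare the poster's narrow rule with the broader
# URI / ASN challenge suggested in the reply, over constructed traffic.
from dataclasses import dataclass

UA_CHROME_116_MAC = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) "
                     "AppleWebKit/537.36 (KHTML, like Gecko) "
                     "Chrome/116.0.0.0 Safari/537.36")

@dataclass
class Request:
    country: str
    asn: int
    uri: str
    user_agent: str
    referer: str = ""

def narrow_rule(r: Request) -> bool:
    """The poster's first rule: every field must match exactly."""
    return (r.country == "SG" and r.referer == "" and r.user_agent == UA_CHROME_116_MAC
            and r.uri == "/teachings" and r.asn == 45102)

def challenge_uri(r: Request) -> bool:
    """Reply's first suggestion: challenge everything hitting the target path."""
    return r.uri == "/teachings"

CLOUD_ASNS = {45102}            # ASN from the thread; extend from your own analytics
GOOD_BOT_UAS = ("Googlebot",)   # hypothetical allow-list, not from the thread

def challenge_asn(r: Request) -> bool:
    """Reply's second suggestion: challenge by ASN, exempting known good bots."""
    if any(bot in r.user_agent for bot in GOOD_BOT_UAS):
        return False
    return r.asn in CLOUD_ASNS

# Constructed sample traffic: the bot rotates its user agent after the narrow rule deploys.
# ASN 64496 is from the reserved documentation range, standing in for a residential ISP.
SAMPLE = [
    Request("SG", 45102, "/teachings", UA_CHROME_116_MAC),                          # original pattern
    Request("SG", 45102, "/teachings", UA_CHROME_116_MAC.replace("116", "117")),    # rotated UA
    Request("SG", 45102, "/", "Mozilla/5.0 (compatible; Googlebot/2.1)"),           # good bot
    Request("US", 64496, "/teachings", "Mozilla/5.0 (Windows NT 10.0) Firefox/118.0"),  # real user
]

def coverage(rule, reqs=SAMPLE) -> int:
    """Count how many sample requests a rule would act on (challenge, not block)."""
    return sum(1 for r in reqs if rule(r))

if __name__ == "__main__":
    for rule in (narrow_rule, challenge_uri, challenge_asn):
        print(f"{rule.__name__}: {coverage(rule)} of {len(SAMPLE)} requests")
```

Note that the real user in the sample is also matched by the URI rule, which is why the reply suggests a challenge rather than a block: a managed challenge lets real visitors through while most bots fail it.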

Thanks very much! This is very helpful.