For Latency Based Dos Protection, an attack needs to be suspicious first, before the detection criteria is applied. So what
this means:
IP Criteria:
An attacker comes in from ip:1.1.1.1 and sends 201 requests per second.
The ASM considers him suspicious, and applies the detection criteria against him.
If the latency to the servers has increased by 500% (based on historical polling), or latency has reached a certain ms
(higher than the minimum set) it will consider the IP an Attack and enter prevention.
This allows the ASM to more finely define what it considers a Dos. If you have a server farm with 10 gig pipes, 400
requests per second are not going to cause it an issue.
URL Criteria:
Consider for example large retailers. If Jungle.com/buy/checkout suddenly got 1200 requests per second, it would enter
the suspicious criteria. But, with large pipes to the server farm, the latency barely jumps ms. It's not an attack, just
hordes of shoppers trying to get that cyber monday deal.
Hope this helps
Josh