F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

InfoSec_38553's avatar
InfoSec_38553
Icon for Nimbostratus rankNimbostratus
Nov 26, 2011

ASM DoS attack - Latency options

Hi all,     I want to make sure if I'm understanding well Latency-based options in ASM.     There is Suspicious Criteria, IP Detection Criteria and URL Detection Criteria....
app sec
BIG-IP Access Policy Manager (APM)
security
jwham20's avatar
jwham20
Icon for Nimbostratus rankNimbostratus
Nov 29, 2011
For Latency Based Dos Protection, an attack needs to be suspicious first, before the detection criteria is applied. So what

 

this means:

 

 

IP Criteria:

 

An attacker comes in from ip:1.1.1.1 and sends 201 requests per second.

 

The ASM considers him suspicious, and applies the detection criteria against him.

 

If the latency to the servers has increased by 500% (based on historical polling), or latency has reached a certain ms

 

(higher than the minimum set) it will consider the IP an Attack and enter prevention.

 

 

This allows the ASM to more finely define what it considers a Dos. If you have a server farm with 10 gig pipes, 400

 

requests per second are not going to cause it an issue.

 

 

URL Criteria:

 

Consider for example large retailers. If Jungle.com/buy/checkout suddenly got 1200 requests per second, it would enter

 

the suspicious criteria. But, with large pipes to the server farm, the latency barely jumps ms. It's not an attack, just

 

hordes of shoppers trying to get that cyber monday deal.

 

 

Hope this helps

 

 

Josh