Forum Discussion
ASM L7 DoS email alert
- Jun 28, 2023
Hi Nishal_Rai ,
For your inquiry about how BIG-IP AWAF L7 DDoS uses rate-limit prevention...
Well,
First you have two concepts >>> Detection interval & Historical interval
Detection interval >>> Avg of TPS in the last 10 sec
Historical interval >>> Avg of TPS in the last 1 hour (which should be the legitimate TPS)
Both intervals are updated every 10 sec.
BIG-IP rate-limits by using a simple equation: (Historical interval TPS + Configured threshold) / 2
For Example :
If you configured the absolute threshold >> 200 TPS (like the diagram you have sent above),
and let's assume the historical interval (AVG TPS within the hour) >>> 100 TPS,
so BIG-IP will rate-limit to 150 TPS.
BIG-IP will rate-limit if the TPS exceeded the absolute threshold, or if the (Relative threshold + at least TPS) is violated.
> btw, you can review it from the logs: when the attack started you can observe the limit which BIG-IP used when this attack started.
What is the rate-limit mechanism? I have tested it before, I will tell you my findings >>>
You have an option to record traffic in your AWAF DDoS profile; BIG-IP starts to record traffic (taking a tcpdump).
While looking at the recorded packet capture (when the attack started) you will find much traffic receiving RST packets from BIG-IP and some samples receiving normal responses (200 OK). Therefore when using (Rate-limit) as a prevention method >>> much traffic will be reset from the BIG-IP IP while some of these requests will pass through BIG-IP normally.
The key difference between (Block All and Rate limit) >>> Block All will show you in the recorded packet capture file when the attack starts >> all traffic from the specific source is reset (RST flag enabled), no traffic passes through BIG-IP; on the other hand (Rate-limit) works like I described above.
Let me know if you have further queries, I will be happy to think with you ^_^
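To make the two intervals and the limit formula from the reply above concrete, here is an added toy model (not F5 code, and not from the post): it feeds one sample per 10-second update, keeps a one-hour window of detection-interval TPS as the historical interval, and applies (historical TPS + configured threshold) / 2. Treating the detection TPS crossing the absolute threshold as the trigger, and seeding an empty history with the first sample, are assumptions of this model.

```python
from collections import deque

DETECTION_WINDOW_S = 10    # detection interval: avg TPS over the last 10 s
HISTORY_WINDOW_S = 3600    # historical interval: avg TPS over the last hour
UPDATE_PERIOD_S = 10       # both intervals are refreshed every 10 s


def rate_limit(historical_tps: float, configured_threshold: float) -> float:
    """Limit the post describes: (historical TPS + configured threshold) / 2."""
    return (historical_tps + configured_threshold) / 2


class L7RateLimitModel:
    """Constructed model: call observe() once per 10 s update with the
    transaction count seen in that detection interval."""

    def __init__(self, absolute_threshold: float):
        self.absolute_threshold = absolute_threshold
        # 360 samples of 10 s each = the 1 h historical interval
        self.history = deque(maxlen=HISTORY_WINDOW_S // UPDATE_PERIOD_S)

    def observe(self, transactions_in_last_10s: int) -> dict:
        detection_tps = transactions_in_last_10s / DETECTION_WINDOW_S
        # Historical average is taken from samples before this update;
        # an empty history is seeded with the current sample (assumption).
        historical_tps = (sum(self.history) / len(self.history)
                          if self.history else detection_tps)
        limit = rate_limit(historical_tps, self.absolute_threshold)
        # Assumption: mitigation starts once the detection TPS crosses the
        # absolute threshold; excess above the limit is what would be reset.
        mitigate = detection_tps > self.absolute_threshold
        self.history.append(detection_tps)
        return {
            "detection_tps": detection_tps,
            "historical_tps": historical_tps,
            "limit_tps": limit,
            "mitigate": mitigate,
            "excess_tps": max(0.0, detection_tps - limit) if mitigate else 0.0,
        }


def example_scenario() -> dict:
    """One hour of steady 100 TPS, then a burst of 300 TPS with a 200 TPS threshold."""
    model = L7RateLimitModel(absolute_threshold=200)
    for _ in range(HISTORY_WINDOW_S // UPDATE_PERIOD_S):
        model.observe(1000)          # 1000 transactions per 10 s = 100 TPS
    return model.observe(3000)       # 3000 per 10 s = 300 TPS burst
```

With the post's numbers the scenario yields a 150 TPS limit and flags mitigation, with 150 TPS of excess above the limit.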
The current running version of the F5 BIG-IP is BIG-IP 17.1.0.1 Build 0.0.4 Point Release 1
I have attached the iRule on the virtual server before:
Also, just in case, enable the ASM Normal mode for iRules in the ASM policy if it does not work.
I even tried that, but the same result: no dosl7d logs in the ltm log.
Regarding the dos logs:
on the /var/log/ltm
Still, better to forward the logs to a SIEM or BIG-IQ DCD and from there send the email.
Both of these addressed solutions are not present with us right now, so I'm looking for a workaround.
I hope you understand.
Better test this on 16.1.3.5. Why use 17.1 as it is still not stable?
As a test workaround you can create a publisher for the logging profile that has local-syslog as a destination and a fake remote destination, and use it under the Security logging profile. Also enable the option in https://my.f5.com/manage/s/article/K03912652 (K03912652: Enable Log Publisher to log when a logging destination becomes unavailable).
Outside of that, test 16.1.3.5 as mentioned, and if it works open a support case with F5 TAC as they deal with such issues.