Forum Discussion
ASM URL based rate limitation rates.
Please explain diff parameters used in Anomaly detection in ASM.
TPS increased by, TPS reached and Min TPS threshold. Are these parameters dependent on each other? Is history data relevant here? We did some tests to set the rates. During our testing we came across that unless we keep “TPS Increased by” to around 1000%, the history data kicks in and all traffic gets throttled.
What should be the idle rates for these. Lets suppose one of the application is getting genuine 5 requests/sec. We set rates to 1000%, 10 and 5 for TPS increased rate, TPS reched and Min TPS as of now.
- spalandeNacreous
We had set rates to 1000%, 10 and 5 for URL based limiting for TPS %, TPS reached and TPS min. During testing we sent 12tps/sec for 10 min and found with below results. after 1 min – F5 started request block till 1 min all the requests are processed. 2.In 10min duration , more number of request are rejected – Total request pumped is – 7250 Number of request rejected is – 3207(ideally it should reject 1200 request)
is this normal behaviour? Why F5 is rejecting more connections and why policy is getting triggered after 1 min. Pls help
- spalandeNacreous
Any ASM expert here? Pls respond!
- spalandeNacreous
Unfortunately no satisfactory answers. Only got response whatever information is there in ASM guidelines. They are seeing no unexpected behavior seen.
We had set below rates for URL based anomaly detection
TPS increased by 1000 % TPS reached 10 transactions per second Minimum TPS Threshold for detection 5 transactions per second
Queries are - 1) If requests are coming at 9 or 10 TPS rate, will those get throttled? 2) During our testing we pumped the request at 12 TPS rate, shouldn't F5 reject 2 req/Sec with above settings? 3) Tests shows if 12 TPS rate traffic is coming, 50% of requests get throttled? aren't these numbers crazy? Shouldn't F5 reject only 16% of traffic here?
- ltwagnonRet. Employee
I wrote an article a few months ago that outlined some of the concepts behind anomaly detection (session opening and session transaction). It includes a discussion on several things including TPS, min thresholds, etc. Here's the link to the article: https://devcentral.f5.com/articles/these-are-not-the-scrapes-youre-looking-for-session-anomalies.UmBMTLEo7IU
Let me know if this helps...if you need more info, I can dig into it a little more for you.
Thanks! John
- Dmitry_ShermanNimbostratus
Looks like all traffic is being throttled when an attack detected with "URL rate limiting" mitigation method enabled.
Logically only the violated IP should be limited. Or am I missing something?
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com