Forum Discussion
DoS Profile - URL Detection criteria question
Hello,
My question is related to the way the F5 detects a DoS when we use the URL detection criteria under the TPS-based anomaly. When calculating the TPS, does it have into account the source IP or it just adds the total of requests for the same URL? From my understanding, if the engine sums all the requests for a URL and the thresholds are reached, then it will start blocking not only the attacker but also legitimate traffic, is this the expected behaviour?
On the other hand, how does the DoS engine detect that an attack has finished?
Thanks.
1 Reply
- Richard__HarlanHistoric F5 AccountWhat I think is happening is the http::retry is causing a new LB choice to be made. The selection of the pool is happening before the HTTP::retry, so when it run it goes to the end of the iRule and then falls through to the default pool.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com