mm_pen_242283
Oct 26, 2016 Nimbostratus
DOS protection: Source-IP based
Hi experts.
I have a DOS profile activated with "source-ip based" checked under the Policy Prevention section. My understanding of the "source-IP" mode of operation is that ASM only starts observing this client (as a DOS candidate) after TPS reaches the "Minimum TPS Threshold for detection". And statistics are calculated for each unique source-IP (hitting a certain VS where the DOS policy is applied).
After reaching this threshold, ASM starts comparing the average detection interval with the history interval by dividing the two (for this same source-IP and not the overall VS statistics).
Is my understanding correct? I am kindly asking for your elaboration or an example of how ASM makes the decision on DOS blocking (per source-IP).
Regards,
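
The per-source-IP decision as the question describes it, modelled in an added example that is not part of the original post and is not F5's implementation. The threshold and interval values, the names `PerIpTpsModel` and `demo`, the choice to measure history over the window preceding the detection interval, and the treatment of a client with no history are all assumptions; the addresses are constructed documentation IPs.

```python
from collections import defaultdict

# Assumed values for illustration only (not taken from the post or a real profile).
MIN_TPS = 40           # stands in for "Minimum TPS Threshold for detection"
INCREASE_RATIO = 5.0   # detection average must be at least 5x the history average
DETECTION_SECS = 10    # short, recent window
HISTORY_SECS = 60      # longer baseline window


class PerIpTpsModel:
    """Toy model: every source IP has its own counters and its own baseline."""

    def __init__(self):
        # ip -> {second: number of requests seen in that second}
        self.counts = defaultdict(lambda: defaultdict(int))

    def record(self, ip, second, requests=1):
        self.counts[ip][second] += requests

    def _avg_tps(self, ip, end, span):
        per_sec = self.counts[ip]
        window = range(end - span + 1, end + 1)
        return sum(per_sec.get(s, 0) for s in window) / span

    def evaluate(self, ip, now):
        detection = self._avg_tps(ip, now, DETECTION_SECS)
        # Assumption: the baseline is the window that ends where detection begins.
        history = self._avg_tps(ip, now - DETECTION_SECS, HISTORY_SECS)
        if detection < MIN_TPS:
            return "ignored"      # below the minimum, the ratio is never consulted
        # Assumption: a fast client with no baseline at all counts as suspicious.
        if history == 0 or detection / history >= INCREASE_RATIO:
            return "suspicious"
        return "normal"


def demo():
    """Constructed traffic: 70 seconds, three clients hitting the same virtual server."""
    m = PerIpTpsModel()
    for s in range(70):
        m.record("198.51.100.7", s, 50)                  # heavy but steady
        m.record("203.0.113.9", s, 5 if s < 60 else 60)  # 12x burst above the minimum
        m.record("192.0.2.4", s, 2 if s < 60 else 20)    # 10x burst below the minimum
    return {ip: m.evaluate(ip, 69) for ip in list(m.counts)}
```

Under this model the steady 50 TPS client is never flagged because its own ratio stays at 1, and the 10x burst that peaks at 20 TPS is never evaluated because it stays under the minimum.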