Forum Discussion
L7 DoS Profile
I have what I think should be a couple of simple questions about L7 DoS profiles in ASM. I am running 11.5.3 HF2, and right now I have a couple of application configured with L7 DoS profiles doing TPS based detection and rate limiting for mitigation. It has been a while since these profiles were implemented I am looking to tune some of the settings and also use some of the new features that have been been put in place. I have read through the implementation guides, but there were a couple things I still wasn't real clear on.
-
I see the settings for Escalation/De Escalation and it see that it for mitigation. So does that mean if I have Client Side Integrity and Rate Limiting turned on it will try the Integrity checks first for a period to mitigate and then proceed to rate limiting?
-
In the Heavy URL protection I see there is auto detect. Can anyone tell me what it is using for criteria to detect Heavy URLs?
-
This one is more experience based. Do you have a preference on Latency vs TPS based detection, and why?
Any help or advice is appreciated.
With respect to your first question, yes - all mitigation methods are tried sequentially - if the attack cannot be mitigated using the first method, ASM will move down the list of enabled mitigations.
For question 2, ASM tracks latency for all the URLs that traverse the policy. It uses a proprietary algorithm to compare latencies of individual URls across site-wide average latency and thus classify certain URLs as heavy based upon the URLs that frequently exhibit higher latency than others.
For question 3, I have always been a fan of latency-based approach as long as once knows what acceptable application latency is. TPS-only is great if you want to more proactively limit access to site/URLs above certain volume - but, typically, latency is the most accurate indicator of the backend application health and performance abilities.
- Saddam_ZEMMALI_Nimbostratus
- Michael_KoyfmanCirrocumulus
With respect to your first question, yes - all mitigation methods are tried sequentially - if the attack cannot be mitigated using the first method, ASM will move down the list of enabled mitigations.
For question 2, ASM tracks latency for all the URLs that traverse the policy. It uses a proprietary algorithm to compare latencies of individual URls across site-wide average latency and thus classify certain URLs as heavy based upon the URLs that frequently exhibit higher latency than others.
For question 3, I have always been a fan of latency-based approach as long as once knows what acceptable application latency is. TPS-only is great if you want to more proactively limit access to site/URLs above certain volume - but, typically, latency is the most accurate indicator of the backend application health and performance abilities.
- Saddam_ZEMMALI_Nimbostratus
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com