For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

PowerShellDon_1's avatar
PowerShellDon_1
Icon for Nimbostratus rankNimbostratus
Oct 11, 2017

Rate limiting - one req per second?

Using ASM - DoS or iRules is it possible to limit one request per second per session? We've had pen testers in the past manage to send 200 requests simultaneously using Burp Sniper multi threaded to...
application delivery
ASM Advanced WAF
iRules
security
Simon_Blakely's avatar
Simon_Blakely
Icon for Employee rankEmployee
Oct 15, 2017

With ASM or AFM you can use Dos Profile settings...

Security ›› DoS Protection : DoS Profiles ›› Create New DoS Profile...

 Application Security ›› TPS-based DoS Detection
    TPS reached:  xxx transactions per second

You will need to experiment to determine appropriate values for these settings. If you enable DeviceID in your ASM policy, the client must support Javascript, and may be blocked if it does not do so (even for a policy in Alarm only or Transparent mode). You should also establish a baseline of acceptable traffic levels before trying to exceed TPS detection.

ASM Webscraping protection may also be of value ...

Security ›› Application Security : Anomaly Detection : Web Scraping