Forum Discussion

Aslam_Patel
Sep 11, 2020

AWAF DDOS Profile

What is your AWAF/ASM DDoS profile? Have you enabled both TPS and Behavioural detection? Are you using auto or manual Threshold mode? Are profiles created in Common or an app partition? Can you please share your experience or best-practice advice? Thanks

2 Replies

  • Regarding the DoS protection profile, recommended practices will depend on your security needs and understanding of your own traffic flows. Your first question involves collecting metrics which is the first step in the general flow of DoS protection. The goal is to identify bots and other suspicious clients based either on client-side transactions (HTTP requests) per second or on server stress (latency). For TPS, Advanced WAF can automatically set minimum and maximum transaction rates for Source IP, Device ID, Geolocation, URL, and site-wide sources. This is done by calculating a relative threshold for monitored traffic. Two data points are used to determine baseline activity: The first is the Transaction rate history interval which is the average number of requests per second sent. This number is the average number of transactions for the past hour, and is updated every 10 seconds. The second is the Transaction rate detection interval which is the average number of requests per second sent. This is the TPS value that triggers the attack mitigation. This value is calculated every 10 seconds. In most cases, the default values are accurate. If you have extensive knowledge of normal and abnormal traffic patterns then you can easily set your own values. The challenge in setting an accurate threshold for Device ID, Source IP and URL is that in each application there are different entities functioning at different rates of request-per-second traffic. For example, there may be a few URLs that receive a lot of traffic, but many of these might be accessed only once. A threshold that is good for a resource-intensive URL is lower than a less resource-intensive or “heavy” URL.

    Persistent attackers will adjust tools, targets, sources, and attack volume to defeat static DoS defenses. Behavioral analysis protects the server from the first moment of the attack and then analyzes the attack tools, sources, and patterns to refine mitigations. Advanced WAF tracks and learns hundreds of request parameters before characterizing and then mitigating offending traffic. Behavioral DoS mitigation starts when server latency is detected and is not based on excess traffic only.

    The DoS protection profile is assigned to a virtual server regardless of which partition the virtual server object resides in.
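To make the two-interval TPS scheme in the reply concrete (an hour-long history baseline and a 10-second detection interval, both recomputed every 10 seconds), here is a small simulation. It is an added example, not F5 code and not the product's actual detection algorithm: the 20 rps floor, 1000 rps ceiling and 500% relative increase are assumed parameters (the reply only says the product sets minimum and maximum rates automatically), and both traffic traces are constructed. It also shows the low-traffic case the reply raises: a rarely requested URL whose rate jumps many-fold still stays under the absolute floor, which is what keeps such entities from generating noise.

```python
from collections import deque
from dataclasses import dataclass

# Figures taken from the reply: the history interval averages the past hour,
# and both intervals are recomputed every 10 seconds.
HISTORY_SECONDS = 3600
INTERVAL_SECONDS = 10


@dataclass
class Verdict:
    second: int            # trace time at which the check ran
    baseline_tps: float    # average over the trailing history interval
    detection_tps: float   # average over the trailing detection interval
    attack: bool


class RelativeTpsDetector:
    """Two-window, per-entity (URL, Source IP, ...) TPS detector.

    An attack is declared when the detection-interval rate reaches the
    absolute ceiling (max_tps), or when it clears the absolute floor
    (min_tps) *and* exceeds the baseline by pct_increase percent.  The
    floor, ceiling and percentage are assumed for this illustration; they
    are not vendor defaults.
    """

    def __init__(self, min_tps=20.0, max_tps=1000.0, pct_increase=500.0):
        self.min_tps = min_tps
        self.max_tps = max_tps
        self.ratio = 1.0 + pct_increase / 100.0
        self.history = deque()      # per-second counts, at most HISTORY_SECONDS
        self.history_sum = 0
        self.second = 0

    def observe(self, count):
        """Feed one second's request count. Returns a Verdict on every 10th
        second (a detection-interval boundary), otherwise None."""
        self.history.append(count)
        self.history_sum += count
        if len(self.history) > HISTORY_SECONDS:
            self.history_sum -= self.history.popleft()
        self.second += 1
        if self.second % INTERVAL_SECONDS:
            return None
        baseline = self.history_sum / len(self.history)
        recent = list(self.history)[-INTERVAL_SECONDS:]
        detection = sum(recent) / INTERVAL_SECONDS
        relative_hit = detection >= self.min_tps and detection > baseline * self.ratio
        attack = detection >= self.max_tps or relative_hit
        return Verdict(self.second, baseline, detection, attack)


def attack_windows(counts, **kwargs):
    """Run a per-second count trace through the detector and return the
    seconds at which an attack verdict was raised."""
    det = RelativeTpsDetector(**kwargs)
    flagged = []
    for c in counts:
        v = det.observe(c)
        if v is not None and v.attack:
            flagged.append(v.second)
    return flagged


def build_trace(normal_seconds=600, spike_seconds=30, spike_tps=120, tail_seconds=60):
    """Constructed trace for a busy URL: values 8..12 rps (mean exactly 10),
    a flat spike, then a return to normal."""
    normal = [8 + (t % 5) for t in range(normal_seconds)]
    spike = [spike_tps] * spike_seconds
    start = normal_seconds + spike_seconds
    tail = [8 + (t % 5) for t in range(start, start + tail_seconds)]
    return normal + spike + tail


# Constructed trace for a rarely requested URL: 1 rps that jumps to 18 rps.
# Relative to its baseline that is an 18x jump, but it never clears the
# 20 rps floor, so the detector stays quiet.
QUIET_URL_TRACE = [1] * 600 + [18] * 30

if __name__ == "__main__":
    print("busy URL flagged at seconds:", attack_windows(build_trace()))    # [610, 620, 630]
    print("quiet URL flagged at seconds:", attack_windows(QUIET_URL_TRACE))  # []
```

Because the baseline is an hour-long average, ten seconds of 120 rps barely moves it (from 10.0 to about 11.8 rps), so the relative check still trips; lowering `min_tps` to 5 makes the quiet URL's jump count as well, which is the trade-off the reply describes between heavy and rarely hit URLs.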