Learn F5 Technologies, Get Answers & Share Community Solutions Join DevCentral

Filter by:
  • Solution
  • Technology
Answers

ASM DoS detection

Does it mean that DoS would be detected if requests per source IP reached to 200 per second? What's the significance of 40 tps here?

Image Text

0
Rate this Question

Answers to this Question

placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi f5rocks,

The ASM DoS feature measures the TPS every 10 seconds and calculates the average for the past hour.

DoS will be detected when an absolute TPS value of 200 is reached, but also when an absolute TPS value of 40 is reached AND an increase of 500% is detected.

Example:

  • Average TPS: 75 (for the past hour)
  • Last TPS measured: 600
  • TPS increased by: ((600 - 75) / 75) * 100 = 700%

Based on your screenshot DoS will be detected because TPS increased by 700% (> 500%) and absolute value is 600 TPS (> 40 TPS).

Leon

0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Thanks. But if last TPS is600, doesn't DoS will be detected immediately as it's higher than absolute threshold (200 TPS). My point was if both values come to same TPS rate (i.e increased TPS% or absolute Threshold) so not sure why two conditions are given. Also hope as name suggests these are for single source IP.

0