I have what I think should be a couple of simple questions about L7 DoS profiles in ASM. I am running 11.5.3 HF2, and right now I have a couple of applications configured with L7 DoS profiles doing TPS-based detection and rate limiting for mitigation. It has been a while since these profiles were implemented, and I am looking to tune some of the settings and also use some of the new features that have been put in place. I have read through the implementation guides, but there were a couple of things I still wasn't really clear on.
1. I see the settings for Escalation/De-escalation and I see that it is for mitigation. So does that mean if I have Client Side Integrity and Rate Limiting turned on it will try the Integrity checks first for a period to mitigate and then proceed to rate limiting?
2. In the Heavy URL protection I see there is auto detect. Can anyone tell me what criteria it is using to detect Heavy URLs?
3. This one is more experience based. Do you have a preference on Latency vs. TPS-based detection, and why?
Any help or advice is appreciated.
With respect to your first question, yes - all mitigation methods are tried sequentially - if the attack cannot be mitigated using the first method, ASM will move down the list of enabled mitigations.
For question #2, ASM tracks latency for all the URLs that traverse the policy. It uses a proprietary algorithm to compare the latencies of individual URLs against the site-wide average latency and thus classifies certain URLs as heavy based upon which URLs frequently exhibit higher latency than others.
For question #3, I have always been a fan of the latency-based approach, as long as one knows what acceptable application latency is. TPS-only is great if you want to more proactively limit access to a site/URLs above a certain volume - but, typically, latency is the most accurate indicator of the backend application's health and performance abilities.
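To make the idea behind the answer to question #2 concrete, here is an added illustration (not F5's code and not ASM's proprietary algorithm) of comparing each URL's latency against the site-wide average over a constructed sample of access records; the ratio, minimum-hit and frequency thresholds are assumptions chosen for the example.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample of (url, latency_ms) pairs standing in for a short
# window of access-log records. Not real traffic; values are made up.
SAMPLE_LOG = [
    ("/index.html", 40), ("/index.html", 55), ("/index.html", 48),
    ("/api/search", 900), ("/api/search", 1200), ("/api/search", 1050),
    ("/static/app.js", 20), ("/static/app.js", 25),
    ("/report/export", 3000), ("/report/export", 2800),
    ("/login", 120), ("/login", 95),
    ("/health", 5000),  # single slow outlier: one hit should not make it "heavy"
]


def group_by_url(records):
    """Group latency samples by URL."""
    by_url = defaultdict(list)
    for url, ms in records:
        by_url[url].append(ms)
    return by_url


def per_url_latency(records):
    """Mean latency per URL, in ms."""
    return {url: mean(samples) for url, samples in group_by_url(records).items()}


def heavy_url_candidates(records, ratio=2.0, min_hits=2, frequency=0.8):
    """Return sorted URLs that look heavy relative to the site-wide average.

    A URL qualifies when it was requested at least `min_hits` times, its mean
    latency exceeds `ratio` times the site-wide mean, and at least `frequency`
    of its own requests individually exceeded the site-wide mean, so that a
    single slow outlier does not flag an otherwise fast URL.
    """
    if not records:
        return []
    site_mean = mean(ms for _, ms in records)
    heavy = []
    for url, samples in group_by_url(records).items():
        if len(samples) < min_hits:
            continue
        slow_share = sum(ms > site_mean for ms in samples) / len(samples)
        if mean(samples) > ratio * site_mean and slow_share >= frequency:
            heavy.append(url)
    return sorted(heavy)


if __name__ == "__main__":
    print("site-wide mean latency (ms):", round(mean(ms for _, ms in SAMPLE_LOG), 1))
    print("heavy URL candidates:", heavy_url_candidates(SAMPLE_LOG))
```

Relaxing the thresholds (for example `min_hits=1`) pulls the one-hit `/health` outlier into the candidate list, which is why a tuning pass should look at request counts alongside the latency ratio.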