Learn F5 Technologies, Get Answers & Share Community Solutions Join DevCentral

Filter by:
  • Solution
  • Technology
Answers

L7 DoS Profile

I have what I think should be a couple of simple questions about L7 DoS profiles in ASM. I am running 11.5.3 HF2, and right now I have a couple of application configured with L7 DoS profiles doing TPS based detection and rate limiting for mitigation. It has been a while since these profiles were implemented I am looking to tune some of the settings and also use some of the new features that have been been put in place. I have read through the implementation guides, but there were a couple things I still wasn't real clear on.

  1. I see the settings for Escalation/De Escalation and it see that it for mitigation. So does that mean if I have Client Side Integrity and Rate Limiting turned on it will try the Integrity checks first for a period to mitigate and then proceed to rate limiting?

  2. In the Heavy URL protection I see there is auto detect. Can anyone tell me what it is using for criteria to detect Heavy URLs?

  3. This one is more experience based. Do you have a preference on Latency vs TPS based detection, and why?

Any help or advice is appreciated.

0
Rate this Question

Answers to this Question

placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

With respect to your first question, yes - all mitigation methods are tried sequentially - if the attack cannot be mitigated using the first method, ASM will move down the list of enabled mitigations.

For question #2, ASM tracks latency for all the URLs that traverse the policy. It uses a proprietary algorithm to compare latencies of individual URls across site-wide average latency and thus classify certain URLs as heavy based upon the URLs that frequently exhibit higher latency than others.

For question #3, I have always been a fan of latency-based approach as long as once knows what acceptable application latency is. TPS-only is great if you want to more proactively limit access to site/URLs above certain volume - but, typically, latency is the most accurate indicator of the backend application health and performance abilities.

0
Comments on this Answer
Comment made 12-Dec-2017 by Saddam ZEMMALI 108
0