How the ASM responds to a DoS attack depends on the Prevention Policy configuration:
- If you select 'Source IP-Based Rate Limiting', then only offending IP addresses are affected.
- If you select 'Source IP-Based Client-Side Integrity Defense', then offending IP addresses will have their connections evaluated.
Choosing either of the two methods above will allow you to configure the IP Detection Criteria values.
- If you select 'URL-Based Rate Limiting', then all connections made to a particular URL will be affected, including both normal and exploit-related traffic.
- If you select 'URL-Based Client-Side Integrity Defense', then all connections to a particular URL will be evaluated, presumably affecting only those sessions coming from bots/scripts.
Choosing either of the two methods above will allow you to configure the URL Detection Criteria values.
'URL-Based Client-Side Integrity Defense' is your best choice if you are looking for Distributed DoS protection.
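
The scoping difference between the source-IP-based and URL-based methods, as an added example (a simplified model, not F5 code or ASM configuration). The thresholds, addresses and the `/login` URL are constructed for illustration and are not ASM's actual detection criteria values.

```python
from collections import Counter

# Hypothetical per-second thresholds; stand-ins for the IP/URL Detection Criteria.
IP_TPS_LIMIT = 20
URL_TPS_LIMIT = 100

def build_window(attackers, reqs_per_attacker, legit_clients, url="/login"):
    """Constructed one-second window of (source_ip, url) requests."""
    window = [(f"10.0.{i // 256}.{i % 256}", url)
              for i in range(attackers) for _ in range(reqs_per_attacker)]
    window += [(f"192.168.1.{i}", url) for i in range(legit_clients)]
    return window

def offending_ips(window):
    per_ip = Counter(ip for ip, _ in window)
    return {ip for ip, n in per_ip.items() if n > IP_TPS_LIMIT}

def offending_urls(window):
    per_url = Counter(u for _, u in window)
    return {u for u, n in per_url.items() if n > URL_TPS_LIMIT}

def affected(window, scope):
    """Return (attack_requests, legit_requests) that fall inside the policy's scope."""
    bad_ips, bad_urls = offending_ips(window), offending_urls(window)
    hit = [(ip, u) for ip, u in window
           if (scope == "ip" and ip in bad_ips) or (scope == "url" and u in bad_urls)]
    attack = sum(1 for ip, _ in hit if ip.startswith("10.0."))
    return attack, len(hit) - attack

# Same total load (500 attack + 30 legitimate requests), different distribution.
single = build_window(attackers=1, reqs_per_attacker=500, legit_clients=30)
distributed = build_window(attackers=250, reqs_per_attacker=2, legit_clients=30)

if __name__ == "__main__":
    for name, w in (("single-source", single), ("distributed", distributed)):
        print(name, "ip-scope:", affected(w, "ip"), "url-scope:", affected(w, "url"))
```

In the distributed case no single address crosses the per-IP threshold, so the source-IP scope catches nothing, while the URL scope covers every request to the URL, legitimate ones included. Evaluating that URL-wide scope instead of rate limiting it is what the client-side integrity option does.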