ASM URL based rate limitation rates.

We had set rates to 1000%, 10 and 5 for URL based limiting for TPS %, TPS reached and TPS min. During testing we sent 12tps/sec for 10 min and found with below results. after 1 min – F5 started request block till 1 min all the requests are processed. 2.In 10min duration , more number of request are rejected – Total request pumped is – 7250 Number of request rejected is – 3207(ideally it should reject 1200 request)

is this normal behaviour? Why F5 is rejecting more connections and why policy is getting triggered after 1 min. Pls help

Any ASM expert here? Pls respond!

Unfortunately no satisfactory answers. Only got response whatever information is there in ASM guidelines. They are seeing no unexpected behavior seen.

We had set below rates for URL based anomaly detection

TPS increased by 1000 % TPS reached 10 transactions per second Minimum TPS Threshold for detection 5 transactions per second

Queries are - 1) If requests are coming at 9 or 10 TPS rate, will those get throttled? 2) During our testing we pumped the request at 12 TPS rate, shouldn't F5 reject 2 req/Sec with above settings? 3) Tests shows if 12 TPS rate traffic is coming, 50% of requests get throttled? aren't these numbers crazy? Shouldn't F5 reject only 16% of traffic here?

I wrote an article a few months ago that outlined some of the concepts behind anomaly detection (session opening and session transaction). It includes a discussion on several things including TPS, min thresholds, etc. Here's the link to the article: https://devcentral.f5.com/articles/these-are-not-the-scrapes-youre-looking-for-session-anomalies.UmBMTLEo7IU

Let me know if this helps...if you need more info, I can dig into it a little more for you.

Thanks! John

Looks like all traffic is being throttled when an attack detected with "URL rate limiting" mitigation method enabled.

Logically only the violated IP should be limited. Or am I missing something?