A short-term average of recent requests per second (for a specific URL or from an IP address) that is updated every 10 seconds.
Note: The averages for IP address and URL counts are done for each site, that is, for each virtual server and associated DoS profile. If one virtual server has multiple DoS profiles (implemented using a local traffic policy), then each DoS profile has its own statistics within the context of the virtual server.
Transaction rate history interval
A longer-term average of requests per second (for a specific URL or from an IP address) calculated for the past hour that is updated every 10 seconds.
If the ratio of the transaction rate during the detection interval to the transaction rate during the history interval is greater than the percentage indicated in the TPS increased by setting, the system considers the web site to be under attack, or the URL, IP address, or geolocation to be suspicious. In addition, if the transaction rate during the detection interval is greater than the TPS reached setting (regardless of the history interval), then again, the respective URL, IP address, or geolocation is suspicious or the site is being attacked.
Note that TPS-based protection might detect a DoS attack simply because many users are trying to access the server all at once, such as during a busy time or when a new product comes out. In this case, the detected attack might be a false positive because the users are legitimate. But the advantage of TPS-based DoS protection is that attacks can be detected earlier than when using stress-based protection. So it is important to understand the typical maximum peak loads on your system when setting up DoS protection, and to use the methods that are best for your application.
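The two trigger conditions and the false-positive trade-off described above, as an added example (not the product's code and not part of the original text). The class and function names, the threshold values and the traffic counts are constructed for illustration; it assumes the history average excludes the window being judged and reads "TPS increased by" as the detection-to-history ratio expressed as a percentage, following the wording above.

```python
from collections import deque

UPDATE_SECONDS = 10                       # both averages are refreshed every 10 seconds
HISTORY_SAMPLES = 3600 // UPDATE_SECONDS  # one hour of 10-second samples


class TpsDetector:
    """Hypothetical tracker for one entity (URL, IP address or whole site)."""

    def __init__(self, tps_increased_by_pct, tps_reached):
        self.tps_increased_by_pct = tps_increased_by_pct
        self.tps_reached = tps_reached
        self.history = deque(maxlen=HISTORY_SAMPLES)

    def update(self, requests_in_window):
        """Take the request count of one 10-second window, return (verdict, rule)."""
        detection_tps = requests_in_window / UPDATE_SECONDS
        # Assumption: the history average excludes the window being judged.
        history_tps = sum(self.history) / len(self.history) if self.history else 0.0
        self.history.append(detection_tps)
        # Absolute rule: applies regardless of the history interval.
        if detection_tps > self.tps_reached:
            return ("suspicious", "tps_reached")
        # Relative rule: skipped while there is no non-zero baseline to compare with.
        if history_tps > 0 and detection_tps / history_tps * 100 > self.tps_increased_by_pct:
            return ("suspicious", "tps_increased_by")
        return ("ok", None)


def run(samples, tps_increased_by_pct, tps_reached):
    """Replay per-window request counts through a fresh detector."""
    detector = TpsDetector(tps_increased_by_pct, tps_reached)
    return [detector.update(count) for count in samples]


# Constructed traffic: 5 minutes at 20 TPS, then windows at 150 TPS and 300 TPS.
# A legitimate product-launch rush and an attack produce the same counts here.
BASELINE = [200] * 30
BURST = [1500, 3000]

if __name__ == "__main__":
    for label, settings in (("tight", (500, 200)), ("tuned to peak", (2000, 400))):
        verdicts = run(BASELINE + BURST, *settings)
        print(label, verdicts[-2:])
```

With the tighter settings both burst windows are flagged, one by each rule; with thresholds set above a known legitimate peak neither is, at the cost of later detection.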