In order to mitigate highly distributed DoS attacks, such as those instigated using

large scale botnets

attacking multiple URLs, you can specify when to use site-wide mitigation in a DoS
profile. You can
configure site-wide mitigation for either TPS-based or stress-based DoS protection.
In this case, the
whole site can be considered suspicious as opposed to a particular URL or IP
address. Site-wide
mitigation goes into effect when the system determines that the whole site is
experiencing high-volume
traffic but is not able to pinpoint and handle the problem.
The system implements site-wide mitigation method only as a last resort because it
may cause the system
to drop legitimate requests. However, it maintains, at least partially, the
availability of the web site, even
when it is under attack. When the system applies site-wide mitigation, it is
because all other active
detection methods were unable to stop the attack.
The whole site is considered suspicious when configured thresholds are crossed, and
in parallel, specific
IP addresses and URLs could also be found to be suspicious. The mitigation
continues until the
maximum duration elapses or when the whole site stops being suspicious. That is,
there are no suspicious
URLs, no suspicious IP addresses, and the whole site is no longer suspicious