PingIntelligence

ASE DoS and DDoS protection

ASE (API Security Enforcer) flow control protects backend API servers from unplanned or malicious surges in API traffic, such as a DDoS attack. Flow control combines client-side and backend-server traffic controls at the API level to protect REST and WebSocket API servers.

Protection for REST APIs

  • Client Rate Limiting – Protects against abnormally high traffic volumes from any single client (for example, a Denial-of-Service (DoS) attack). By limiting the rate of inbound requests from each REST API client, client rate limiting prevents one client from overloading an API server.

  • Aggregate Server TCP Connection Limits – Prevents server overload from too many concurrent TCP connections across a single ASE node or a cluster of ASE nodes. Restricts the total number of TCP connections allowed from the whole cluster of ASE nodes to a specific API on each server.

  • Aggregate Server HTTP Request Limits – Prevents REST API server overload from too many concurrent HTTP requests across a single ASE node or a cluster of ASE nodes. Unlike traditional per-node flow control, this implementation protects a REST API server from the aggregate client traffic of the whole cluster of ASE nodes (for example, traffic load bursts or Distributed Denial-of-Service (DDoS) attacks), so the limit cannot be bypassed by spreading the load across nodes.

  • Client Request Queuing – Queues REST API session requests when the backend servers are busy and retries them when capacity becomes available.

Protection for WebSocket APIs

  • Client Rate Limiting – Protects against abnormally high traffic volumes from any single client (for example, a Denial-of-Service (DoS) attack). By controlling each client's HTTP request rate and WebSocket traffic volume, rate limiting prevents one client from overloading an API server.

  • Aggregate Server Connection Limits – Prevents server overload from too many simultaneous session connections across a single ASE node or a cluster of ASE nodes. Restricts the total number of WebSocket sessions allowed from the whole cluster of ASE nodes to a specific API on each server.

  • Outbound Rate Limiting – Protects against abnormally high traffic volumes sent to a client. By capping the outbound traffic volume to each WebSocket client, outbound rate limiting limits how quickly data can be pulled from the API, which protects against bulk data exfiltration over a WebSocket session.

The following table lists the control functions that apply to each protocol ("Yes" means the control is available for that protocol; "-NA-" means it does not apply):

Control function             REST API (HTTP/HTTPS)   WebSocket and Secure WebSocket
Client Spike Threshold       Yes                     Yes
Server Connection Quota      Yes                     Yes
Server Connection Queuing    Yes                     Yes
Server Spike Threshold       Yes                     -NA-
Bytes-in Threshold           -NA-                    Yes
Bytes-out Threshold          -NA-                    Yes
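The following Python model is an added illustration of how the six control functions in the lists and the table above fit together; it is not PingIntelligence or ASE code, and the threshold values, node names (ase-1, ase-2), client and server names, and the convention that a threshold of 0 disables a control are all constructed for the example. The point it makes that the prose alone does not show is the ordering of the checks and why the server-side counters must be shared across ASE nodes: the per-client spike counter, the per-server spike counter and the connection quota are keyed on the client or the backend server, never on the node, so a client that spreads a burst over two nodes still hits the same limits. In a real cluster that shared state would have to be replicated between nodes; here one process stands in for the cluster.

```python
"""Reference model of ASE flow control (added example, not product code).

Thresholds are per second; 0 disables a control (assumption for this model).
"""
from collections import defaultdict, deque


class Clock:
    """Injectable clock so the simulation is deterministic."""
    def __init__(self):
        self.now = 0.0

    def advance(self, seconds):
        self.now += seconds


class PerSecondCounter:
    """Fixed one-second window counter keyed by an arbitrary hashable key."""
    def __init__(self, clock):
        self.clock = clock
        self.windows = {}  # key -> (window start second, count in that window)

    def hit(self, key, amount=1):
        sec = int(self.clock.now)
        start, count = self.windows.get(key, (sec, 0))
        if start != sec:            # new second: the old window is discarded
            start, count = sec, 0
        count += amount
        self.windows[key] = (start, count)
        return count


class ClusterFlowControl:
    """Applies the controls in the order a request meets them.

    Every counter is keyed on the client or the backend server, not on the
    ASE node, which is what makes the server-side limits aggregate.
    """
    def __init__(self, clock, client_spike=0, server_spike=0, server_quota=0,
                 queueing=False, bytes_in=0, bytes_out=0):
        self.counter = PerSecondCounter(clock)
        self.client_spike, self.server_spike = client_spike, server_spike
        self.server_quota, self.queueing = server_quota, queueing
        self.bytes_in, self.bytes_out = bytes_in, bytes_out
        self.active = defaultdict(int)    # server -> open connections, all nodes
        self.queue = defaultdict(deque)   # server -> waiting (node, client) pairs

    def on_request(self, node, client, server):
        # Client Spike Threshold: one client's request rate, whichever node it hits.
        if self.client_spike and self.counter.hit(("client", client)) > self.client_spike:
            return "client_rate_limited"
        # Server Spike Threshold (REST only): aggregate request rate to one server.
        if self.server_spike and self.counter.hit(("server", server)) > self.server_spike:
            return "server_spike_rejected"
        # Server Connection Quota: aggregate concurrent connections to one server.
        if self.server_quota and self.active[server] >= self.server_quota:
            if self.queueing:             # Server Connection Queuing
                self.queue[server].append((node, client))
                return "queued"
            return "quota_rejected"
        self.active[server] += 1
        return "forwarded"

    def on_complete(self, server):
        """A backend connection closed; retry the oldest queued request, if any."""
        self.active[server] -= 1
        if self.queue[server]:
            node, client = self.queue[server].popleft()
            self.active[server] += 1
            return ("retried", node, client)
        return None

    def on_ws_frame(self, session, direction, nbytes):
        """Bytes-in / Bytes-out Threshold for one WebSocket session."""
        limit = self.bytes_in if direction == "in" else self.bytes_out
        if limit and self.counter.hit(("ws", session, direction), nbytes) > limit:
            return "bytes_%s_limited" % direction
        return "ok"


def simulate():
    """Constructed scenario: one client bursts across two nodes, plus a chatty socket."""
    clock = Clock()
    fc = ClusterFlowControl(clock, client_spike=3, server_spike=10,
                            server_quota=2, queueing=True,
                            bytes_in=1000, bytes_out=500)
    burst = [fc.on_request(node, "client-A", "api-srv-1")
             for node in ("ase-1", "ase-2", "ase-1", "ase-2")]
    retry = fc.on_complete("api-srv-1")   # frees a slot, retries the queued request
    clock.advance(1.0)                    # a new second resets the spike windows only
    after_window = fc.on_request("ase-1", "client-A", "api-srv-1")
    frames = [fc.on_ws_frame("sess-7", "in", 600), fc.on_ws_frame("sess-7", "in", 600),
              fc.on_ws_frame("sess-7", "out", 400)]
    return {"burst": burst, "retry": retry, "after_window": after_window,
            "frames": frames, "active": fc.active["api-srv-1"]}


if __name__ == "__main__":
    for name, value in simulate().items():
        print(name, value)
```

In the scenario, the client's third request is queued because the two-connection quota is full, and its fourth is rejected by the client spike threshold before the server-side counters are even consulted. When a backend connection closes, the queued request is retried and the quota stays saturated; after the spike windows roll over the client is again under its rate limit, but the aggregate quota still holds the new request in the queue, which is the behaviour a burst across several ASE nodes should see.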