---
title: ASE DoS and DDoS protection
description: Application Security Enforcer (ASE) flow control ensures that backend application programming interface (API) servers are protected from unplanned or malicious (for example, DDoS) surges in API traffic. Flow control combines client and backend server traffic control at an API level to protect REST and WebSocket API servers.
component: pingintelligence
version: 5.2
page_id: pingintelligence:pingintelligence_reference_guide:pingintelligence_ase_dos_ddos_protection
canonical_url: https://docs.pingidentity.com/pingintelligence/5.2/pingintelligence_reference_guide/pingintelligence_ase_dos_ddos_protection.html
revdate: April 3, 2024
section_ids:
  protection-for-rest-apis: Protection for REST APIs
  protection-for-websocket-apis: Protection for WebSocket APIs
---

# ASE DoS and DDoS protection

Application Security Enforcer (ASE) flow control ensures that backend application programming interface (API) servers are protected from unplanned or malicious (for example, DDoS) surges in API traffic. Flow control combines client and backend server traffic control at an API level to protect REST and WebSocket API servers.

## Protection for REST APIs

* Client Rate Limiting – Protects against abnormally high traffic volumes from any client (for example, a denial-of-service (DoS) attack). By controlling inbound requests from REST API clients, client rate limiting protects API servers from being overloaded by a single client.

* Aggregate Server TCP Connection Limits – Prevents server overload from too many concurrent TCP connections across a single ASE node or a cluster of ASE nodes. Restricts the total number of TCP connections allowed from a cluster of ASE nodes to a specific API on each server.

* Aggregate Server HTTP Request Limits – Prevents REST API server overload from too many concurrent HTTP requests across a single ASE node or a cluster of ASE nodes. Unlike traditional per-node flow control, this implementation protects any REST API server from too much aggregate client traffic coming from a cluster of ASE nodes (for example, traffic load bursts or DDoS attacks).

* Client Request Queuing – Queues and retries REST API session requests when servers are busy.
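The difference between per-node limits and an aggregate limit, with queuing when the backend is full, as an added Python illustration. This is not ASE code or configuration: the class names, the cap of 100, and the four-node cluster are assumptions, and a single in-process object stands in for state shared across the cluster.

```python
# Added illustration, not ASE code. All names and numbers are hypothetical.
import threading
from collections import deque

class PerNodeLimiter:
    """Traditional flow control: every proxy node enforces its own cap."""
    def __init__(self, limit):
        self.limit, self.active = limit, 0

    def try_acquire(self, request_id):
        if self.active < self.limit:
            self.active += 1
            return True
        return False  # rejected; this node knows nothing about other nodes

class AggregateQuota:
    """One counter per API and backend server, shared by all nodes in a cluster."""
    def __init__(self, quota):
        self.quota, self.active = quota, 0
        self.queue = deque()  # requests waiting for a free backend slot
        self._lock = threading.Lock()

    def try_acquire(self, request_id):
        with self._lock:
            if self.active < self.quota:
                self.active += 1
                return True
            self.queue.append(request_id)  # backend busy: queue instead of dropping
            return False

    def release(self):
        """A backend request finished; retry the oldest queued request, if any."""
        with self._lock:
            if self.queue:
                return self.queue.popleft()  # the freed slot goes to the retry
            self.active -= 1
            return None

def backend_load(limiters, attempts_per_node):
    """Each node offers attempts_per_node concurrent requests; count those forwarded."""
    return sum(
        limiter.try_acquire((node, i))
        for node, limiter in enumerate(limiters)
        for i in range(attempts_per_node)
    )

def compare(nodes=4, cap=100, attempts_per_node=500):
    per_node = backend_load([PerNodeLimiter(cap) for _ in range(nodes)], attempts_per_node)
    shared = AggregateQuota(cap)
    aggregate = backend_load([shared] * nodes, attempts_per_node)
    return per_node, aggregate, len(shared.queue)  # (400, 100, 1900) with the defaults
```

With per-node caps the backend load grows with the number of nodes in the cluster, while the shared quota keeps it at the configured cap and holds the excess in the queue.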

## Protection for WebSocket APIs

* Client Rate Limiting – Protects against abnormally high traffic volumes from any client (for example, a denial-of-service (DoS) attack). By controlling the client HTTP requests and WebSocket traffic volumes, rate limiting protects API servers from being overloaded by a single client.

* Aggregate Server Connection Limits – Prevents server overload from too many simultaneous session connections across a single ASE node or a cluster of ASE nodes. Restricts the total number of WebSocket sessions allowed from a cluster of ASE nodes to a specific API on each server.

* Outbound Rate Limiting – Protects against abnormally high traffic volumes to a client. By managing outbound traffic volumes to WebSocket clients, outbound rate limiting protects against exfiltration.

The following table lists the control functions that apply to each protocol.

|                           | REST API (HTTP/HTTPS)                                  | WebSocket and Secure WebSocket                         |
| ------------------------- | ------------------------------------------------------ | ------------------------------------------------------ |
| Client Spike Threshold    | Yes                                                    | Yes                                                    |
| Server Connection Quota   | Yes                                                    | Yes                                                    |
| Server Connection Queuing | Yes                                                    | Yes                                                    |
| Server Spike Threshold    | Yes                                                    | N/A                                                    |
| Bytes-in Threshold        | N/A                                                    | Yes                                                    |
| Bytes-out Threshold       | N/A                                                    | Yes                                                    |
