PingIntelligence

ASE DoS and DDoS protection

Application Security Enforcer (ASE) flow control ensures that backend application programming interface (API) servers are protected from unplanned or malicious (for example, DDoS) surges in API traffic. Flow control combines client and backend server traffic control at an API level to protect REST and WebSocket API servers.

Protection for REST APIs

  • Client Rate Limiting – Protects against abnormally high traffic volumes from any client (for example, a denial-of-service (DoS) attack). By controlling inbound requests from REST API clients, client rate limiting protects API servers from being overloaded by a single client.

  • Aggregate Server TCP Connection Limits – Prevents server overload from too many concurrent TCP connections across one or a cluster of ASE nodes. Restricts the total number of TCP connections allowed from a cluster of ASE nodes to a specific API on each server.

  • Aggregate Server HTTP Request Limits – Prevents REST API server overload from too many concurrent HTTP requests across one or a cluster of ASE nodes. Unlike traditional per node flow control, this implementation protects any REST API server from too much aggregate client traffic coming from a cluster of ASE nodes (for example, traffic load bursts or DDoS attacks).

  • Client Request Queuing – Queues and retries REST API session requests when servers are busy.
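The difference between traditional per-node limits and an aggregate limit shared across a cluster of ASE nodes, with queuing of excess requests, as an added illustrative model. This is not PingIntelligence's implementation; the quota, queue depth and node counts are constructed values.

```python
from collections import deque

class AggregateLimiter:
    """Constructed model (not PingIntelligence code) of aggregate server connection
    limits: one quota shared by every ASE node, so the API server never sees more
    than `quota` concurrent connections; excess requests queue, then are rejected."""
    def __init__(self, quota, queue_depth):
        self.quota, self.queue_depth = quota, queue_depth
        self.open, self.rejected = 0, 0
        self.queue = deque()

    def admit(self, request):
        if self.open < self.quota:
            self.open += 1
            return "forwarded"
        if len(self.queue) < self.queue_depth:
            self.queue.append(request)       # client request queuing
            return "queued"
        self.rejected += 1
        return "rejected"

    def release(self):
        """A backend connection finished: retry the oldest queued request, if any."""
        if self.open == 0:
            return None
        self.open -= 1
        if self.queue:
            self.open += 1
            return self.queue.popleft()
        return None

def per_node_backend_load(nodes, requests_per_node, quota_per_node):
    """Traditional per-node flow control: each node admits up to its own quota,
    so the server can receive nodes * quota connections at once."""
    return nodes * min(requests_per_node, quota_per_node)

def burst(nodes, requests_per_node, quota, queue_depth=50):
    """Constructed scenario: every node in the cluster receives the same burst.
    Returns (per-node backend load, aggregate backend load, queued, rejected)."""
    aggregate = AggregateLimiter(quota, queue_depth)
    for node in range(nodes):
        for i in range(requests_per_node):
            aggregate.admit((node, i))
    return (per_node_backend_load(nodes, requests_per_node, quota),
            aggregate.open, len(aggregate.queue), aggregate.rejected)

def drain(limiter, completed):
    """Retry queued requests as `completed` backend connections finish; returns how many were forwarded."""
    return sum(1 for _ in range(completed) if limiter.release() is not None)
```

With three nodes, 100 requests each and a quota of 100, the per-node model lets 300 connections reach the server while the aggregate model forwards 100, queues 50 and rejects the rest.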

Protection for WebSocket APIs

  • Client Rate Limiting – Protects against abnormally high traffic volumes from any client (for example, a denial-of-service (DoS) attack). By controlling the client HTTP requests and WebSocket traffic volumes, rate limiting protects API servers from being overloaded by a single client.

  • Aggregate Server Connection Limits – Prevents server overload from too many simultaneous session connections across one or a cluster of ASE nodes. Restricts the total number of WebSocket sessions allowed from a cluster of ASE nodes to a specific API on each server.

  • Outbound Rate Limiting – Protects against abnormally high traffic volumes to a client. By managing outbound traffic volumes to WebSocket clients, outbound rate limiting protects against exfiltration.

The following table lists the control functions that apply to each protocol.

Control function             REST API (HTTP/HTTPS)    WebSocket and Secure WebSocket
Client Spike Threshold       Yes                      Yes
Server Connection Quota      Yes                      Yes
Server Connection Queuing    Yes                      Yes
Server Spike Threshold       Yes                      N/A
Bytes-in Threshold           N/A                      Yes
Bytes-out Threshold          N/A                      Yes