Protection for REST APIs

  • Client Rate Limiting – Protects against abnormally high traffic volumes from any client (for example, a Denial-of-Service (DoS) attack). By controlling inbound requests from REST API clients, client rate limiting protects API servers from being overloaded by a single client.
  • Aggregate Server TCP Connection Limits – Prevents server overload from too many concurrent TCP connections across a single ASE node or a cluster of ASE nodes. Restricts the total number of TCP connections allowed from a cluster of ASE nodes to a specific API on each server.
  • Aggregate Server HTTP Request Limits – Prevents REST API server overload from too many concurrent HTTP requests across a single ASE node or a cluster of ASE nodes. Unlike traditional per-node flow control, this implementation protects any REST API server from too much aggregate client traffic coming from a cluster of ASE nodes (for example, traffic load bursts or DDoS attacks).
  • Client Request Queuing – Queues and retries REST API session requests when servers are busy.
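
The difference between per-node flow control and an aggregate server limit, as an added example that is not ASE code: a fixed-window model in which three nodes front one API server. The node names, the limit of 100 requests per window and the fixed-window counting are assumptions made for illustration; the page does not describe how ASE shares state across a cluster.

```python
from collections import defaultdict

class PerNodeLimiter:
    """Traditional flow control: each node enforces the limit on its own."""
    def __init__(self, limit_per_window):
        self.limit = limit_per_window
        self.counts = defaultdict(int)      # (node, window) -> requests forwarded

    def allow(self, node, window):
        if self.counts[(node, window)] >= self.limit:
            return False
        self.counts[(node, window)] += 1
        return True

class AggregateLimiter:
    """Aggregate limit: every node draws on one quota for the backend server."""
    def __init__(self, limit_per_window):
        self.limit = limit_per_window
        self.counts = defaultdict(int)      # window -> requests forwarded by the cluster

    def allow(self, node, window):
        if self.counts[window] >= self.limit:
            return False
        self.counts[window] += 1
        return True

def peak_backend_load(limiter, traffic):
    """Largest number of requests the backend receives in any single window."""
    forwarded = defaultdict(int)
    for node, window in traffic:
        if limiter.allow(node, window):
            forwarded[window] += 1
    return max(forwarded.values(), default=0)

def burst(nodes, per_node, window=0):
    """Constructed traffic: each node receives per_node requests in one window."""
    return [(node, window) for _ in range(per_node) for node in nodes]

NODES = ["ase-1", "ase-2", "ase-3"]         # hypothetical node names
LIMIT = 100                                 # assumed limit per window
TRAFFIC = burst(NODES, 150)                 # 450 requests spread over three nodes

if __name__ == "__main__":
    # Per-node limits let each node forward its full quota to the same server.
    print("per-node :", peak_backend_load(PerNodeLimiter(LIMIT), TRAFFIC))
    # The aggregate limit caps what the server sees regardless of node count.
    print("aggregate:", peak_backend_load(AggregateLimiter(LIMIT), TRAFFIC))
```

With per-node limits the load reaching the server grows with the number of nodes in the cluster, which is the gap the aggregate limits above are meant to close.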

Protection for WebSocket APIs

  • Client Rate Limiting – Protects against abnormally high traffic volumes from any client (for example, a Denial-of-Service (DoS) attack). By controlling the client HTTP requests and WebSocket traffic volumes, rate limiting protects API servers from being overloaded by a single client.
  • Aggregate Server Connection Limits – Prevents server overload from too many simultaneous session connections across a single ASE node or a cluster of ASE nodes. Restricts the total number of WebSocket sessions allowed from a cluster of ASE nodes to a specific API on each server.
  • Outbound Rate Limiting – Protects against abnormally high traffic volumes to a client. By managing outbound traffic volumes to WebSocket clients, outbound rate limiting protects against exfiltration.

The following table lists the control functions that apply to each protocol.

| Control function | REST API (HTTP/HTTPS) | WebSocket and Secure WebSocket |
|---|---|---|
| Client Spike Threshold | ✓ | ✓ |
| Server Connection Quota | ✓ | ✓ |
| Server Connection Queuing | ✓ | ✓ |
| Server Spike Threshold | ✓ | N/A |
| Bytes-in Threshold | N/A | ✓ |
| Bytes-out Threshold | N/A | ✓ |