PrepAway - Latest Free Exam Questions & Answers

What are two reasons for this behavior?

Refer to the Exhibit.
— Exhibit –
[edit security]
user@srx# show idp

application-ddos Webserver {
    service http;
    connection-rate-threshold 1000;
    context http-get-url {
        hit-rate-threshold 60000;
        value-hit-rate-threshold 30000;
        time-binding-count 10;
        time-binding-period 25;
    }
}
— Exhibit –
You are using AppDoS to protect your network against a bot attack, but noticed an approved
application has falsely triggered the configured IDP action of drop. You adjusted your AppDoS
configuration as shown in the exhibit. However, the approved traffic is still dropped.
What are two reasons for this behavior? (Choose two.)


A. The approved traffic results in 50,000 HTTP GET requests per minute.

B. The approved traffic results in 25 HTTP GET requests within 10 seconds from a single host.

C. The active IDP policy has not been defined in the security configuration.

D. The IDP action is still in effect due to the timeout configuration.

Explanation:

Reference: http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junossecurity-swconfig-security/appddos-protection-overview.html

http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-securityswconfig-security/appddos-proctecting-against.html#appddos-proctecting-against

3 Comments on “What are two reasons for this behavior?”

  1. Juniper says:

    AJSEC book part 1 chapter 2 page 50
    1- HTTP service is monitored
    2- once the connection rate threshold exceeds 1000 connections per second, stage 2 (protocol profiling) is employed
    3- hit-rate-threshold >> for heavy hitters
    value-hit-rate-threshold >> for random hitters (answer A)
    4- a single host needs to request the http-get-url context 10 times in a 25 second period to be classified as a malicious bot client. (so answer B is wrong)

    and answer D regarding the ip-action timeout in the idp policy rule.



