Click the Exhibit button.
— Exhibit —
You are using AppDoS to protect your network against a bot attack, but noticed an approved application has falsely triggered the configured IDP action of drop. You adjusted your AppDoS configuration as shown in the exhibit. However, the approved traffic is still dropped. What are two reasons for this behavior? (Choose two.)
A. The approved traffic results in 50,000 HTTP GET requests per minute.
B. The IDP action is still in effect due to the timeout configuration.
C. The approved traffic results in 25 HTTP GET requests within 10 seconds from a single host.
D. The active IDP policy has not been defined in the security configuration.
The correct answers are B and D.
For A -> where in the config is the mentioned 50 000?
For C -> it is incorrect, as the config talks about 10 connections within 25 seconds.
A tick is defined as 60 seconds by default.
http://stage.juniper.net/techpubs/en_US/junos12.1x44/topics/reference/configuration-statement/security-edit-value-hit-rate-threshold.html
AJSEC book part 1 chapter 2 page 50
1- HTTP service is monitored
2- once the connection rate threshold exceeds 1000 connections per second, stage 2 (protocol profiling) is employed
3- hit-rate-threshold >> for heavy hitters
value-hit-rate-threshold >> for random hitters (answer A)
4- a single host needs to request the http-get-url context 10 times in a 25 second period to be classified as a malicious bot client. (so answer C is wrong)
The default timeout value for IP actions is 0, which means that IP actions are never timed out.
https://www.juniper.net/documentation/en_US/junos12.3x48/topics/concept/idp-policy-rule-understanding.html
AB correct
ab