DoS Rate-Limit Drops Observed Despite Low Connection Rates on Analytics
Article ID: 411157

Updated On:

Products

VMware Avi Load Balancer

Issue/Introduction

  • In some cases, customers may observe DOS_CONN_RL_DROP events in the Virtual Service (VS) logs even though the Analytics page shows a relatively low connection rate (e.g., 40 connections/sec against a configured rate limit of 300). This may lead to confusion about why rate-limit drops are occurring.

Cause

  • The Rate-Limit (RL) mechanism acts on connection bursts immediately. Connections are dropped at the very beginning if the rate exceeds the configured threshold.

  • The "Conns/sec" metric in Analytics only reflects valid connections that passed the RL check. Dropped connections due to rate-limiting are not included in this metric.

  • For an event to be generated, the rate-limit exceed condition must persist across two DoS reporting intervals (5 seconds each, totaling 10 seconds) with at least the configured number of “Rate Limit Number of New TCP Connections” dropped in each interval.
  • The SE stats (connection_stats) average the connection count over a 5-minute interval, so they cannot be relied upon to calculate short-lived bursts.

Resolution

To confirm and calculate actual incoming connection rates:

  1. Use VS statistics fields to track growth over time:

    • connections_accepted + dos_conn_rl_drop = total incoming connections

    • Divide this value over a given time window to estimate the true incoming connections/sec.

  2. Example CLI outputs:

    show virtualservice VS_Name tcpstat
    connections_accepted = 33070393

    show virtualservice VS_Name dosstat
    dos_conn_rl_drop = 1286116

  3. Monitor these counters over short time intervals to validate whether bursts are exceeding the configured rate limit, even if Analytics shows lower average values.
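The following Python script is an added example, not part of this article or of the Avi product; it implements the calculation described in steps 1 to 3. It parses the `connections_accepted` and `dos_conn_rl_drop` counters from the two show-command outputs above, computes the true incoming connection rate over a sampling window as accepted plus rate-limit drops, and, for a series of counters read every 5 seconds, flags the 10-second windows in which two consecutive DoS reporting intervals each dropped at least the configured number of new TCP connections. The CLI text and counter series are constructed (the first sample reuses the counter values shown in the article), and the configured threshold of 300 is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Counter lines in `show virtualservice <VS_Name> tcpstat` / `dosstat` output look like
# "connections_accepted = 33070393"; this regex extracts every "name = integer" pair
# and ignores the echoed command line, which has no "=".
COUNTER_RE = re.compile(r"^\s*(\w+)\s*=\s*(\d+)\s*$", re.MULTILINE)


def parse_counters(cli_output: str) -> Dict[str, int]:
    """Extract integer counters from show-command output."""
    return {name: int(value) for name, value in COUNTER_RE.findall(cli_output)}


@dataclass(frozen=True)
class Sample:
    t: float                   # time the counters were read, in seconds
    connections_accepted: int  # from tcpstat
    dos_conn_rl_drop: int      # from dosstat


def sample_from_cli(t: float, tcpstat_out: str, dosstat_out: str) -> Sample:
    """Build one Sample from the tcpstat and dosstat outputs read at time t."""
    counters = parse_counters(tcpstat_out)
    counters.update(parse_counters(dosstat_out))
    return Sample(t, counters["connections_accepted"], counters["dos_conn_rl_drop"])


def incoming_rate(a: Sample, b: Sample) -> Tuple[float, float, float]:
    """Return (accepted/s, rl_dropped/s, total_incoming/s) over the window a..b.

    total incoming = connections_accepted + dos_conn_rl_drop (step 1 of the KB);
    the Analytics "Conns/sec" value corresponds to the accepted component only.
    """
    dt = b.t - a.t
    if dt <= 0:
        raise ValueError("samples must be in increasing time order")
    accepted = (b.connections_accepted - a.connections_accepted) / dt
    dropped = (b.dos_conn_rl_drop - a.dos_conn_rl_drop) / dt
    return accepted, dropped, accepted + dropped


def rl_event_windows(samples: List[Sample], drop_threshold: int,
                     interval: float = 5.0) -> List[Tuple[float, float]]:
    """Return (start, end) of each 10 s window where both consecutive DoS
    reporting intervals dropped at least drop_threshold connections.

    Samples must be spaced exactly one reporting interval apart.
    """
    for prev, cur in zip(samples, samples[1:]):
        if abs((cur.t - prev.t) - interval) > 1e-9:
            raise ValueError("samples must be spaced one reporting interval apart")
    drops = [samples[i + 1].dos_conn_rl_drop - samples[i].dos_conn_rl_drop
             for i in range(len(samples) - 1)]
    return [(samples[i - 1].t, samples[i + 1].t)
            for i in range(1, len(drops))
            if drops[i - 1] >= drop_threshold and drops[i] >= drop_threshold]


# Constructed CLI captures (not real output); the first pair reuses the counter
# values from the article, the second pair is a hypothetical read 5 s later.
TCPSTAT_T0 = "show virtualservice VS_Name tcpstat\nconnections_accepted = 33070393 \n"
DOSSTAT_T0 = "show virtualservice VS_Name dosstat \ndos_conn_rl_drop = 1286116 \n"
TCPSTAT_T5 = "show virtualservice VS_Name tcpstat\nconnections_accepted = 33070593 \n"
DOSSTAT_T5 = "show virtualservice VS_Name dosstat \ndos_conn_rl_drop = 1287616 \n"

# Assumed configured "Rate Limit Number of New TCP Connections" value.
ASSUMED_RL_THRESHOLD = 300


def build_series() -> List[Sample]:
    """Constructed 5 s counter series: a steady 40 accepted/s, plus a burst that
    produces 1500 and 1600 rate-limit drops in two consecutive intervals."""
    accepted, dropped = 33070393, 1286116
    drops_per_interval = [0, 0, 1500, 1600, 0]
    series = [Sample(0.0, accepted, dropped)]
    for k, d in enumerate(drops_per_interval, start=1):
        accepted += 200  # 40 conns/s, what Analytics would display
        dropped += d
        series.append(Sample(5.0 * k, accepted, dropped))
    return series


if __name__ == "__main__":
    s0 = sample_from_cli(0.0, TCPSTAT_T0, DOSSTAT_T0)
    s5 = sample_from_cli(5.0, TCPSTAT_T5, DOSSTAT_T5)
    print("accepted/s, dropped/s, true incoming/s:", incoming_rate(s0, s5))
    series = build_series()
    print("5-minute-style average over whole series:", incoming_rate(series[0], series[-1]))
    print("windows meeting the event condition:", rl_event_windows(series, ASSUMED_RL_THRESHOLD))
```

Run it against two CLI captures taken a known number of seconds apart; the third value returned by `incoming_rate` is the rate to compare with the configured limit, and averaging over the whole series shows how a burst of 340 incoming/s can disappear into a much lower long-window mean.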