
Frequency of failure heuristic. #11

@amcgregor


Consider it suspicious if greater than N requests are issued by a given client that result in error statuses within a given time period. Recent attack pattern example: a CMS site with fast "static asset delivery" for real on-disk resources, but slow, database-impacting fallback lookup for resources that do not exist on-disk.

In this scenario, simple mitigation would be to blacklist the paths being requested. However, if the attack pattern (i.e. requested paths) changes—trivial as an attacker—the mitigation falls apart.
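A sketch of the heuristic proposed above, as an added example that is not the project's own code: a per-client sliding window over error responses that never looks at the requested path, so changing paths does not reset the count. The names `ErrorRateHeuristic` and `flagged_clients`, the treatment of any status of 400 or above as an error, and the sample traffic are assumptions made for illustration.

```python
from collections import defaultdict, deque


class ErrorRateHeuristic:
    """Flag a client once it exceeds `limit` error responses within `window` seconds."""

    def __init__(self, limit=5, window=60.0, is_error=lambda status: status >= 400):
        self.limit = limit
        self.window = window
        self.is_error = is_error  # assumption: 4xx and 5xx both count as errors
        self._errors = defaultdict(deque)  # client -> timestamps of recent errors

    def observe(self, client, status, now):
        """Record one response; return True if the client is now suspicious."""
        recent = self._errors[client]
        # Expire timestamps that have slid out of the window.
        while recent and now - recent[0] >= self.window:
            recent.popleft()
        if self.is_error(status):
            recent.append(now)
        if not recent:
            del self._errors[client]  # forget clients with no recent errors
            return False
        return len(recent) > self.limit


def flagged_clients(events, **kwargs):
    """Run the heuristic over (timestamp, client, path, status) tuples."""
    detector = ErrorRateHeuristic(**kwargs)
    flagged = set()
    for ts, client, _path, status in events:  # the path is deliberately ignored
        if detector.observe(client, status, ts):
            flagged.add(client)
    return flagged


# Constructed sample traffic: 203.0.113.7 asks for a different missing asset
# every second; 198.51.100.4 is an ordinary visitor who hits one stale link.
SAMPLE = [(float(i), "203.0.113.7", f"/assets/{i:04x}.png", 404) for i in range(8)]
SAMPLE += [(1.0, "198.51.100.4", "/index.html", 200),
           (2.0, "198.51.100.4", "/old-page", 404),
           (3.0, "198.51.100.4", "/style.css", 200)]
SAMPLE.sort(key=lambda event: event[0])

if __name__ == "__main__":
    print(flagged_clients(SAMPLE, limit=5, window=60.0))
```

The client key here is a bare address; behind a proxy or CDN it would need to come from a trusted forwarded-address header, otherwise every request appears to share one client.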
