Consider it suspicious if more than N requests issued by a given client result in error statuses within a given time period. Recent attack pattern example: a CMS site with fast "static asset delivery" for real on-disk resources, but a slow, database-impacting fallback lookup for resources that do not exist on disk.
In this scenario, a simple mitigation would be to blacklist the paths being requested. However, if the attack pattern (i.e. the requested paths) changes, which is trivial for an attacker, the mitigation falls apart.
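One way to express the per-client error-rate check described above, as an added example rather than code from the original page. The class and function names, the threshold of 5, the 60-second window, the treatment of every 4xx/5xx status as an error, and the sample records are all assumptions made for illustration.

```python
from collections import defaultdict, deque


class ErrorRateDetector:
    """Flags a client once it exceeds N error responses in a sliding window."""

    def __init__(self, threshold, window_seconds):
        self.threshold = threshold          # N (assumed value supplied by caller)
        self.window = window_seconds        # length of the time period
        self._errors = defaultdict(deque)   # client -> timestamps of error responses

    def observe(self, client, ts, status):
        """Record one response; return True if the client is over the limit."""
        q = self._errors[client]
        if status >= 400:                   # assumption: 4xx and 5xx count as errors
            q.append(ts)
        while q and q[0] <= ts - self.window:
            q.popleft()                     # forget errors older than the window
        return len(q) > self.threshold


def flagged_clients(records, threshold=5, window_seconds=60):
    """records: iterable of (client, ts, path, status), time-ordered per client."""
    det = ErrorRateDetector(threshold, window_seconds)
    return {c for c, ts, _path, status in records if det.observe(c, ts, status)}


def blacklist_hits(records, blacklist):
    """How many requests a static path blacklist would have matched."""
    return sum(1 for _c, _ts, path, _status in records if path in blacklist)


# Constructed sample records (not real traffic).
SAMPLE = (
    # Client requesting a different missing asset every 2 seconds.
    [("203.0.113.7", t, f"/assets/missing-{t}.png", 404) for t in range(0, 20, 2)]
    # Ordinary visitor: real assets plus one stray 404.
    + [("198.51.100.4", t, "/assets/logo.png", 200) for t in range(0, 20, 5)]
    + [("198.51.100.4", 21, "/favicon.ico", 404)]
    # Client following stale links: six 404s spread over ten minutes.
    + [("192.0.2.9", t, f"/old/page-{t}", 404) for t in range(0, 600, 100)]
)

# A blacklist built from the first two paths seen during the incident.
BLACKLIST = {"/assets/missing-0.png", "/assets/missing-2.png"}

if __name__ == "__main__":
    print("flagged by error rate:", flagged_clients(SAMPLE))
    print("requests matched by path blacklist:", blacklist_hits(SAMPLE, BLACKLIST))
```

The rate check keys on the client and the response status, so it keeps working when the requested paths change, while the path blacklist matches only the paths it was built from.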