What is AAD

The AAD (Automatic Attack Detection) deals controlling the number of concurrent open TCP connections that come from the same IP. Depending on situation, it may be perfectly normal to get 50 concurrent connections coming from the same client. In some other situations, seeing more than 5 concurrent connections might be unusual. It may require some other means of network analysis (outside of the WebMux) to help you determine what the normal activity it for your environment. Or you can refer to you server’s actual resource limits and set AAD TCP connection threshold to a value under the servers real limits for concurrent connections as a safeguard against server overload. AAD helps safeguard for situations where an attacker from a single IP can open so many TCP connections and leave them open that the farm can no longer accept any new connections.