Lockout Options - Blocked IP Issue

BigJames_
Occasional Contributor

Is there a way to manually unblock an IP after the IVE blocks it because of the Lockout Options settings?

I have a few users who have been locking themselves out recently after password changes and are calling our Help Desk for assistance. My Management finds it unacceptable that we tell end users they must wait 30 minutes before attempting to log in again.

We are using LDAP into Active Directory for Authentication and have our IVE Lockout Options set to:

Rate: 6 per minute

Attempts: 6

Lockout Duration: 30 minutes

This is an SA-4500 in an Active/Passive Cluster running IVE 6.3 r3

James

2 REPLIES
TechieMatt_
Occasional Contributor

Re: Lockout Options - Blocked IP Issue

Below may shed some light; the sums don't add up....

Configuring Lockout options

You can configure the following Lockout options to protect the IVE and other systems from Denial of Service (DoS), Distributed Denial of Service (DDoS), and password-guessing attacks from the same IP address:

  • Rate - Specify the number of failed sign-in attempts to allow per minute.
  • Attempts - Specify the maximum number of failed sign-in attempts to allow before triggering the initial lockout. The IVE determines the maximum initial period of time (in minutes) to allow the failed sign-in attempts to occur by dividing the specified number of attempts by the rate. For example, 180 attempts divided by a rate of 3 results in an initial period of 60 minutes. If 180 or more failed sign-in attempts occur within 60 minutes or less, the IVE locks out the IP address being used for the failed sign-in attempt.
  • Lockout period - Specify the number of minutes you want the IVE to lock out the IP address.


NOTE: Lockout options are not available to IVS systems. All other security options are available to IVS systems.


The IVE reacts quickly to an attack that persists, and then gradually becomes less restrictive when the attack subsides. After a lockout occurs, the IVE gradually recovers by maintaining the Rate. If the current failure rate since the last lockout exceeds the specified Rate, the IVE locks out the IP address again. If the failure rate is less than the specified Rate for the period of Attempts/Rate, the IVE returns to the initial monitoring state.

For example, if you use the following settings for the Lockout options, the IVE locks out the IP address for the time periods in the following scenario.

  • Rate=3 failed sign-in attempts/minute
  • Attempts=180 maximum allowed in initial period of 60 minutes (180/3)
  • Lockout period=2 minutes
  • During a period of three minutes, 180 failed sign-in attempts occur from the same IP address. Because the specified value for Attempts occurs in less than the allowed initial period of 60 minutes (180/3), the IVE locks out the IP address for 2 minutes (4th and 5th minutes).
  • In the 6th minute, the IVE removes the lock on the IP address and begins maintaining the rate of 3 failed sign-in attempts/minute. In the 6th and 7th minutes, the number of failed sign-in attempts is 2 per minute, so the IVE does not lock the IP address. However, when the number of failed sign-in attempts increases to 5 in the 8th minute, which is a total of 9 failed sign-in attempts within 3 minutes, the IVE locks out the IP address for 2 minutes again (9th and 10th minutes).
  • In the 11th minute, the IVE removes the lock on the IP address and begins maintaining the rate of 3 failed sign-in attempts/minute again. When the rate remains below an average of 3/minute for 60 minutes, the IVE returns to its initial monitoring state.
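The quoted documentation describes a small per-IP state machine: an initial monitoring window of Attempts/Rate minutes, a fixed lockout, and a "maintaining the Rate" phase that re-locks on a high average failure rate and returns to monitoring after Attempts/Rate quiet minutes. The simulation below is an added example, not part of this thread and not IVE code; it is modelled only from the wording above, so the state names, the `IpLockoutState` class and the sliding-window handling are assumptions. One caveat worth checking against a real appliance: the text says the IVE re-locks when the rate "exceeds" the Rate, but its own worked example locks at exactly 9 failures in 3 minutes with Rate 3, so the simulation uses `>=` to reproduce that example. Running the original poster's settings (Rate 6, Attempts 6, Lockout 30) through it shows why the Help Desk was busy: Attempts/Rate collapses the initial window to a single minute, so six mistyped passwords inside one minute mean a 30-minute block.

```python
"""Simulation of the IVE Lockout Options behaviour as described in the quoted
documentation (Rate, Attempts, Lockout period). Added example: modelled from the
text on this page only, not from the product's implementation."""
from dataclasses import dataclass, field
from typing import List

MONITORING = "monitoring"    # initial state: failures counted over Attempts/Rate minutes
LOCKED = "locked"            # IP is blocked; sign-in attempts are refused
MAINTAINING = "maintaining"  # after a lockout: average failures/minute must stay under Rate


@dataclass
class LockoutPolicy:
    rate: int             # failed sign-ins allowed per minute
    attempts: int         # failures that trigger the initial lockout
    lockout_minutes: int  # how long the IP stays blocked

    @property
    def initial_period(self) -> int:
        # The doc derives the initial window as Attempts / Rate (180 / 3 = 60 min).
        # Assumption: a window shorter than one minute is treated as one minute.
        return max(1, self.attempts // self.rate)


@dataclass
class IpLockoutState:
    """Hypothetical per-source-IP tracker (name and fields are assumptions)."""
    policy: LockoutPolicy
    state: str = MONITORING
    window: List[int] = field(default_factory=list)  # failures per minute in the current phase
    locked_remaining: int = 0

    def step(self, failures: int) -> str:
        """Process one minute containing `failures` failed sign-ins and return the
        state that applied while those attempts were being made."""
        if self.state == LOCKED:
            # Attempts made during the lockout are refused and not counted.
            self.locked_remaining -= 1
            if self.locked_remaining == 0:
                # Lock expires: the IVE now "maintains the Rate" for this IP.
                self.state = MAINTAINING
                self.window = []
            return LOCKED

        applied = self.state
        self.window.append(failures)

        if self.state == MONITORING:
            # Sliding window of the last Attempts/Rate minutes.
            self.window = self.window[-self.policy.initial_period:]
            if sum(self.window) >= self.policy.attempts:
                self._lock()
        else:  # MAINTAINING
            minutes = len(self.window)
            # The doc's example re-locks at exactly Rate * minutes (9 in 3 minutes at
            # Rate 3), so the comparison is >= rather than the strict "exceeds".
            if sum(self.window) >= self.policy.rate * minutes:
                self._lock()
            elif minutes >= self.policy.initial_period:
                # Rate held below the limit for Attempts/Rate minutes: back to the
                # initial monitoring state.
                self.state = MONITORING
                self.window = []
        return applied

    def _lock(self) -> None:
        self.state = LOCKED
        self.locked_remaining = self.policy.lockout_minutes
        self.window = []


def simulate(policy: LockoutPolicy, failures_per_minute: List[int]) -> List[str]:
    """Return the state that applied in each minute for one source IP."""
    ip = IpLockoutState(policy)
    return [ip.step(f) for f in failures_per_minute]


# Constructed scenario from the quoted documentation: Rate 3, Attempts 180,
# Lockout 2, with 180 failures in the first three minutes, then 2, 2, 5.
DOC_POLICY = LockoutPolicy(rate=3, attempts=180, lockout_minutes=2)
DOC_FAILURES = [60, 60, 60, 0, 0, 2, 2, 5, 0, 0, 1]

# The original poster's settings: Rate 6, Attempts 6, Lockout 30 minutes.
POSTER_POLICY = LockoutPolicy(rate=6, attempts=6, lockout_minutes=30)

if __name__ == "__main__":
    for minute, state in enumerate(simulate(DOC_POLICY, DOC_FAILURES), start=1):
        print(f"minute {minute:2d}: {state}")
    print("poster's initial window (minutes):", POSTER_POLICY.initial_period)
```

With the documentation scenario the run shows minutes 1 to 3 in monitoring, 4 and 5 locked, 6 to 8 maintaining, 9 and 10 locked again and minute 11 back in maintaining, matching the quoted walkthrough. Raising Attempts relative to Rate is what widens the initial window; the lockout period only controls how long a block lasts once triggered.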

BigJames_
Occasional Contributor

Re: Lockout Options - Blocked IP Issue

I read the settings verbatim and didn't realize it adapted based on the attempt count. We've adjusted our Lockout Options to take advantage of these capabilities.

James