You can use the Access Control List (ACL) functionality to block known "bad" IP addresses.
To block malicious network traffic, such as an HTTP DDoS attack, you can use any of the following NetScaler features:
- Access Control Lists
- HTTP DoS Protection
- Rate Limiting
- Dropping Invalid HTTP Requests
- Application Firewall
- SYN Cookies
- AppQoE
Access Control Lists
To configure ACL on the NetScaler appliance, see Citrix Documentation - Access Control Lists.
Run the following command to view the simple ACLs:
nsroot@ns> show simpleacl
Simple ACLs are held in memory only for a configured time-to-live (TTL), for example 3600 seconds, and are not written to the running configuration, so you do not see them in the output of show run; the appliance still matches incoming packets against the listed IP addresses while the entry is active. Because only the address and its TTL are stored, simple ACLs are more memory efficient than extended ACLs.
Run the following command to view the details of the extended ACL:
nsroot@ns> show acl
Extended ACLs are stored in the running configuration, and unlike simple ACLs they accept IP address ranges as a parameter.
Run the following command to view the ACL in the current configuration:
nsroot@ns> show run | grep acl
HTTP DoS Protection
To configure HTTP Denial of Service (DoS) Protection feature on NetScaler appliance, see Citrix Documentation - HTTP Denial-of-Service Protection.
Depending on the HTTP DoS policy settings and the configured queue depth, the appliance answers new requests with a JavaScript-based challenge that a real browser completes and a simple flooding tool does not. The policy is not client-IP based: the appliance cannot single out individual client IP addresses, and it starts challenging clients once the number of waiting requests exceeds the configured queue depth (the -qDepth parameter).
The client detect rate (the percentage of incoming requests that are challenged) depends heavily on the customer environment; tune it to find a balance between passing valid requests and blocking invalid ones.
Rate Limiting
To configure Rate Limiting feature on NetScaler appliance, see Citrix Documentation - Rate Limiting.
Rate Limiting is a good option because it provides control based on the client IP address. Be careful, however: on the internet many valid requests can arrive from the same source IP address when clients sit behind Network Address Translation (NAT), so a per-IP threshold that is set too low blocks legitimate users behind a shared gateway.
The following sample configuration is based on the client IP address.
Commands to configure Rate Limiting feature:
add ns limitSelector limit_selector_client_ip CLIENT.IP.SRC
add ns limitIdentifier limit_identifier_client_ip -threshold 1000 -timeSlice 60000 -mode REQUEST_RATE -limitType SMOOTH -selectorName limit_selector_client_ip
Note: The time slice is specified in milliseconds, so 60000 is one minute; the threshold of 1000 requests per minute is counted per client IP address. With -limitType SMOOTH the threshold is spread evenly across the time slice instead of being allowed as a single burst (BURSTY).
Commands to add a Responder Policy by using a Named Expression:
add policy expression expr_pol_CompanyA_SubDomain "HTTP.REQ.METHOD.EQ(POST) && HTTP.REQ.HOSTNAME.EQ(\"SubDomain.CompanyA.com\") && HTTP.REQ.URL.CONTAINS(\"/CompanyA/SubDomain/testurl\")"
add responder policy pol_resp_CompanyA_SubDomain_client "expr_pol_CompanyA_SubDomain && SYS.CHECK_LIMIT(\"limit_identifier_client_ip\")" DROP NOOP
The policy drops a POST to the named host and URL once the client IP address exceeds the limit (SYS.CHECK_LIMIT returns TRUE when the limit is exceeded); NOOP is the action for an undefined result. Bind the policy globally or to the virtual server for it to take effect.
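The following Python model is added here as an illustration; it is not part of the original article and not NetScaler's implementation. It shows what SYS.CHECK_LIMIT returns for a stream of requests keyed by CLIENT.IP.SRC with the identifier above (threshold 1000, timeSlice 60000 ms). BURSTY is modelled as a fixed-window counter and SMOOTH as a minimum spacing of timeSlice/threshold ms between accepted requests, which approximates how the appliance spreads the threshold over the slice rather than reproducing its exact algorithm. The traffic (a flooding address, a NAT gateway fronting 50 users, and a single user) is constructed for the example and illustrates the NAT caveat: the shared gateway trips the same per-IP limit as the attacker.

```python
"""Approximate model of a NetScaler rate-limiting identifier (added example).

Not NetScaler code. BURSTY = fixed-window counter per selector key; SMOOTH is
modelled as a minimum gap of timeSlice/threshold ms between accepted requests,
an approximation of how the appliance spreads the threshold over the slice.
"""
from collections import defaultdict


class LimitIdentifier:
    """Mirrors `add ns limitIdentifier -threshold -timeSlice -mode REQUEST_RATE -limitType`."""

    def __init__(self, threshold, time_slice_ms, limit_type="BURSTY"):
        if threshold <= 0 or time_slice_ms <= 0:
            raise ValueError("threshold and timeSlice must be positive")
        if limit_type not in ("BURSTY", "SMOOTH"):
            raise ValueError("limitType must be BURSTY or SMOOTH")
        self.threshold = threshold
        self.time_slice_ms = time_slice_ms
        self.limit_type = limit_type
        self._window = {}         # BURSTY: key -> (window_start_ms, count)
        self._last_accepted = {}  # SMOOTH: key -> timestamp of last accepted request

    def check_limit(self, key, now_ms):
        """Return True when this request exceeds the limit for `key`.

        Same sense as SYS.CHECK_LIMIT(): TRUE means "over the limit", which is
        why the policies above pair it with DROP or RESET.
        """
        if self.limit_type == "BURSTY":
            start, count = self._window.get(key, (now_ms, 0))
            if now_ms - start >= self.time_slice_ms:   # new time slice, reset the counter
                start, count = now_ms, 0
            if count >= self.threshold:
                self._window[key] = (start, count)
                return True
            self._window[key] = (start, count + 1)
            return False
        min_gap_ms = self.time_slice_ms / self.threshold   # e.g. 60000 / 1000 = 60 ms
        last = self._last_accepted.get(key)
        if last is not None and now_ms - last < min_gap_ms:
            return True
        self._last_accepted[key] = now_ms
        return False


def simulate(identifier, requests):
    """Feed (timestamp_ms, client_ip) tuples through the identifier in time order.

    Returns {client_ip: (allowed, dropped)}.
    """
    counts = defaultdict(lambda: [0, 0])
    for ts_ms, client_ip in sorted(requests):
        if identifier.check_limit(client_ip, ts_ms):
            counts[client_ip][1] += 1
        else:
            counts[client_ip][0] += 1
    return {ip: tuple(v) for ip, v in counts.items()}


def build_sample_traffic():
    """Constructed one-minute traffic, not a capture; addresses are documentation ranges."""
    requests = []
    requests += [(i * 30, "203.0.113.10") for i in range(2000)]   # flooding client: 2000 req/min
    requests += [(i * 40, "198.51.100.1") for i in range(1500)]   # NAT gateway: 50 users x 30 req/min
    requests += [(i * 600, "192.0.2.7") for i in range(100)]      # single user: 100 req/min
    return requests


if __name__ == "__main__":
    for limit_type in ("BURSTY", "SMOOTH"):
        ident = LimitIdentifier(threshold=1000, time_slice_ms=60000, limit_type=limit_type)
        for ip, (allowed, dropped) in sorted(simulate(ident, build_sample_traffic()).items()):
            print(f"{limit_type:6} {ip:15} allowed={allowed:4} dropped={dropped:4}")
```

With the BURSTY window the attacker and the NAT gateway both lose requests once their per-IP count passes 1000 in the minute, while in SMOOTH mode the gateway's 40 ms request spacing is already tighter than the 60 ms the limit allows, so half of its legitimate users' requests are dropped. That is the trade-off the NAT caveat describes, and the reason the threshold has to be measured against real traffic before the DROP or RESET action is enabled.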
Slow POST Protection
If you are receiving a slow POST attack as described under Layer 7 DDoS, upgrade to NetScaler software release 9.2 build 52.8 nCore or later, or 9.3 build 48.6 nCore or later, which address this issue.
Until you can upgrade, either of the following two temporary workarounds mitigates the issue:
Method 1
Run the following commands to protect the back-end servers. The rewrite action searches the request body (up to 999999 bytes) for a string that never occurs, which forces the appliance to accumulate the connection and buffer the complete HTTP POST body before forwarding the request, so a slowly trickled body ties up the NetScaler appliance rather than the back-end server:
add rewrite action reqrepall replace_all "HTTP.REQ.BODY(999999)" HTTP.REQ.METHOD -search "text(\"a_string_that_does_not_occur\")" -bypassSafetyCheck YES
add rewrite policy reqrepall "HTTP.REQ.METHOD.EQ(POST)" reqrepall
Bind the rewrite policy globally or to the affected virtual server at request time for it to take effect.
Method 2
In this method, rate limiting is used to control the flow of connections to the appliance.
Run the following commands to configure Rate Limiting first, because the Responder Policy references the limit identifier by name. Note that -timeSlice is in milliseconds, so these sample values allow 6 requests per 10 milliseconds per client IP address and must be tuned for your environment:
add ns limitSelector slowpostsel CLIENT.IP.SRC
add ns limitIdentifier slowpostid1 -threshold 6 -timeSlice 10 -mode REQUEST_RATE -limitType SMOOTH -selectorName slowpostsel
Run the following commands to configure and bind the Responder Policy, which resets connections from a client IP address that exceeds the limit:
add responder policy slowpostpol "SYS.CHECK_LIMIT(\"slowpostid1\")" RESET
bind responder global slowpostpol 1 END -type REQ_DEFAULT
set responder param -undefAction NOOP
The following command has sample values for an alternative Responder Policy. Because the rule references HTTP.REQ.BODY(999999), the appliance has to buffer up to that many bytes of the POST body before it can evaluate the rule, so the request does not reach the back-end server until the body has arrived; the NOOP action then lets the request through:
add responder policy DOS "HTTP.REQ.METHOD.EQ(POST) && HTTP.REQ.BODY(999999).LENGTH.GT(0)" NOOP
Dropping Invalid HTTP Requests
The source of a DDoS attack usually does not send valid HTTP requests. If any of the following conditions holds for the request line or headers, the appliance treats the HTTP request as invalid:
- HTTP major version number is not in the range of 0 through 9.
- An HTTP response status code begins with a character not in the range of 0 through 9.
- A packet full of CR-LF or whitespace characters is received before the HTTP request line.
- No URL after the HTTP request method.
- No HTTP/ after the URL in the HTTP request line.
- Space in the URL or request line.
- The number of held NetScaler Buffers (NSBs) for the request exceeds the configured limit.
- The server sends more data than the Content-Length header specifies.
- Invalid value of the Content-Length header (non-numeric characters).
- HTTP CONNECT request method (when CONNECT requests are marked invalid, see below).
- No Host header in an HTTP/1.1 request.
Run the following command to configure the NetScaler appliance to drop invalid HTTP requests:
set ns httpParam -dropInvalReqs ON
Run the following command to mark HTTP/0.9 requests as invalid:
set ns httpParam -markHttp09Inval ON
Run the following command to mark CONNECT requests as invalid:
set ns httpParam -markconnReqInval ON
Or, you can run the following single command to drop invalid HTTP requests, mark HTTP/0.9 requests as invalid, and mark CONNECT requests as invalid:
set ns httpParam -markHttp09Inval ON -markconnReqInval ON -dropInvalReqs ON
Run the following command from the shell to view the counters for requests that are dropped as invalid:
root@ns# nsconmsg -g http_err_noreuse_ -d stats
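To see how those conditions map onto real bytes, here is a Python checker, added as an illustration and not NetScaler's parser, that applies the request-line and header rules from the list above to one raw request and returns the reasons it would be marked invalid. The mark_http09_invalid and mark_connect_invalid switches mirror the -markHttp09Inval and -markconnReqInval options of set ns httpParam; the NSB count and the server-side Content-Length condition need connection state that a single request buffer does not carry, so they are left out. The sample requests are constructed for the example.

```python
"""Invalid-HTTP-request checker (added example, not NetScaler's parser).

Applies the request-line and header conditions listed above to one raw request
and returns the reasons it would be treated as invalid. The NSB-count and
server-side Content-Length conditions need connection state and are not modelled.
"""
import re

_VERSION = re.compile(rb"HTTP/(\d)\.(\d+)$")   # major version must be a single digit 0-9


def classify_request(raw, mark_http09_invalid=True, mark_connect_invalid=True):
    """Return a list of reasons `raw` is invalid; an empty list means it passes.

    `mark_http09_invalid` and `mark_connect_invalid` mirror the
    -markHttp09Inval and -markconnReqInval options of `set ns httpParam`.
    """
    reasons = []

    # A packet of CR-LF / whitespace before the request line.
    stripped = raw.lstrip(b"\r\n \t")
    if stripped != raw:
        reasons.append("CR-LF/whitespace before the request line")

    head = stripped.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    method = parts[0]
    version = None   # (major, minor); stays None for HTTP/0.9 or a broken request line

    if len(parts) < 2 or parts[1] == b"":
        reasons.append("no URL after the HTTP request method")
    elif len(parts) == 2:
        # "GET /path" with no version token is an HTTP/0.9 simple request.
        if mark_http09_invalid:
            reasons.append("HTTP/0.9 request (markHttp09Inval)")
    else:
        if len(parts) > 3:
            reasons.append("space in the URL or request line")
        token = parts[-1]
        if not token.startswith(b"HTTP/"):
            reasons.append("no HTTP/ after the URL in the request line")
        else:
            m = _VERSION.match(token)
            if m is None:
                reasons.append("HTTP major version not in the range 0-9")
            else:
                version = (int(m.group(1)), int(m.group(2)))

    if mark_connect_invalid and method == b"CONNECT":
        reasons.append("HTTP CONNECT request method (markconnReqInval)")

    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()

    if b"content-length" in headers and not headers[b"content-length"].isdigit():
        reasons.append("non-numeric Content-Length value")
    if version == (1, 1) and b"host" not in headers:
        reasons.append("no Host header in an HTTP/1.1 request")

    return reasons


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "valid": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "leading_crlf": b"\r\n\r\n\r\nGET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "no_url": b"GET\r\nHost: www.example.com\r\n\r\n",
    "no_http_token": b"GET /index.html FOO/1.1\r\nHost: www.example.com\r\n\r\n",
    "bad_major_version": b"GET /index.html HTTP/X.1\r\nHost: www.example.com\r\n\r\n",
    "space_in_url": b"GET /a b.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "http09": b"GET /index.html\r\n\r\n",
    "connect": b"CONNECT www.example.com:443 HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "bad_content_length": b"POST /login HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 12abc\r\n\r\n",
    "no_host": b"GET / HTTP/1.1\r\n\r\n",
}


def classify_samples(mark_http09_invalid=True, mark_connect_invalid=True):
    """Classify every sample; returns {name: [reasons]}."""
    return {name: classify_request(raw, mark_http09_invalid, mark_connect_invalid)
            for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, reasons in classify_samples().items():
        print(f"{name:20} {'VALID' if not reasons else 'INVALID: ' + '; '.join(reasons)}")
```

Running the script classifies each sample; only "valid" comes back with no reasons, and flipping either switch to False lets the HTTP/0.9 or CONNECT sample through, which is the same effect as leaving -markHttp09Inval or -markconnReqInval OFF on the appliance.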
Application Firewall
Application Firewall can be enabled on a NetScaler appliance with a Platinum license. It inspects traffic at the web application layer and protects the web applications behind the appliance. NetScaler software release 9.3 introduces a negative security model with signatures from Sourcefire (Snort) and increased protection against known attacks.
Application Firewall policies can be bound to a single virtual server or globally on the appliance. Refer to the following blogs for more details:
How to perform a basic installation
How to make changes in the Wizard
SYN Cookies
A NetScaler appliance automatically provides protection against SYN DoS attacks. For information about SYN cookies on NetScaler software release 9.3, see Citrix Documentation - Layer 3-4 SYN Denial-of-Service Protection.
AppQoE
Application level Quality of Experience (AppQoE) integrates several existing policy-based security features of the NetScaler appliance into a single feature that takes advantage of a new queuing mechanism, fair queuing. The features integrated into AppQoE are HTTP Denial-of-Service Protection (HDOSP), Priority Queuing (PQ), and SureConnect.
For more information, refer to Citrix Documentation - AppQoE, Enabling AppQoE, and AppQoE Actions.