You can use the Access Control List (ACL) functionality to block known “bad” IP addresses.
To block any malicious network traffic, such as HTTP DDoS, you can use any of the following NetScaler features:
To configure ACL on the NetScaler appliance, see Citrix Documentation – Access Control Lists.
Run the following command to view details of the simple ACL:
nsroot@ns> show simpleacl
1) Name: block_bad_ip  Action: DENY  Hits: 6
   srcIP = 10.28.224.227  Protocol: TCP  DestPort = 80
   TTL: 3541(seconds)
Done
Simple ACLs are stored in memory only for a configured amount of time, for example 3600 seconds from the time there is a hit on the appliance. Therefore, you never see them in the running configuration, but the appliance still watches for these IP addresses hitting the appliance. Because the configuration is simple and is not stored in the running configuration, using simple ACLs is more memory efficient.
Run the following command to view the details of the extended ACL:
nsroot@ns> show acl
1) Name: ext_block_bad_ip  Action: ALLOW  Hits: 0
   srcIP = 188.8.131.52-184.108.40.206  destIP  srcMac:
   Protocol: TCP  srcPort  destPort  Vlan:  Interface:
   Active Status: ENABLED  Applied Status: APPLIED  Priority: 10  NAT: NO  TTL:
   Log Status: DISABLED
Done
The extended ACL is present in the running configuration. An extended ACL can take an IP address range as a parameter.
Run the following command to view the ACL in the current configuration:
nsroot@ns> show run | grep acl
add ns acl ext_block_bad_ip ALLOW -srcIP = 220.127.116.11-18.104.22.168 -protocol TCP -priority 10 -kernelstate SFAPPLIED61
To configure HTTP Denial of Service (DoS) Protection feature on NetScaler appliance, see Citrix Documentation – HTTP Denial-of-Service Protection.
The client detect rate setting depends heavily on the customer environment; you must strike a balance between valid and invalid requests.
To configure Rate Limiting feature on NetScaler appliance, see Citrix Documentation – Rate Limiting.
Rate Limiting is a good option because it provides control based on the client IP address. However, be careful: on the internet, many valid requests can originate from the same client IP address because of Network Address Translation (NAT).
The following sample configuration is based on the client IP address.
Commands to configure Rate Limiting feature:
add ns limitSelector limit_selector_client_ip client.ip.SRC
add ns limitIdentifier limit_identifier_client_ip -threshold 1000 -timeSlice 60000 -mode REQUEST_RATE -limitType SMOOTH -selectorName limit_selector_client_ip
Note: A one-minute time slice with a threshold of 1000 requests, keyed on the client IP address (the identifier must reference the selector created above).
Commands to add Responder Policy by using a Named Expression:
add policy expression expr_pol_CompanyA_SubDomain "HTTP.REQ.METHOD.EQ(POST) && HTTP.REQ.HOSTNAME.EQ(\"SubDomain.CompanyA.com\") && HTTP.REQ.URL.CONTAINS(\"/CompanyA/SubDomain/testurl\")"
add responder policy pol_resp_CompanyA_SubDomain_client "expr_pol_CompanyA_SubDomain && SYS.CHECK_LIMIT(\"limit_identifier_client_ip\")" DROP NOOP
Slow POST Protection
When you encounter a slow POST attack, as described in Layer 7 DDoS, install NetScaler software release 9.2 52.8 nCore or later, or 9.3 48.6 nCore or later, to resolve the issue.
The following two temporary workarounds can mitigate this issue:
Workaround 1: Run the following commands to protect the back-end servers. Connections are held on the NetScaler appliance until the complete HTTP POST body is received:
add rewrite action reqrepall replace_all "http.req.body(999999)" http.req.method -search text("a_string_that_does_not_occur") -bypassSafetyCheck YES
add rewrite policy reqrepall http.req.method.eq(POST) reqrepall
Workaround 2: In this method, rate limiting is used to control the flow of connections to the appliance.
Run the following commands to configure the Responder Policy:
add responder policy slowpostpol "SYS.CHECK_LIMIT(\"slowpostid1\")" RESET
bind responder global slowpostpol 1 END -type REQ_DEFAULT
set responder param -undefAction NOOP
Run the following commands to configure Rate Limiting (the limit identifier must exist before the Responder Policy above can reference it):
add ns limitSelector slowpostsel CLIENT.IP.SRC
add ns limitIdentifier slowpostid1 -threshold 6 -timeSlice 10 -mode REQUEST_RATE -limitType SMOOTH -selectorName slowpostsel
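Both rate-limiting configurations on this page (limit_identifier_client_ip at 1000 requests per 60000 ms, and slowpostid1 at 6 per 10 ms) key the count on CLIENT.IP.SRC. The following added example, which is not part of the original article or of NetScaler itself, is a simplified model of how SYS.CHECK_LIMIT behaves for the SMOOTH and BURSTY limit types; the exact semantics of both types are assumptions based on their documented descriptions, and the request trace and IP addresses are constructed. It shows why a NAT gateway address shared by many users trips a SMOOTH per-IP limit that a single direct client never reaches.

```python
from collections import defaultdict


class LimitIdentifier:
    """Simplified model of one 'add ns limitIdentifier' keyed by the selector
    value (here CLIENT.IP.SRC). Illustrative model only, not NetScaler's code."""

    def __init__(self, threshold, time_slice_ms, limit_type="SMOOTH"):
        self.threshold = threshold
        self.time_slice_ms = time_slice_ms
        self.limit_type = limit_type
        self._window_start = {}         # BURSTY: start of the current slice per key
        self._count = defaultdict(int)  # BURSTY: requests seen in that slice
        self._last_allowed = {}         # SMOOTH: time of the last allowed request

    def check_limit(self, key, now_ms):
        """True when this request exceeds the limit (what SYS.CHECK_LIMIT yields)."""
        if self.limit_type == "BURSTY":
            # Assumed BURSTY semantics: up to <threshold> requests per <timeSlice> window.
            start = self._window_start.get(key)
            if start is None or now_ms - start >= self.time_slice_ms:
                self._window_start[key] = now_ms
                self._count[key] = 0
            self._count[key] += 1
            return self._count[key] > self.threshold
        # Assumed SMOOTH semantics: the threshold is spread evenly over the slice,
        # so one key may pass at most one request per timeSlice/threshold ms.
        spacing = self.time_slice_ms / self.threshold
        last = self._last_allowed.get(key)
        if last is not None and now_ms - last < spacing:
            return True
        self._last_allowed[key] = now_ms
        return False


# Constructed trace of (ms, client IP): one direct client sending every 100 ms,
# and one NAT address behind which many users together send every 20 ms.
SAMPLE_TRACE = sorted(
    [(t, "198.51.100.5") for t in range(0, 1000, 100)]
    + [(t, "203.0.113.10") for t in range(0, 200, 20)]
)


def replay(trace, identifier):
    """Replay the trace through the identifier; return dropped requests per key."""
    dropped = {ip: 0 for _, ip in trace}
    for ts, ip in trace:
        if identifier.check_limit(ip, ts):
            dropped[ip] += 1
    return dropped
```

With the page's 1000/60000 SMOOTH identifier the NAT address loses two of every three requests while the direct client loses none; the same trace under BURSTY drops nothing.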
The following command uses sample values that you can adapt when you add a Responder Policy:
add responder policy DOS "HTTP.REQ.METHOD.EQ(POST) && HTTP.REQ.BODY(999999).LENGTH.GT(0)" NOOP
Usually the source of a DDoS attack does not send valid HTTP requests.
If any of the following conditions are satisfied for the HTTP header of the request, then the HTTP request is invalid:
Run the following command to configure the NetScaler appliance to drop invalid HTTP requests:
set ns httpParam -dropInvalReqs ON
Run the following command to block HTTP 0.9:
set ns httpParam -markHttp09Inval ON
Run the following command to mark CONNECT requests as invalid:
set ns httpParam -markconnReqInval ON
Or, you can run the following single command to drop invalid HTTP requests, mark HTTP 0.9 requests as invalid, and mark CONNECT requests as invalid:
set ns httpParam -markHttp09Inval ON -markconnReqInval ON -dropInvalReqs ON
Run the following command to collect statistics on the number of requests that are dropped:
root@ns# nsconmsg -g http_err_noreuse_ -d stats
Displaying current counter value information
NetScaler V20 Performance Data
NetScaler NS9.3: Build 49.5.cl, Date: Jun 16 2011, 12:13:23
reltime:mili second between two records Tue Jul 12 14:14:57 2011
Index   reltime   counter-value   symbol-name&device-no
0       0         0               http_err_noreuse_IncompleteHeader
1       0         0               http_err_noreuse_multipart
2       0         0               http_err_noreuse_link_server
3       0         0               http_err_noreuse_large_data
4       0         0               http_err_noreuse_IncompleteChunk
5       0         7               http_err_noreuse_InvalidHeader
6       0         0               http_err_noreuse_ResponseBeforeData
7       0         0               http_err_noreuse_non_trackable_res
8       0         0               http_err_noreuse_http_0_9
9       0         0               http_err_noreuse_morethanCtLen
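The counter values above are cumulative, so to see how many invalid requests the httpParam settings are dropping in a given interval you need to compare two snapshots. The following added example, which is not part of the original article, parses the row layout of the nsconmsg output into a dictionary, lists the counters that have fired, and computes the growth between two snapshots; the sample output is constructed to mirror the page's values (7 invalid-header drops), with only a subset of the rows.

```python
import re

# Constructed sample in the row layout of 'nsconmsg -g http_err_noreuse_ -d stats';
# the values mirror the page's output, where 7 requests failed header validation.
SAMPLE_OUTPUT = """\
Displaying current counter value information
NetScaler V20 Performance Data
NetScaler NS9.3: Build 49.5.cl, Date: Jun 16 2011, 12:13:23
reltime:mili second between two records Tue Jul 12 14:14:57 2011
Index   reltime   counter-value   symbol-name&device-no
    0         0               0   http_err_noreuse_IncompleteHeader
    1         0               0   http_err_noreuse_multipart
    5         0               7   http_err_noreuse_InvalidHeader
    8         0               0   http_err_noreuse_http_0_9
"""

# One data row: index, reltime, counter value, symbol name.
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")


def parse_counters(text):
    """Return {symbol-name: counter-value}; banner and header lines are skipped."""
    counters = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            counters[m.group(4)] = int(m.group(3))
    return counters


def nonzero(counters):
    """Counters that have fired at least once since the last reset."""
    return {name: value for name, value in counters.items() if value}


def delta(before, after):
    """Counters that grew between two snapshots: drops during that interval."""
    return {name: after[name] - before.get(name, 0)
            for name in after if after[name] > before.get(name, 0)}
```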
Application Firewall can be enabled on a NetScaler appliance with the purchase of a Platinum license. Application Firewall provides protection from a web application perspective. NetScaler software release 9.3 introduces a negative security model with signatures from Sourcefire (Snort) and increased protection against known attacks.
The Application Firewall can be bound to a single virtual server or at a global level on the appliance. Refer to the following blogs for more details:
A NetScaler appliance automatically provides protection against SYN DoS attacks. For information about SYN cookies on NetScaler software release 9.3, see Citrix Documentation – Layer 3-4 SYN Denial-of-Service Protection.
Application-level Quality of Experience (AppQoE) integrates several existing policy-based security features of the NetScaler appliance into a single feature that takes advantage of a new queuing mechanism, fair queuing. The features integrated into AppQoE are HTTP Denial-of-Service Protection (HDOSP), Priority Queuing (PQ), and SureConnect.
For more information, see Citrix Documentation – AppQoE, Enabling AppQoE, and AppQoE Actions.