NetScaler protects against Layer 4 SYN flood attacks by using SYN cookies: memory is allocated to a TCP session only once the TCP 3-way handshake has completed.
Furthermore, Application Firewall and Rate Limiting can be implemented to mitigate both L4 and L7 attacks.
This article focuses on Rate Limiting as a step to prevent Layer 4-7 DDoS and brute-force attacks.
The following NS CLI commands implement Rate Limiting using the NetScaler Responder feature.
Rate Limiting carries a risk of blocking legitimate traffic, so test carefully before enforcing it.
Start by creating an audit message action, which reports every hit when Rate Limiting is triggered:
add audit messageaction audit-act-rate-limit-drop-log ALERT "\"Rate Limit has blocked access from Client IP: \" + CLIENT.IP.SRC + \" while requesting URL: \" + HTTP.REQ.URL" -bypassSafetyCheck YES
Create the Responder HTML error page action:
add responder action resp-act-rate-limit-page respondwithhtmlpage ratelimit-violation -responseStatusCode 200
Create the Rate Limit selector and identifier:
This example allows a maximum of 5 requests within a time slice of 10 seconds (10000 ms); once that threshold is exceeded the Responder policy is hit and the connection is dropped or redirected to the error page.
add stream selector rate-selector-nsg "HTTP.REQ.URL.ENDSWITH(\"tmindex.html\")"
add ns limitIdentifier rate_limit_ident_vpn -threshold 5 -timeSlice 10000 -selectorName rate-selector-nsg
Create the Responder policy and bind it to the required vServer, in this example NetScaler Gateway:
add responder policy resp-pol-rate-limit-nsg "HTTP.REQ.URL.PATH.ENDSWITH(\"tmindex.html\") && SYS.CHECK_LIMIT(\"rate_limit_ident_vpn\")" resp-act-rate-limit-page -logAction audit-act-rate-limit-drop-log
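To see how -threshold and -timeSlice interact, here is a simplified Python model of the limit identifier, added as an illustration and not NetScaler's own code. It also shows a point worth checking before going live: the selector above keys only on the URL, so all clients share one counter, whereas a selector that also includes CLIENT.IP.SRC (an assumption, not part of the page's configuration) counts per client.

```python
# Simplified model of a NetScaler limitIdentifier: fixed time slices, one
# counter per selector key, and CHECK_LIMIT true once the counter exceeds
# the threshold. Added illustration, not NetScaler code; the appliance's
# exact slice alignment may differ.
class LimitIdentifier:
    def __init__(self, threshold, timeslice_ms, selector):
        self.threshold = threshold
        self.timeslice_ms = timeslice_ms
        self.selector = selector          # function(request) -> key tuple
        self.windows = {}                 # key -> (slice_start_ms, count)

    def check_limit(self, req):
        """Return True when this request exceeds the threshold (policy hits)."""
        key = self.selector(req)
        start, count = self.windows.get(key, (req["ts"], 0))
        if req["ts"] - start >= self.timeslice_ms:   # slice expired: reset
            start, count = req["ts"], 0
        count += 1
        self.windows[key] = (start, count)
        return count > self.threshold

# Equivalent of the page's stream selector (URL only): one shared counter.
url_only = lambda r: (r["url"],)
# Per-client variant (assumption, not on the page): counter per (client IP, URL).
per_client = lambda r: (r["ip"], r["url"])

# Constructed sample traffic: two clients, 6 requests each to tmindex.html
# inside one 10 s slice, then one more request after the slice has expired.
REQUESTS = [
    {"ts": i * 500, "ip": ip, "url": "/vpn/tmindex.html"}
    for i in range(6) for ip in ("203.0.113.5", "198.51.100.9")
] + [{"ts": 11000, "ip": "203.0.113.5", "url": "/vpn/tmindex.html"}]

def blocked_requests(selector):
    """Run the policy expression over REQUESTS; return (ts, ip) of blocked hits."""
    ident = LimitIdentifier(threshold=5, timeslice_ms=10000, selector=selector)
    return [(r["ts"], r["ip"]) for r in REQUESTS
            if r["url"].endswith("tmindex.html") and ident.check_limit(r)]

if __name__ == "__main__":
    print("URL-only selector blocks:", blocked_requests(url_only))
    print("Per-client selector blocks:", blocked_requests(per_client))
```

With the URL-only selector the shared counter passes 5 after the sixth request overall, so the second client is blocked after only three requests of its own; the per-client variant blocks each client on its own sixth request.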
Responder HTML Error page “ratelimit-violation” example: