This is something I was tasked with a couple of weeks ago. A customer's network bandwidth to their website was being exhausted by a sophisticated DoS attack: the traffic looked like regular HTTP requests, but it made the web server exhaust its resources and consume upstream bandwidth, so legitimate users could no longer reach the website. This was really a web-server issue, but while the application vendor was fixing it, I needed to mitigate it.
They were using Citrix NetScaler as a load balancer, but I had never used it for this particular purpose. My first thought was the HTTP DoS protection feature, but that didn't help mitigate this case. What I ended up with was a feature I've only worked with once or twice: Action Analytics.
What we wanted to do was limit each end-user's bandwidth over one hour so that it couldn't cross the limit we set. This way we would stop the attackers without blocking the legitimate users.
In order to use this properly we first need to configure a Stream selector, which defines the endpoint we want to monitor.
We also need a Stream identifier (where we bind the selector), which defines what we want to monitor (bandwidth, connections and so on) and over what interval.
Next we create the first of two responder policies; this one is used only to collect statistics for the Stream identifier. Here we need to specify the action NOOP, since we just want it to collect stats and not do anything else. The expression is `ANALYTICS.STREAM("CLIENT_BW").COLLECT_STATS`.
We then bind this policy to the virtual server where we want to collect information. We also have the option to view the statistics that are gathered; note however that since we specified 1 hour in the Stream identifier, these refresh every hour. We can see the statistics by going into AppExpert –> Action Analytics –> Stream identifiers –> Stream sessions.
From here we can see the statistics collected for that vServer's sessions.
Now we can also specify a second responder policy which triggers when a user has exceeded the bandwidth limit we specify; in this case we want to limit it to 100MB. We then bind this second policy to the same vServer where we bound the first policy.
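The same setup expressed on the NetScaler command line, as an added example that is not the post's own configuration. The object names (`sel_client_ip`, `vs_web`, the two policy names) and the choice of `DROP` as the limiting action are assumptions; `CLIENT_BW` is the identifier name quoted above. The syntax follows the Citrix ADC/NetScaler command reference as I remember it, so check the expression reference for your firmware release before applying it, in particular the unit that `BANDWIDTH` reports in.

```netscaler
# Added example, not the original post's configuration.
# Names sel_client_ip, CLIENT_BW (from the post), vs_web, rsp_collect_bw
# and rsp_limit_bw are assumed.

# 1. Stream selector: the key each stream session is aggregated on.
#    Keying on the client source IP gives one session per client.
add stream selector sel_client_ip CLIENT.IP.SRC

# 2. Stream identifier: binds the selector and sets the collection window.
#    -interval is in minutes, so 60 is the one-hour window from the post.
#    Counters are per session and start again when the interval rolls over.
add stream identifier CLIENT_BW sel_client_ip -interval 60

# 3. First responder policy: only collects statistics, so the action is NOOP.
add responder policy rsp_collect_bw "ANALYTICS.STREAM(\"CLIENT_BW\").COLLECT_STATS" NOOP

# 4. Second responder policy: fires once a client's session has passed the limit.
#    Assumption: BANDWIDTH is reported in kilobytes, so 100 MB = 102400.
#    DROP is my choice here; RESET or a custom respondwith action (e.g. an
#    HTTP 429 page) are alternatives. The post does not say which was used.
add responder policy rsp_limit_bw "ANALYTICS.STREAM(\"CLIENT_BW\").BANDWIDTH.GT(102400)" DROP

# 5. Bind both policies to the load-balancing vserver. The collector must be
#    evaluated first and must hand over to the next policy (NEXT); the default
#    goto of END would stop evaluation before the limiting policy is reached.
bind lb vserver vs_web -policyName rsp_collect_bw -priority 100 -gotoPriorityExpression NEXT -type REQUEST
bind lb vserver vs_web -policyName rsp_limit_bw  -priority 110 -gotoPriorityExpression END  -type REQUEST

# 6. Verify: list the per-client sessions and their counters for the current window.
show stream session CLIENT_BW

save ns config
```

Two things worth knowing when you run this. First, because the counters live in the stream session and reset with the interval, a client that hits the limit is only blocked until the window rolls over, which is exactly the "one hour" behaviour the post describes; if you want a longer penalty you need a separate mechanism. Second, the priority and `NEXT` on the collecting policy matter: if the NOOP policy ends evaluation, the limiting policy never fires and you will see statistics accumulating in the Stream sessions view without anything being blocked.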
Easy, peasy 🙂