Back in the day when I first began setting up labs on the internet, in the DMZ, outside of the firewall, I was warned. I threw caution to the wind and continued forward with my work. About a year later my methods had changed due to all of my experiences and all that I had witnessed. Some of the threats have changed, but many are the same. We live safely behind our firewalls, until an accident happens. I got to witness many dangerous attempts to bring down my company’s infrastructure, among other things. I think the most interesting event happened when we were able to trace an attack against a University in the USA originating from somewhere deep in China. We live in a dangerous world.
I remember reading about Denial of Service attacks, and later the Distributed Denial of Service attacks, early in my career and thought they were the toys of script kiddies (kids who write scripts for fun and jokes). If you believe this, put some hosts out in your DMZ or outside the firewall with some open ports and time how long it takes to get slammed. I kid you not, there are people/organizations out there, port scanning 24/7/365 looking for vulnerable sites to destroy, using the simplest of methods. Protection against DOS and DDOS is fundamental and can be implemented with the Citrix NetScaler.
The technology for DOS and DDOS prevention has existed for some time now, but the attacks have become more sophisticated, which is why you really need the Next Generation Firewall offered by the NetScaler. The Citrix Next Gen Firewall not only protects you at Layer 3/4, but also at Layer 7 – the Application Layer.
How Layer 7 Denial of Service Protection Works
Internet hackers can bring down a site by sending a surge of GET requests or other HTTP-level requests. Layer 7 Denial of Service Protection provides an effective way to prevent such attacks from being relayed to the server. This feature also ensures that a Citrix NetScaler System located between the internet and the servers is not brought down by the attack while protecting the servers.
Most attackers on the Internet use applications that discard responses to reduce computation costs, and minimize their size to avoid detection. The attackers focus on speed, devising ways to send attack packets, establish connections or send HTTP requests as rapidly as possible.
The typical approaches to preventing these attacks are effective in most cases. However, against more sophisticated attack methodologies, including the use of real HTTP clients as the attack tool, the simpler prevention approaches can fail to protect the servers.
Real HTTP clients such as Internet Explorer, Firefox, or Netscape browsers can understand HTML refresh meta tags, JavaScript, and cookies. In standard HTTP clients most of these features are enabled. However, the dummy clients used in DoS attacks cannot parse the response from the server. If the malicious clients attempt to parse the response and send requests intelligently, it becomes difficult for them to launch the attack aggressively.
- If the POST request is made when the system is under attack, and the preceding GET request is made when the system is not under attack.
- When the think time of the client exceeds four minutes.
Priority Queuing/Surge Protection
Under an attack, requests without proper cookies are queued by the system; this protects the servers from false clients.
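To make the mechanism described above concrete, here is a small Python model of a Layer 7 challenge filter (an added example, not NetScaler code): while the request rate is below a threshold every request passes; once the rate exceeds it, a request without a valid signed cookie gets a page whose script sets the cookie and reloads, which a real browser completes and a dummy client cannot, and a cookie older than four minutes is challenged again. The threshold, the cookie name l7dos, the token format and the sample addresses are all assumptions of this example, and the queuing step is simplified to an immediate challenge response.

```python
import hmac, hashlib, re, secrets

SECRET = secrets.token_bytes(32)   # per-process challenge key (constructed for this example)
ATTACK_RPS = 100                   # assumed trigger: more requests/second than this = "under attack"
THINK_TIME_LIMIT = 240             # four minutes, the re-challenge threshold named on the page
CHALLENGE_PAGE = ('<html><head><script>document.cookie="l7dos={token}";'
                  'location.reload();</script></head></html>')

def issue_token(client_ip, now):
    """Mint an HMAC-signed token bound to the client address and the issue time."""
    mac = hmac.new(SECRET, f"{client_ip}|{int(now)}".encode(), hashlib.sha256).hexdigest()
    return f"{int(now)}.{mac}"

def token_valid(token, client_ip, now):
    """A token passes if its MAC matches this client and it is at most four minutes old."""
    try:
        issued, mac = token.split(".", 1)
        issued = int(issued)
    except (AttributeError, ValueError):   # missing, malformed or forged cookie
        return False
    expected = hmac.new(SECRET, f"{client_ip}|{issued}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected) and 0 <= now - issued <= THINK_TIME_LIMIT

class L7DosGuard:
    """Front-end filter: pass requests normally, challenge cookieless clients under attack."""
    def __init__(self):
        self.window_start, self.window_count = -1, 0

    def under_attack(self, now):
        """Count requests per one-second window; above ATTACK_RPS the site is under attack."""
        if int(now) != self.window_start:
            self.window_start, self.window_count = int(now), 0
        self.window_count += 1
        return self.window_count > ATTACK_RPS

    def handle(self, req, now):
        """Return ('pass', req) or ('challenge', html); req = {'ip', 'path', 'cookie'}."""
        if not self.under_attack(now):
            return ("pass", req)
        if token_valid(req.get("cookie"), req["ip"], now):
            return ("pass", req)                      # proven real client, served through the attack
        return ("challenge", CHALLENGE_PAGE.format(token=issue_token(req["ip"], now)))

def browser_answer(challenge_html):
    """What a real browser does: run the script, store the cookie and reissue the request."""
    return re.search(r'l7dos=([^"]+)', challenge_html).group(1)
```

A scripted flooder that never reads the response body keeps receiving the challenge page and never reaches the servers, while a browser behind the same address is served after one reload.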