- Enable HTTP DoS
- Add an HTTP DoS policy
- Add a service
- Bind the monitor
- Bind the service to the policy
Note: For information about using the CLI to configure this feature, see the Command Reference Guide.
To enable HTTP DoS in the GUI Configuration Utility:
- In the left pane, expand System, and click Settings. The System Settings Overview page appears in the right pane.
- Click advanced features. The Configure Advanced Features dialog box appears.
- Select the HTTP DoS Protection check box, click OK, and then click Yes in the Enable/Disable Feature(s) dialog box.
- The status bar displays a message indicating that the selected feature is enabled.
To add an HTTP DoS policy:
- In the left pane, expand Protection Features, and click HTTP DoS. The HTTP DoS page appears in the right pane.
- Click Add. The Create HTTP DoS Policy dialog box appears.
- Type a name for the policy in the Name text box, for example, dospol_1.
- Type a numeric value in the QDepth text box that denotes the queue size, for example, 200.
- Type a numeric value in the Client Detect Rate text box, for example, 1, and click OK.
Note: The client detect rate value denotes the percentage of traffic to which the HTTP DoS policy is applied.
The policy that you created appears in the right pane and the status bar displays a message indicating that the DoS policy is successfully configured.
To add a service:
- In the left pane, expand Load Balancing, and click Services. The Services page appears in the right pane.
- Click Add. The Create Service dialog box appears.
- In the Service Name text box type a name, for example, HTTP_DoS_service1.
- In the Server text box type the IP address of the server that the service represents, for example, 10.102.29.1.
- In the Protocol drop-down list box, select the protocol type, for example, HTTP.
- Type the port number in the Port text box, for example, 80. Ensure that the Enable Service check box is selected.
- Select the Advanced tab, and select the Override Global check box.
- Type numeric values in the Max Clients and Client text boxes, for example, 200 and 60 respectively.
- Click Create and click Close. The service you create appears in the list of services.
To bind a monitor and a policy to the service:
- In the left pane, expand Load Balancing, and click Services. The Services page displays the list of services in the right pane.
- Select the service that you want to bind and click Open. The Configure Service dialog box appears.
- Select the Monitor tab, click tcp in the Monitors list, and click Add. The selected monitor tcp is added to the Configured frame.
- Select the Policies tab, click a policy in the Available Policies list, for example, dospol_1, which you created in the previous section, and click Add.
- The policy appears in the Configured Policies list.
- Click OK and click Close. A message in the status bar indicates that the service is configured.
If the configured triggering surge queue depth is, for example, 200, and the surge queue size is toggling between 199 and 200, the system toggles between the “attack” and “no-attack” scenarios, which is not desirable.
To prevent this flapping, a window mechanism is provided. When the surge queue size reaches 200 and the “attack” scenario is detected, the surge queue size must fall by more than the window before the system returns to “no-attack” mode. If the value of WINDOW_SIZE is set to 20, the surge queue size must fall under 180 before the system enters “no-attack” mode. Because of this, the value you specify for the QDepth parameter when adding or setting a DoS policy must be greater than WINDOW_SIZE.
The triggering surge queue depth should be configured based on prior knowledge of the traffic characteristics.
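The following simulation illustrates the window (hysteresis) behaviour described above. It is an added example written for this page, not Citrix code, and it models only the attack/no-attack state machine: it assumes that the system enters “attack” mode when the surge queue depth reaches or exceeds QDepth, and leaves it only when the depth falls strictly below QDepth minus WINDOW_SIZE. The sample queue depths are constructed to show the 199/200 flapping from the text.

```python
from dataclasses import dataclass


@dataclass
class SurgeQueueDetector:
    """Attack / no-attack state machine with a hysteresis window.

    qdepth      -- triggering surge queue depth (the QDepth policy parameter)
    window_size -- WINDOW_SIZE; the depth must fall below qdepth - window_size
                   before the detector returns to "no-attack"
    Boundary semantics (>= to enter, < to leave) are an assumption of this
    example, not something the documentation spells out.
    """
    qdepth: int
    window_size: int
    in_attack: bool = False

    def __post_init__(self) -> None:
        # The documentation requires QDepth to be greater than WINDOW_SIZE;
        # otherwise the exit threshold would be zero or negative and the
        # detector could never leave "attack" mode on a non-empty queue.
        if not policy_is_valid(self.qdepth, self.window_size):
            raise ValueError("QDepth must be greater than WINDOW_SIZE")

    def observe(self, depth: int) -> str:
        """Feed one surge-queue depth sample and return the resulting state."""
        if not self.in_attack and depth >= self.qdepth:
            self.in_attack = True
        elif self.in_attack and depth < self.qdepth - self.window_size:
            self.in_attack = False
        return "attack" if self.in_attack else "no-attack"


def policy_is_valid(qdepth: int, window_size: int) -> bool:
    """Check the configuration constraint from the text: QDepth > WINDOW_SIZE."""
    return qdepth > window_size >= 0


def run(samples, qdepth: int, window_size: int) -> list:
    """Run a detector over a sequence of queue-depth samples."""
    detector = SurgeQueueDetector(qdepth, window_size)
    return [detector.observe(depth) for depth in samples]


def transitions(states) -> int:
    """Count state changes; flapping shows up as a high count."""
    return sum(1 for prev, cur in zip(states, states[1:]) if prev != cur)


# Constructed surge-queue depths: the queue hovers around the trigger (200),
# then drains slowly through the window boundary (180) down to 150.
SAMPLES = [150, 199, 200, 199, 200, 199, 185, 181, 180, 179, 150]

if __name__ == "__main__":
    for window in (0, 20):
        states = run(SAMPLES, qdepth=200, window_size=window)
        print(f"WINDOW_SIZE={window:2d}: {transitions(states)} transitions")
        for depth, state in zip(SAMPLES, states):
            print(f"  depth={depth:3d} -> {state}")
```

With WINDOW_SIZE=0 the detector flips state every time the queue crosses 200 in either direction, which is the undesirable toggling described above; with WINDOW_SIZE=20 it enters “attack” once at 200 and does not return to “no-attack” until the depth drops to 179, so the 199/200 oscillation is absorbed.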
Guidelines for HTTP DoS Protection Deployment
Citrix recommends you deploy the HTTP DoS protection feature in a tested and planned manner, and closely monitor after the initial deployment. Use the following information to fine-tune the deployment of HTTP DoS Protection:
- The maximum number of concurrent connections supported by your
- The average and normal values of the concurrent connections supported by
- The maximum output rate (responses/sec) that your server can generate.
- The average traffic that your server handles.
- The typical bandwidth of your network.
- The maximum bandwidth available upstream.
- The points at which bandwidth is limited, for example, the external link or a router, and the critical devices on the path that may suffer from a traffic surge.
- Whether allowing a greater number of clients to connect is more important than protecting upstream network devices.
- What is the rate of incoming fake requests that you have experienced in the past?
- What types of requests have you received (complete posts, incomplete gets)?
- Did previous attacks saturate your downstream links? If not, what was the bandwidth?
- What types of source IP addresses and source ports did the HTTP requests have (for example, IP addresses from one subnet, a constant IP address, ports increasing by one)?
- What types of attacks do you expect in future? What type have you seen in the past?
- Any or all information that can help you tune DoS attack protection.