Implement Rate Limiting on NetScalers (Citrix ADCs)


Ever wondered about securing your Citrix ADC (formerly NetScaler) or Gateway implementation further, with all the DDoS news going around of late? If you already have a NetScaler/ADC implementation, you can easily leverage it and configure the Rate Limiting feature, which is a fantastic weapon to stop such threats and keep malicious actors at bay. This can even be implemented on NetScaler/ADC Standard edition, so there is no excuse. If you are interested in improving the security posture of your Citrix ADCs/Gateways/SD-WANs/SDXs or CPXs, then read on.

Common use-cases for Rate limiting

  • Limit the number of requests per second from a URL.
  • Drop a connection based on cookies received in a request from a particular host if the request exceeds the rate limit.
  • Limit the number of HTTP requests that arrive from the same host (with a particular subnet mask) and that have the same destination IP address.

Create Rate Limiting Policies

We are going to utilize the Responder feature to complete the configuration. When you are ready to get started, log on to the NetScaler console with root privileges (nsroot preferably) and follow the steps below.

You will then need to navigate to the AppExpert node in the management portal. This is where you will find the Rate Limiting policies.

  • Expand AppExpert and select Rate Limiting
  • Expand Rate Limiting and click on Selectors
  • Click Add and enter a name for the Selector
  • Select the expressions as follows (note that there is a DOT after REQ for Expression 2)
    • Check HTTP.REQ.URL
    • Check CLIENT.IP.SRC
  • Click Insert

CLI

add stream selector rate_sel_URL_IP HTTP.REQ.URL CLIENT.IP.SRC

  • Now select the Limit Identifiers node and click Add
  • Give it a Name
  • From the Selector field drop down, choose the Rate Selector that you just created in the previous step
  • Mode = REQUEST_RATE
  • Limit Type = BURSTY
  • Threshold = 700 requests

Please choose the THRESHOLD value very carefully and size it according to your environment. (You don’t want to be too conservative and kill your NetScalers, or use a very low value and block your legitimate user connections.) Test, retest and test again before you apply this in Prod.

  • Time Slice = 100000 msec (Note that the time slice is in msec so mine is 100 sec once you do the math)
  • Ignore the Max bandwidth and Traps fields as we aren’t going to manipulate them for this exercise.

CLI

add ns limitIdentifier limit_id_URL_IP -threshold 700 -timeSlice 100000 -selectorName rate_sel_URL_IP

Create and Bind Responder Policies

  • Go to the Responder node under AppExpert
  • Select Policies and Click Add (Note that there is no need to create a responder action for this)
  • Give your policy a Name
  • Action = DROP
  • If you would like NetScaler to log an event when the policy is triggered, you may do so under Log Action
  • Expression = CLIENT.IP.DST.EQ(X.X.X.X) && SYS.CHECK_LIMIT("limit_id_URL_IP")

X.X.X.X is the IP address of the vServer on NetScaler (in my case, it is the Gateway) and limit_id_URL_IP is the limit identifier created in the previous step.

CLIENT.IP.DST.EQ(X.X.X.X) && SYS.CHECK_LIMIT("limit_id_URL_IP")

CLI

add responder policy res_pol_drop_DOS_MobilePortal1 "CLIENT.IP.DST.EQ(x.x.x.x) && SYS.CHECK_LIMIT(\"limit_id_URL_IP\")" DROP
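The selector, limit identifier and responder expression configured above, as a simplified Python model of how they decide on each request. This is an added example, not code from the original post or from Citrix; it assumes fixed, back-to-back time slices, and the IP addresses and URLs are constructed sample values.

```python
# Simplified model (an assumption, not Citrix code) of the configuration above:
# one counter per selector tuple (HTTP.REQ.URL, CLIENT.IP.SRC), reset each slice.
from dataclasses import dataclass, field


@dataclass
class LimitIdentifier:
    threshold: int          # -threshold: requests allowed per time slice
    time_slice_ms: int      # -timeSlice: window length in milliseconds
    _slots: dict = field(default_factory=dict)  # selector tuple -> (window, count)

    def check_limit(self, url: str, client_ip: str, now_ms: int) -> bool:
        """Like SYS.CHECK_LIMIT: True once this tuple exceeds the threshold."""
        key = (url, client_ip)
        window = now_ms // self.time_slice_ms
        seen_window, count = self._slots.get(key, (window, 0))
        if seen_window != window:       # new time slice: counter starts over
            count = 0
        count += 1
        self._slots[key] = (window, count)
        return count > self.threshold


def responder(limit, vip, dst_ip, url, client_ip, now_ms):
    """CLIENT.IP.DST.EQ(vip) && SYS.CHECK_LIMIT(...) -> DROP, else ALLOW."""
    if dst_ip == vip and limit.check_limit(url, client_ip, now_ms):
        return "DROP"
    return "ALLOW"


def replay(requests, threshold=10, time_slice_ms=10000, vip="192.0.2.10"):
    """Run constructed (ms, client_ip, url) requests, all sent to the vServer IP."""
    limit = LimitIdentifier(threshold, time_slice_ms)
    return [responder(limit, vip, vip, url, ip, ms) for ms, ip, url in requests]


# Constructed sample traffic using the test values from the post (10 per 10 s).
VPN = "/vpn/index.html"
burst = [(i * 500, "198.51.100.7", VPN) for i in range(12)]     # 12 hits in 6 s
other_url = [(6100, "198.51.100.7", "/logon/LogonPoint/")]      # same IP, new URL
other_ip = [(6200, "198.51.100.8", VPN)]                        # same URL, new IP
next_slice = [(10500, "198.51.100.7", VPN)]                     # after the slice
sample = burst + other_url + other_ip + next_slice

if __name__ == "__main__":
    for req, verdict in zip(sample, replay(sample)):
        print(req, verdict)
```

Because the selector combines URL and client IP, each distinct URL requested by the same client gets its own counter, and users sharing one source IP behind NAT share a counter per URL; both matter when sizing the threshold.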

We are almost done. The final step is to bind the responder policy to the vServer.

  • Find your vServer and go into Edit mode
  • Under Policies, click on the + sign
  • Choose Policy as Responder and type as Request
  • Click Continue
  • Click Add Binding
  • Select the Policy that you want to bind
  • Click Select
  • Click OK to save the config

CLI

bind vpn vserver MOBILEPORTAL1_VS_mobileportal1 -policy res_pol_drop_DOS_MobilePortal1 -priority 100 -gotoPriorityExpression END -type REQUEST

Now, how do you test this? It isn’t easy with the existing threshold values. So, to make the testing easier, I would adjust the threshold numbers to something that we could easily achieve. For example, if we reduce the threshold value to 10 and the time slice to 10000 msec, we only need to perform 10 requests in a matter of 10 secs. You can also bump up the timer to 20 secs (20000 msec) if you think 10 secs is still too hard. For that, you will need to go to the limit identifier that you set up earlier and adjust the value as below.

Now, open a browser page and navigate to the URL in question. Refresh the page a few times; after the 10th successful attempt, the 11th attempt will be dropped/reset by the NetScaler. The end user may see something like the below

Of course, there are other selectors that you can target instead of the Client IP and HTTP URL that I have used for my example. Below are some useful links to get started if you want more literature to read.

https://www.citrix.com/blogs/2020/09/29/protect-your-apps-with-rate-limiting-in-citrix-adc/

https://docs.citrix.com/en-us/citrix-adc/current-release/aaa-tm/citrix-adc-aaa-session-and-traffic-management/rate-limiting-with-gateway.html

That’s all there is to it, folks. Have fun with it, and if you have any comments/questions, feel free to add them in the comments section below.