HTTP/2 DoS mitigation

HTTP/2 denial-of-service (DoS) attacks that flood a connection with control frames have no impact on a Citrix ADC appliance. If the appliance receives more frames of a given type than the configured per-minute maximum, it silently closes the connection.

To tune the mitigation, the HTTP profile lets you change the default per-connection, per-minute limits on the frames received in an HTTP/2 connection. Set these limits with care: legitimate clients send SETTINGS frames when a connection opens and some (gRPC clients, for example) send PING frames as keepalives, so a limit that is too low closes benign connections.

The HTTP/2 DoS mitigation table lists the HTTP/2 DoS attacks and their mitigations.

Configure the maximum limit for HTTP/2 frames to mitigate DoS attacks by using the command line interface

At the command prompt, type the following:

set ns httpprofile <profile_name> -http2MaxEmptyFramesPerMin <positive_integer> -http2MaxPingFramesPerMin <positive_integer> -http2MaxSettingsFramesPerMin <positive_integer> -http2MaxResetFramesPerMin <positive_integer>

Example:

set ns httpprofile profile1 -http2MaxEmptyFramesPerMin 20 -http2MaxPingFramesPerMin 20 -http2MaxSettingsFramesPerMin 20 -http2MaxResetFramesPerMin 20

Configure the maximum limit for frames received in an HTTP/2 connection by using the Citrix ADC GUI

Follow the steps given below to configure the maximum limit for frames received in an HTTP/2 connection:

  1. On the navigation pane, expand System and then click Profiles.
  2. On the Profile page, select the HTTP Profiles tab.
  3. In the HTTP Profiles tab page, click Add.
  4. In the Configure HTTP Profile page, set the following parameters.

    1. http2MaxPingFramesPerMin. Maximum number of PING frames received on a connection per minute. If the number of PING frames exceeds the configured limit, the appliance silently drops packets on the connection.

    2. http2MaxSettingsFramesPerMin. Maximum number of SETTINGS frames received on a connection per minute. If the number of SETTINGS frames exceeds the configured limit, the appliance silently drops packets on the connection.

    3. http2MaxResetFramesPerMin. Maximum number of RST_STREAM (reset) frames received on a connection per minute. If the number of RST_STREAM frames exceeds the configured limit, the appliance silently drops packets on the connection.

    4. http2MaxEmptyFramesPerMin. Maximum number of empty frames (frames with a zero-length payload) received on a connection per minute. If the number of empty frames exceeds the configured limit, the appliance silently drops packets on the connection.

  5. Click OK and Close.

(Screenshot: HTTP/2 DoS mitigation GUI configuration)
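The four profile parameters above correspond to the frame types used by HTTP/2 flood attacks. The following Python example is added here and is not Citrix ADC code: the appliance's internal accounting is not public, so the sliding-window counter, the frame-building helpers, the constructed flood traffic and the limit of 20 (taken from the CLI example) are assumptions for illustration. It builds floods of PING, SETTINGS, RST_STREAM and empty frames in the HTTP/2 wire format, parses them back, and applies per-connection, per-minute limits so you can see which frame in a flood trips a limit, why a zero-length DATA frame carrying END_STREAM is not counted as "empty", and how a counter recovers once the minute window slides past.

```python
from collections import defaultdict

# HTTP/2 frame type codes from RFC 7540, section 6.
DATA, HEADERS, RST_STREAM, SETTINGS, PUSH_PROMISE, PING, CONTINUATION = 0x0, 0x1, 0x3, 0x4, 0x5, 0x6, 0x9
FLAG_END_STREAM = 0x1
WINDOW_SECONDS = 60.0  # the profile limits are "per connection per minute"


def encode_frame(ftype, flags=0, stream_id=0, payload=b""):
    """Build one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id, payload."""
    header = len(payload).to_bytes(3, "big") + bytes([ftype, flags]) + (stream_id & 0x7FFFFFFF).to_bytes(4, "big")
    return header + payload


def parse_frames(data):
    """Split a byte string into (type, flags, stream_id, payload) tuples; a truncated trailing frame is ignored."""
    frames, off = [], 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:
            break
        frames.append((ftype, flags, stream_id, payload))
        off += 9 + length
    return frames


def classify(ftype, flags, payload):
    """Map a frame onto one of the four counters the profile exposes, or None if it is not counted."""
    if ftype == PING:
        return "ping"
    if ftype == SETTINGS:  # includes the zero-length SETTINGS ack
        return "settings"
    if ftype == RST_STREAM:
        return "reset"
    # "Empty frame": zero-length DATA/HEADERS/PUSH_PROMISE/CONTINUATION without END_STREAM,
    # which keeps the stream open while costing the receiver a frame-processing cycle.
    if ftype in (DATA, HEADERS, PUSH_PROMISE, CONTINUATION) and not payload and not (flags & FLAG_END_STREAM):
        return "empty"
    return None


class ConnectionGuard:
    """Per-connection sliding-window counters (assumed model) mirroring the four http2Max*FramesPerMin limits."""

    def __init__(self, max_ping, max_settings, max_reset, max_empty):
        self.limits = {"ping": max_ping, "settings": max_settings, "reset": max_reset, "empty": max_empty}
        self.seen = defaultdict(list)  # category -> arrival times still inside the window
        self.closed = False

    def accept(self, frame, now):
        """Return True if the frame is within limits; the first frame over a limit closes the connection."""
        if self.closed:
            return False
        ftype, flags, _stream_id, payload = frame
        cat = classify(ftype, flags, payload)
        if cat is None:
            return True
        recent = [t for t in self.seen[cat] if now - t < WINDOW_SECONDS]
        recent.append(now)
        self.seen[cat] = recent
        if len(recent) > self.limits[cat]:
            self.closed = True
            return False
        return True


def flood(ftype, count, flags=0, stream_id=0, payload=b""):
    """Constructed attack traffic: `count` identical frames back to back."""
    return encode_frame(ftype, flags, stream_id, payload) * count


def first_rejected(guard, data, start=0.0, spacing=0.01):
    """Feed every frame in `data` to the guard `spacing` seconds apart; return the index of the frame that closed the connection, or None."""
    for i, frame in enumerate(parse_frames(data)):
        if not guard.accept(frame, start + i * spacing):
            return i
    return None


if __name__ == "__main__":
    limits = dict(max_ping=20, max_settings=20, max_reset=20, max_empty=20)  # profile1 from the CLI example
    print("PING flood of 25 frames closed the connection at frame index:",
          first_rejected(ConnectionGuard(**limits), flood(PING, 25, payload=bytes(8))))
    print("Empty DATA flood of 25 frames closed at frame index:",
          first_rejected(ConnectionGuard(**limits), flood(DATA, 25, stream_id=1)))
    print("25 zero-length DATA frames with END_STREAM are ordinary stream ends, not counted:",
          first_rejected(ConnectionGuard(**limits), flood(DATA, 25, flags=FLAG_END_STREAM, stream_id=1)))
```

The index printed is zero-based, so with a limit of 20 it is the twenty-first frame that closes the connection. Because the window slides rather than resets on a fixed minute boundary, a client that sends a burst just under the limit and then keeps a slow trickle going is still cut off once the rolling count crosses the limit, and a burst that is more than a minute old no longer counts against the client.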