Authentication, authorization, and auditing application traffic

Rate Limiting for Citrix Gateway

The rate limiting feature for Citrix Gateway enables you to define the maximum load for a given network entity or virtual entity on the Citrix Gateway appliance. Since the Citrix Gateway appliance consumes all the unauthenticated traffic, the appliance is often exposed to process requests at a high rate. The rate limiting feature enables you to configure the Citrix Gateway appliance to monitor the rate of traffic associated with an entity and take preventive action, in real time, based on the traffic. For more information about how rate limiting works in a Citrix ADC appliance, see Rate limiting.

Citrix ADC has the rate limiting feature that provides protection to back-end servers for unforeseen rate. Since the feature for Citrix ADC did not serve the unauthenticated traffic that Citrix Gateway handles, Citrix Gateway needed its own rate limiting functionality. This is needed to check an unforeseen rate of requests from various sources the Citrix Gateway appliance is exposed to. For example, unauthenticated/login/control requests and certain APIs exposed for end user or device validations.

Common use-cases for Rate limiting

  • Limit the number of requests per second from a URL.

  • Drop a connection based on cookies received in request from from a particular host if the request exceeds the rate limit.

  • Limit the number of HTTP requests that arrive from the same host (with a particular subnet mask) and that have the same destination IP address.

Configure Rate Limiting for Citrix Gateway

Prerequisites

A configured authentication virtual server.

Points to note

  • In the configuration steps, a sample limit identifier is configured. The same can be configured with all the supported parameters like stream selector, mode. For an exhaustive description of the rate limiting capabilities, see Rate limiting.

  • The policy can also be bound to a VPN virtual server as follows. You need a configured VPN virtual server to bind the policies using the following command.

     bind vpn vserver  -policy denylogin –pri 1 –type aaa_request
    
  • AAA_REQUEST is a newly introduced bindpoint for responder policies. The policies configured at this bind point are applied to all the incoming request at the specified virtual server. The policies are processed for the unauthenticated/control traffic first before any other processing.

  • Binding the policy to the Citrix Gateway virtual server enables rate limiting at the AAA_REQUEST bindpoint for all the traffic consumed by Citrix Gateway including unauthenticated requests.

  • Binding the policy to an authentication virtual server rate limits the unauthenticated/control requests hitting the authentication virtual server.

To configure rate limiting by using the command line interface, at the command prompt, type the following commands:

add limitIdentifier <limitIdentifier name> -threshold <positive_integer> -timeslice <positive_integer> -mode <mode type>
Example: add limitIdentifier limit_one_login -threshold 10 -timeslice 4294967290 -mode REQUEST_RATE
add responderaction denylogin respondwith ‘“HTTP/1.1 200 OK\r\n\r\n” + “Request is denied due to unusual rate”’
add responder policy denylogin 'sys.check_limit("limit_one_login")' denylogin
bind authentication vserver <vserver name> -policy denylogin –pri 1 –type aaa_request
Example: bind authentication vserver authvserver -policy denylogin –pri 1 –type aaa_request

Parameter description

  • limitIdentifier - Name for a rate limit identifier. Must begin with an ASCII letter or underscore (_) character, and must consist only of ASCII alphanumeric or underscore characters. Reserved words must not be used. This is a mandatory argument. Maximum Length: 31

  • threshold - A maximum number of requests that are allowed in the given timeslice when requests (mode is set as REQUEST_RATE) are tracked per timeslice. When connections (mode is set as CONNECTION) are tracked, it is the total number of connections that would be let through. Default value: 1 Minimum value: 1 Maximum Value: 4294967295

  • timeSlice - Time interval, in milliseconds, specified in multiples of 10, during which requests are tracked to check if they cross the threshold. The argument is needed only when the mode is set to REQUEST_RATE. Default value: 1000 Minimum value: 10 Maximum Value: 4294967295

  • mode - Defines the type of traffic to be tracked.

    • REQUEST_RATE - Tracks requests/timeslice.
    • CONNECTION - Tracks active transactions.

To configure Rate Limiting using the Citrix ADC GUI:

  1. Navigate to AppExpert > Rate Limiting > Limit Identifiers, click Add and specify the relevant details as specified in the CLI section.

    Create limit identifier.

  2. Navigate to AppExpert>Responder>Policies. On the Responder Policies page, click Add.

  3. On the Create Responder Policy page, create a responder policy with a responder action which has the limit identifier.

  4. To create responder action, Click Add next to Action and enter a name for responder action.

  5. Select type as Respond with from the drop-down menu, specify the following expression, “HTTP/1.1 200 OK\r\n\r\n”+ “Request is denied due to unusual rate”, and click Create.

    Create responder action

  6. To create a responder policy, on Create Responder Policy page, enter a name for the responder policy, specify the following expression, ‘sys.check_limit(“limit_one_login”)’, and click Create.

    Create responder policy

  7. Bind the responder policy to the authentication virtual server.

    • a. Go to Security>AAA-Application Traffic>Virtual server.
    • b. Select the virtual server.
    • c. Add a policy.
    • d. Choose the responder policy that you want to bind to the server, set the priority.
    • e. Choose the type as AAA-REQUEST and click Continue.

    Bind the policy

Note: You can also enable rate limiting at the AAA_REQUEST bind point for the VPN virtual server.

Configuration for the common use cases for applying rate limiting to Citrix Gateway

The following are the examples of commands to configure common use cases.

  • Limit the number of requests per second from a URL.

     add stream selector ipStreamSelector http.req.url “client.ip.src”
    
     add ns limitIdentifier ipLimitIdentifier –threshold 4 –timeslice 1000 –mode request_rate –limitType smooth –selectorName ip StreamSelector
    
     add responder policy ipLimitResponderPolicy “http.req.url.contains(\”myasp.asp\”) && sys.check_limit(\”ipLimitIdentifier\”)” myWebSiteRedirectAction
    
     bind authentication virtual server authvserver -policy denylogin –pri 1 –type aaa_request
    
  • Drop a connection based on cookies received in request from www.yourcompany.com if the request exceeds the rate limit.

     add stream selector cacheStreamSelector “http.req.cookie.value(\”mycookie\”)” “client.ip.src.subnet(24)”
    
     add ns limitIdentifier myLimitIdentifier –Threshold 2 –timeSlice 3000 –selectorName reqCookieStreamSelector
    
     add responder action sendRedirectURL redirect `"http://www.mycompany.com\"` + http.req.url' –bypassSafetyCheck Yes
    
     add responder policy rateLimitCookiePolicy
    
     “http.req.url.contains(\www.yourcompany.com\) && sys.check_limit(\”myLimitIdentifier\”)” sendRedirectUrl
    
    
  • Limit the number of HTTP requests that arrive from the same host (with a subnet mask of 32) and that have the same destination IP address.

     add stream selector ipv6_sel “CLIENT.IPv6.src.subnet(32)”CLIENT.IPv6.dst Q.URL
    
     add ns limitIdentifier ipv6_id –imeSlice 20000 –selectorName ipv6_sel
    
     add lb vserver ipv6_vip HTTP 3ffe:: 209 80 –persistenceType NONE –cltTime
    
     add responder action redirect_page redirect “\”`http://redirectpage.com/\”"`
    
     add responder policy ipv6_resp_pol “SYS.CHECK_LIMIT(\”ipv6_id\”)” redirect_page
    
     bind responder global ipv6_resp_pol 5 END –type DEFAULT
    

Rate Limiting for Citrix Gateway