Configure rate limit at packet level

Note: This feature was introduced in NetScaler release 11.1 build 51.21.

You can collect statistics at the packet level to determine bad/attack prone packets flowing through all the connections identified by the selector. At any point, if the percentage of bad or attack-prone packets exceed the configured threshold, a corrective action (RESET or DROP) is triggered as per the configuration. This functionality can be used to address DDoS attacks involving small TCP packets in which PUSH flag is enabled.

The following configuration demonstrates this functionality. This configuration tracks packet credits for all the TCP connections flowing through the system. This creates a session and associates on pcb/natpcb and the performs the per packet check.


add stream selector packetcreditrateselector client.ip.src client.tcp.srcport client.ip.dst client.tcp.dstport

add stream identifier packetcreditrateidentifier packetcreditrateselector –interval 1

add responder policy packetcreditratesessionpolicy "ANALYTICS.STREAM(\"packetcreditrateidentifier\").COLLECT_STATS(\"PACKET_CREDITS\", <max_threshold_percentage>, ACTION)" NOOP

<max_threshold_percentage> is any value between 0-100.

ACTION can be either DROP/RESET

After the configuration is complete, we must bind this responder policy globally.


bind responder global packetcreditratesessionpolicy 101 END -type REQ_DEFAULT

bind responder global packetcreditratesessionpolicy 102 END -type NAT_REQ_DEFAULT
Configure rate limit at packet level

In this article