Note: This feature was introduced in NetScaler release 11.1 build 51.21.
You can configure a stream selector and a responder policy to collect statistics at the packet level and identify defective or attack-prone packets flowing through all the connections identified by the selector. If, at any point, the percentage of defective or attack-prone packets exceeds the configured threshold, the policy applies a corrective action (RESET or DROP). You can use this functionality to address DDoS attacks involving small TCP packets in which the PUSH flag is enabled.
The following example demonstrates this functionality. This configuration tracks packet credits for all the TCP connections flowing through the system: it creates a stream session, associates it with the pcb or natpcb, and checks each packet of the connection.
add stream selector packetcreditrateselector client.ip.src client.tcp.srcport client.ip.dst client.tcp.dstport
add stream identifier packetcreditrateidentifier packetcreditrateselector -interval 1
add responder policy packetcreditratesessionpolicy "ANALYTICS.STREAM(\"packetcreditrateidentifier\").COLLECT_STATS(\"PACKET_CREDITS\", <max_threshold_percentage>, <action>)" NOOP
Where <max_threshold_percentage> is any value from 0 to 100 and <action> can be either DROP or RESET.
After the selector and the responder policy are configured, the policy is bound globally.
bind responder global packetcreditratesessionpolicy 101 END -type REQ_DEFAULT
bind responder global packetcreditratesessionpolicy 102 END -type NAT_REQ_DEFAULT
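As an added example (not part of the NetScaler documentation), a small POSIX shell helper that emits the configuration above with concrete values substituted for the two placeholders, and refuses thresholds outside 0 to 100 or actions other than DROP and RESET. The selector, identifier and policy names and the priorities 101/102 are taken from the commands above; the function name is a constructed one.

```shell
#!/bin/sh
# Constructed helper (not NetScaler CLI itself): renders the packet-credit
# configuration for a given threshold percentage and corrective action,
# rejecting values the COLLECT_STATS expression does not accept.

render_packet_credit_config() {
    threshold="$1"
    action="$2"

    # <max_threshold_percentage> must be an integer from 0 to 100 inclusive.
    case "$threshold" in
        ''|*[!0-9]*) echo "error: threshold must be an integer 0-100" >&2; return 1 ;;
    esac
    [ "$threshold" -le 100 ] || { echo "error: threshold must be 0-100" >&2; return 1; }

    # <action> must be one of the two supported corrective actions.
    case "$action" in
        DROP|RESET) ;;
        *) echo "error: action must be DROP or RESET" >&2; return 1 ;;
    esac

    # Emit the complete configuration: selector, identifier, policy, global binds.
    cat <<EOF
add stream selector packetcreditrateselector client.ip.src client.tcp.srcport client.ip.dst client.tcp.dstport
add stream identifier packetcreditrateidentifier packetcreditrateselector -interval 1
add responder policy packetcreditratesessionpolicy "ANALYTICS.STREAM(\"packetcreditrateidentifier\").COLLECT_STATS(\"PACKET_CREDITS\", $threshold, $action)" NOOP
bind responder global packetcreditratesessionpolicy 101 END -type REQ_DEFAULT
bind responder global packetcreditratesessionpolicy 102 END -type NAT_REQ_DEFAULT
EOF
}

# Example: reset connections once more than 30% of their packets are flagged.
render_packet_credit_config 30 RESET
```

Paste the emitted lines into the NetScaler CLI; the helper only prints them and does not apply anything.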