Rate Limiting at the Packet Level

Feb 25, 2017

Note: This feature was introduced in NetScaler release 11.1 build 51.21. 

You can configure a stream selector and a responder policy to collect statistics at the packet level and identify defective or attack-prone packets across all the connections the selector matches. If, at any point, the percentage of defective or attack-prone packets exceeds the configured threshold, the policy applies the corrective action (RESET or DROP). You can use this functionality to mitigate DDoS attacks that consist of small TCP packets with the PUSH flag set.

The following example demonstrates this functionality. The configuration tracks packet credits for every TCP connection flowing through the appliance: it creates a session, associates it with the connection's pcb or natpcb, and checks each packet against the configured threshold.

Example

add stream selector packetcreditrateselector client.ip.src client.tcp.srcport client.ip.dst client.tcp.dstport

add stream identifier packetcreditrateidentifier packetcreditrateselector -interval 1

add responder policy packetcreditratesessionpolicy "ANALYTICS.STREAM(\"packetcreditrateidentifier\").COLLECT_STATS(\"PACKET_CREDITS\", <max_threshold_percentage>, <action>)" NOOP

Where <max_threshold_percentage> is a value from 0 to 100 and <action> is either DROP or RESET. Replace both placeholders with the values you want before running the command.

After the selector and the responder policy are configured, bind the policy globally, once for regular requests (REQ_DEFAULT) and once for NAT requests (NAT_REQ_DEFAULT).

Code

bind responder global packetcreditratesessionpolicy 101 END -type REQ_DEFAULT

bind responder global packetcreditratesessionpolicy 102 END -type NAT_REQ_DEFAULT
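To make the behaviour of the configuration above concrete, here is an added illustrative model (not NetScaler code, and not the actual PACKET_CREDITS algorithm): it keys counters on the same 4-tuple the stream selector uses, resets them every interval, classifies small PSH segments as suspicious, and returns the configured action once their share exceeds <max_threshold_percentage>. The payload-size cutoff SMALL_PAYLOAD_BYTES and the sample traffic are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Assumptions (not NetScaler's PACKET_CREDITS algorithm): a segment is
# "suspicious" when PSH is set and the payload is below SMALL_PAYLOAD_BYTES.
SMALL_PAYLOAD_BYTES = 64
TCP_PSH = 0x08


@dataclass
class Pkt:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: int
    payload_len: int
    ts: float  # seconds


class StreamMonitor:
    """Per-4-tuple counters (the stream selector) over fixed intervals.
    evaluate() returns the configured action once the suspicious share
    exceeds max_threshold_pct, otherwise "NOOP"."""

    def __init__(self, max_threshold_pct, action, interval=1.0):
        if not 0 <= max_threshold_pct <= 100 or action not in ("DROP", "RESET"):
            raise ValueError("threshold must be 0-100, action DROP or RESET")
        self.max_pct, self.action, self.interval = max_threshold_pct, action, interval
        self.stats = {}  # 4-tuple -> [window_start, total, suspicious]

    def evaluate(self, p):
        key = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        st = self.stats.get(key)
        if st is None or p.ts - st[0] >= self.interval:  # new interval: reset
            st = self.stats[key] = [p.ts, 0, 0]
        st[1] += 1
        if p.flags & TCP_PSH and p.payload_len < SMALL_PAYLOAD_BYTES:
            st[2] += 1
        pct = 100.0 * st[2] / st[1]
        return self.action if pct > self.max_pct else "NOOP"


def sample_verdicts():
    """Constructed traffic: one connection sends 3 normal segments, then a
    burst of tiny PSH segments. Returns the per-packet verdict list."""
    mon = StreamMonitor(max_threshold_pct=50, action="DROP")
    flow = ("10.0.0.9", 50000, "10.0.0.2", 443)
    pkts = [Pkt(*flow, TCP_PSH, 1200, 0.01 * i) for i in range(3)]
    pkts += [Pkt(*flow, TCP_PSH, 8, 0.03 + 0.01 * i) for i in range(7)]
    pkts.append(Pkt(*flow, 0, 1200, 2.0))  # next interval: counters start over
    return [mon.evaluate(p) for p in pkts]
```

The action is only returned once the share of small PSH segments in the current one-second interval passes the threshold, and a fresh interval starts the count again, mirroring the selector/identifier/policy split above.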