In some cases, it might not be that easy to detect an attack. For instance, in a HTTP DDoS attack, a web server might be attacked with legitimate traffic; therefore they are regular HTTP requests. This is where we can use HTTP DoS protection. HTTP DoS protection allow NetScaler to respond with a JavaScript challenge to all incoming HTTP requests. Since a HTTP DDoS attack is typically done using a cluster of many nodes running a scripted attack, these nodes do not support any form of JavaScript request; therefore, when they cannot respond to the JavaScript challenge, NetScaler closes the connection. Regular users surfing with a regular browser support JavaScript and are therefore granted access. This happens in the background and the user never sees that it happens. Enabling HTTP DoS puts a lot of strain on NetScaler, especially if there is a lot of traffic and the client detect rate is at 100 percent.

In order to enable HTTP DoS, go into Security | Protection Features | HTTP DoS and click Add.

Then give the policy a name and enter a queue depth that is a representation of the number of outstanding requests to the system, before the HTTP DoS feature is enabled. Then we should enter a client detect rate; this is a percent value between 0 and 100 to define what percentage of requests after the HTTP DoS feature is triggered should get the JavaScript challenge.

After we have created a HTTP DoS policy we have to bind it to our services. Go into Traffic Management | Services, then choose the services we want this enabled for, then go into Policies and click the + sign and choose HTTP DoS and find the newly created policy.

It is also important that we have defined thresholds on NetScaler services; otherwise, NetScaler cannot know how many requests or clients the backend services can handle and the HTTP DoS feature will never trigger.

Setting these values can be done under Services | Thresholds.