In some cases, it might not be that easy to detect an attack. For instance, in a suspected HTTP DDoS attack, a web server may be attacked with legitimate traffic, and therefore they are regular HTTP requests. This is where we can use HTTP DoS protection. HTTP DoS protection allows NetScaler to respond with a JavaScript challenge to all incoming HTTP requests. Now, since an HTTP DDoS attack is typically done using a cluster of multiple nodes running a scripted attack, these nodes do not support any form of JavaScript request. Therefore, when they cannot respond to the JavaScript challenge, NetScaler closes the connection. Regular users who surf through a regular browser that supports JavaScript are therefore granted access. This happens in the background, and the user never sees that it happens. Enabling HTTP DoS puts a lot of strain on NetScaler, especially if there is a lot of traffic and the client detect rate is at 100 percent.

To enable HTTP DoS, navigate to Security | Protection | HTTP DoS, and click on Add.

Then, provide the policy with a name and enter a queue depth—a representation of the number of outstanding requests to the system—before the HTTP DoS feature is enabled. Next, enter a client detect rate: this is a percentage value between 0 and 100 that defines the percentage of requests that should get the JavaScript challenge after the HTTP DoS feature is triggered. By default, the value is set to 1% in the global HTTP DoS parameters.

After we have created an HTTP DoS policy, we must bind it to our services. Go to Traffic Management | Services, then choose the services that this should be enabled for. Next, go into policies and click on the + sign and choose HTTP DoS, where you will find the newly created policy.

It is also important that we define thresholds on the NetScaler services. If not, NetScaler will not know how many requests or clients the backend services can handle, and the HTTP DoS feature will never be triggered.

These values can be set under Services | Thresholds.