Rate limiting

With the rate limiting feature in Citrix NetScaler, we can define a maximum load for load balancing virtual servers or configured backend servers. Citrix NetScaler monitors the rate of traffic in real time and, based on the configured limits, can take an action such as blocking access. The rate limiting feature is especially useful when the network is under attack, so with rate limiting it's possible to prevent Distributed Denial-of-Service (DDoS) attacks. By using rate limiting, we can improve the reliability of the network and the resources that are presented by Citrix NetScaler.

Monitoring and control of the traffic rate can be based on:

  • Virtual servers
  • URLs
  • Domains
  • Combinations of URLs and domains
  • User-defined expressions

With rate limiting, it's possible to throttle the traffic rate when it's too high. It's also possible to redirect traffic to another load balancing virtual server if it exceeds the configured limits. We can apply these rate-based monitors to HTTP, TCP, and DNS requests.

For every instance or request, it's possible to configure different limiters. The different options available will be described shortly.

In order to use limiters, we need filters to identify where the limit needs to be configured. These filters are called rate limiting selectors. A lot of predefined filters are already available, but if necessary, we can create a new one.

A configured limit can be checked in, for example, rewrite policies and responder policies by using the following expression, which takes the name of the limit identifier as a quoted string:

SYS.CHECK_LIMIT("NAMEOFTHECREATEDRATELIMITIDENTIFIER")

Configuring rate limiting

Go to AppExpert | Rate Limiting | Selectors and click on Add. Fill in the correct information based on this explanation:

  • Name: This is the name given to the rate limiting selector.
  • Expressions: This will be the expression used to identify where the rate limiting should filter, for example, CLIENT.IP.SRC or HTTP.REQ.LB_VSERVER.NAME

After we have created the selector, we will create the actual Limit Identifier. This Limit Identifier contains settings about the limit. Fill in the correct information based on the following explanation:

  • Name: This is the name given to the Rate Limit Identifier.
  • Selector: Choose the selector created in the preceding step, or select a predefined one.
  • Mode: We can use REQUEST_RATE, CONNECTION, or NONE. With REQUEST_RATE, we monitor the requests/time slice; with CONNECTION, we monitor the active transactions; and with NONE, we don't define any type of traffic for tracking.
  • Limit Type: This option is available only when you are using REQUEST_RATE. There are two limit types: SMOOTH and BURSTY. With SMOOTH, the permitted number of requests is spread over the configured time slice. With BURSTY, we only allow the maximum configured quota in the time slice.
  • Threshold: This is the maximum number of requests allowed in the configured time slice. In the REQUEST_RATE mode, this is the maximum number of tracked requests. In the CONNECTION mode, this threshold is the total number of allowed connections.
  • Time Slice: This is the time interval, in milliseconds, that is used to check whether the threshold has been exceeded.
  • Maximum Bandwidth: This is the maximum permitted bandwidth in kbps.
  • Traps: This is the number of SNMP traps that will be sent in the time slice.

Tip

Use the show ns limitSessions <limitIdentifier> command to show information about the configured rate limiting.
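
The same configuration can be expressed in the NetScaler CLI. This is an added example, not taken from the book: the object names (sel_client_ip, lim_client_ip, pol_rate_limit, vs_web) and the threshold values are assumptions, and vs_web is assumed to be an existing HTTP load balancing virtual server.

```netscaler
# Added example; all object names and numeric values are assumptions.

# 1. Selector: track traffic per client source IP address.
add ns limitSelector sel_client_ip CLIENT.IP.SRC

# 2. Limit identifier: at most 100 requests per 1000 ms time slice for each
#    value of the selector, with one SNMP trap per time slice.
add ns limitIdentifier lim_client_ip -selectorName sel_client_ip -mode REQUEST_RATE -limitType BURSTY -threshold 100 -timeSlice 1000 -trapsInTimeSlice 1

# 3. Responder policy: SYS.CHECK_LIMIT evaluates to true once the limit is
#    exceeded, so requests over the limit are dropped.
add responder policy pol_rate_limit "SYS.CHECK_LIMIT(\"lim_client_ip\")" DROP

# 4. Bind the policy to the virtual server that should be protected
#    (vs_web is assumed to exist already).
bind lb vserver vs_web -policyName pol_rate_limit -priority 100 -gotoPriorityExpression END -type REQUEST

# 5. Verify: list the sessions currently tracked for this identifier.
show ns limitSessions lim_client_ip
```

Start with a threshold well above the normal per-client request rate and review the output of show ns limitSessions before tightening it, so that legitimate clients behind a shared address are not dropped.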
