Guidelines for HTTP DoS protection deployment

Citrix recommends you to deploy the HTTP DoS protection feature in a tested and planned manner and closely monitor its performance after the initial deployment. Use the following information to fine-tune the deployment of HTTP DoS Protection.

  • The maximum number of concurrent connections supported by your servers.
  • The average and normal values of the concurrent connections supported by your servers.
  • The maximum output rate (responses/sec) that your server can generate.
  • The average traffic that your server handles.
  • The typical bandwidth of your network.
  • The maximum bandwidth available upstream.
  • The limits affecting bandwidth (such as external links, a particular router, or other critical devices on the path that may suffer from a traffic surge).
  • Whether allowing a greater number of clients to connect is more important than protecting upstream network devices.

To determine the characteristics of a HTTP DoS attack, you should consider the following issues.

  • What is the rate of incoming fake requests that you have experienced in the past?
  • What types of requests have you received (complete posts, incomplete gets)?
  • Did previous attacks saturate your downstream links? If not, what was the bandwidth?
  • What types of source IP addresses and source ports did the HTTP requests have (e.g., IP addresses from one subnet, constant IP, ports increasing by one).
  • What types of attacks do you expect in future? What type have you seen in the past?
  • Any or all information that can help you tune DoS attack protection.
Guidelines for HTTP DoS protection deployment