Tuning the client detection/JavaScript challenger response rate

After you have enabled and configured HTTP DoS protection, the HTTP DoS protection function is triggered when more than the specified maximum number of clients are waiting in the Citrix ADC surge queue for the HTTP DoS service. By default, JavaScript challenge responses are sent to clients at a rate equal to one percent of the server response rate. In many real attack scenarios this default rate is inadequate and needs to be tuned.

For example, assume that the Web server can produce a maximum of 500 responses/sec but is receiving 10,000 GET requests/sec. If 1% of the server responses are sent as JavaScript challenges, the challenges amount to almost nothing: 5 JavaScript challenge responses per second (500 × 0.01) for 10,000 waiting client requests. Only about 0.05% of the real clients receive a JavaScript challenge response. However, if the client detection/JavaScript challenge response rate is set very high (for example, 10%, generating 1000 JavaScript challenge responses per second), the challenge traffic itself may saturate the upstream links or overload the upstream network devices. Exercise care when modifying the default Client Detect Rate value.

If the configured triggering surge queue depth is, for example, 200, and the surge queue size is fluctuating between 199 and 200, the Citrix ADC would flap between the “attack” and “no-attack” modes, which is undesirable. To prevent this, the HTTP DoS feature includes a hysteresis window with a default size of 20. After the surge queue size reaches the specified queue depth value and triggers “attack” mode, the surge queue size must fall to 20 less than the specified queue depth before the Citrix ADC appliance returns to “no-attack” mode. In the example, the surge queue size must fall below 180 before the appliance enters “no-attack” mode. Consequently, when adding or setting a DoS policy, you must specify a value greater than 20 for the QDepth parameter.
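The two behaviours described above, the challenge-rate arithmetic and the hysteresis window on the surge-queue trigger, are easy to misjudge when choosing values, so the following model (an added example written for this page, not Citrix ADC code) lets you replay a sequence of observed surge-queue sizes and compare the windowed trigger with a naive threshold. The `DosTrigger` class, the `WINDOW` constant, the assumption that “attack” mode is entered at `queue_size >= qdepth` and left at `queue_size < qdepth - window`, and the sample queue sizes are all constructed for illustration.

```python
"""Model of Citrix ADC HTTP DoS trigger hysteresis and JavaScript
challenge-rate arithmetic. Constructed illustration; not vendor code."""

from dataclasses import dataclass

# Assumed fixed hysteresis window size, as described on the page.
WINDOW = 20


def challenge_rate(server_rps: float, client_rps: float, client_detect_rate: float):
    """Return (challenges_per_sec, fraction_of_waiting_clients_challenged).

    challenges_per_sec is client_detect_rate applied to the *server*
    response rate; the fraction relates that to the waiting client load.
    """
    challenges = server_rps * client_detect_rate
    fraction = challenges / client_rps if client_rps else 0.0
    return challenges, fraction


@dataclass
class DosTrigger:
    """Attack/no-attack state machine with a hysteresis window.

    Enter "attack" when the surge queue reaches qdepth (assumed >=);
    return to "no-attack" only when it falls below qdepth - window.
    """
    qdepth: int
    window: int = WINDOW
    attack: bool = False

    def __post_init__(self) -> None:
        # The page requires QDepth to be greater than the window size.
        if self.qdepth <= self.window:
            raise ValueError("qdepth must be greater than the window size")

    def observe(self, queue_size: int) -> bool:
        if not self.attack and queue_size >= self.qdepth:
            self.attack = True
        elif self.attack and queue_size < self.qdepth - self.window:
            self.attack = False
        return self.attack


def windowed_modes(qdepth: int, samples: list[int]) -> list[bool]:
    """Mode after each observed queue size, using the hysteresis window."""
    trigger = DosTrigger(qdepth)
    return [trigger.observe(s) for s in samples]


def naive_modes(qdepth: int, samples: list[int]) -> list[bool]:
    """Mode after each observed queue size with no window (flaps at the edge)."""
    return [s >= qdepth for s in samples]


def transitions(modes: list[bool]) -> int:
    """Number of attack/no-attack mode changes in a mode sequence."""
    return sum(1 for a, b in zip(modes, modes[1:]) if a != b)


if __name__ == "__main__":
    # Constructed sample: a surge queue hovering around the trigger depth.
    queue = [150, 199, 200, 199, 200, 185, 180, 179, 150, 200]
    print("windowed:", windowed_modes(200, queue), transitions(windowed_modes(200, queue)))
    print("naive:   ", naive_modes(200, queue), transitions(naive_modes(200, queue)))
    print("1% challenge rate:", challenge_rate(500, 10_000, 0.01))
```

Running the model over the constructed sequence shows the naive threshold flipping mode on every 199/200 oscillation, while the windowed trigger stays in “attack” mode until the queue drops below 180. The `challenge_rate` call reproduces the page's arithmetic: 5 challenges per second for 10,000 waiting requests, or 0.05% of clients.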

The triggering surge queue depth should be configured on the basis of previously observed traffic characteristics. For more information about arriving at a correct configuration, see Guidelines for HTTP DoS protection deployment.
