
HTTP and TCP attack detection and logging

NetScaler provides comprehensive logging capabilities for HTTP and TCP attack events and non-RFC compliant traffic. This feature enhances security monitoring by providing detailed visibility into dropped packets and security violations that were previously only tracked through counters.

The new logging functionality enables administrators to identify malicious traffic sources with complete connection details. Administrators can monitor RFC compliance violations for troubleshooting and security purposes. Also, administrators can track attack patterns with contextual information for forensic analysis and configure flexible logging levels to filter events based on severity requirements.

Note:

The HTTP and TCP attack event logging feature is available starting from NetScaler version 14.1 build 51.x.

Key benefits

This enhanced logging capability delivers significant value across the following critical business areas:

  • Immediate threat response with real-time detection and forensic analysis.

  • Operational efficiency through faster incident resolution and automated compliance reporting.

  • Cost optimization using targeted remediation and proactive security monitoring that reduces overall incident volume.

Supported attack types and log levels

NetScaler’s attack event logging covers a comprehensive range of security threats and protocol violations across both HTTP and TCP layers. The system automatically categorizes events by severity level (ALERT, WARNING, ERROR) to enable appropriate prioritization and response workflows in your security operations.

HTTP attack detection

NetScaler monitors and logs various HTTP-based security threats and protocol violations. These threats are classified into multiple categories based on their potential impact and security risk.

The following HTTP-based attacks and violations are logged:

ALERT level - Active security attacks requiring immediate attention:

These attacks require immediate attention and pose significant security risks to your infrastructure.

  • Desync Attack

  • Slow Loris Attack

  • Slow Post Attack

  • HTTP/2 Ping Flood

  • HTTP/2 Reset Flood

  • HTTP/2 Settings Flood

  • HTTP/2 Empty Frame Flood

WARNING level - Protocol violations and non-compliant traffic:

These violations indicate non-standard HTTP behavior that suggests malicious intent or application issues requiring investigation.

  • Invalid Body

  • Invalid Character in header field name

  • Invalid symbol character in header field name

  • Duplicate headers

  • Duplicate host headers

  • Header overflow

  • Invalid host header

ERROR level - Connection tracking failures and invalid requests:

These events capture connection abnormalities that indicate attack attempts or system issues affecting request processing.

  • Various connection tracking aborted scenarios when requests are marked as invalid.

TCP attack detection

NetScaler detects and logs network-layer TCP attacks that target connection establishment and data transmission protocols, providing visibility into sophisticated network-based threats.

ALERT level - Critical network attacks targeting TCP infrastructure:

These events represent sophisticated network-level attacks that attempt to exhaust system resources or exploit TCP protocol weaknesses.

  • SYN flood attack

  • Segments smack attacks

  • Small window attacks

Log information template

Every security event is logged with a standardized set of data fields that provide complete context for threat analysis and incident response.

Each logged event includes the following comprehensive information:

Field                  Description
---------------------  ----------------------------------------------
Event Category         Type of attack or violation detected
Source IP              Client IP address
Source Port            Client port number
Destination IP         Target server IP address
Destination Port       Target server port
Protocol               HTTP or TCP
Payload Sample         First 128 bytes of packet payload
Context Description    Human-readable explanation of the violation
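To show how a collector could consume the template fields above together with the ALERT/WARNING/ERROR classes listed earlier (and raise the "alert on ALERT level events" best practice on a per-source basis), here is an added Python example; it is not NetScaler code. It assumes a simple "Field=value | Field=value" rendering of the eight template fields, since this page does not show the exact syslog line layout, and every sample line is constructed.

```python
import re
from collections import Counter
# Severity per event category, taken from the lists on this page.
ALERT_EVENTS = {"Desync Attack", "Slow Loris Attack", "Slow Post Attack",
                "HTTP/2 Ping Flood", "HTTP/2 Reset Flood", "HTTP/2 Settings Flood",
                "HTTP/2 Empty Frame Flood", "SYN flood attack",
                "Segments smack attacks", "Small window attacks"}
WARNING_EVENTS = {"Invalid Body", "Invalid Character in header field name",
                  "Invalid symbol character in header field name", "Duplicate headers",
                  "Duplicate host headers", "Header overflow", "Invalid host header"}
# The eight fields of the log information template, in the page's order.
FIELDS = ("Event Category", "Source IP", "Source Port", "Destination IP",
          "Destination Port", "Protocol", "Payload Sample", "Context Description")
# Assumed rendering "Field=value | Field=value ..." (not the exact NetScaler
# layout). Split only on " | " followed by a known field name, so a payload
# sample that itself contains "|" or "=" does not break the parse.
_SPLIT = re.compile(r" \| (?=(?:%s)=)" % "|".join(map(re.escape, FIELDS)))

def parse_event(line):
    """Parse one log line into a dict keyed by template field name."""
    event = dict(part.partition("=")[::2] for part in _SPLIT.split(line.strip()))
    missing = [f for f in FIELDS if f not in event]
    if missing:
        raise ValueError("line is missing template fields: %s" % missing)
    for port in ("Source Port", "Destination Port"):
        event[port] = int(event[port])
    return event

def severity(event):
    """Map the event category onto the page's ALERT / WARNING / ERROR levels."""
    if event["Event Category"] in ALERT_EVENTS:
        return "ALERT"
    if event["Event Category"] in WARNING_EVENTS:
        return "WARNING"
    return "ERROR"  # connection tracking aborted / request marked invalid

def alert_sources(lines, threshold=2):
    """Source IPs with at least `threshold` ALERT-level events (for alerting)."""
    hits = Counter(ev["Source IP"] for ev in map(parse_event, lines)
                   if severity(ev) == "ALERT")
    return {ip: n for ip, n in hits.items() if n >= threshold}

# Constructed sample events, not captured from a real NetScaler.
SAMPLE_LOG = [
    "Event Category=Slow Loris Attack | Source IP=203.0.113.7 | Source Port=51522 | Destination IP=10.0.0.5 | Destination Port=443 | Protocol=HTTP | Payload Sample=GET / HTTP/1.1\\r\\nHost: www.example.com\\r\\nX-a: b | Context Description=Headers not completed within timeout",
    "Event Category=SYN flood attack | Source IP=203.0.113.7 | Source Port=40001 | Destination IP=10.0.0.5 | Destination Port=443 | Protocol=TCP | Payload Sample= | Context Description=SYN rate exceeded threshold",
    "Event Category=Duplicate host headers | Source IP=198.51.100.9 | Source Port=61000 | Destination IP=10.0.0.5 | Destination Port=80 | Protocol=HTTP | Payload Sample=GET /a=1|b=2 HTTP/1.1\\r\\nHost: x\\r\\nHost: y | Context Description=More than one Host header",
    "Event Category=Connection tracking aborted | Source IP=198.51.100.9 | Source Port=61001 | Destination IP=10.0.0.5 | Destination Port=80 | Protocol=HTTP | Payload Sample=GET | Context Description=Request marked invalid",
]
```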

Configure audit log (Syslog and Nslog) with HTTP and TCP attack logging by using the CLI

To implement the HTTP and TCP attack detection and logging feature, a new -protocolViolations parameter is added to audit log related commands. This parameter enables logging of protocol violations and attack events for specified protocols. The -protocolViolations parameter currently supports the following values:

  • ALL: Enables logging for all supported protocol violations and attacks.

  • NONE: Disables protocol violation logging (default value).

The -protocolViolations parameter is available in the following audit log configuration commands:

set syslogparams [-protocolViolations <protocol> ...]

add audit syslogAction <name> <syslog server IP> <loglevel> [-protocolViolations <protocol> ...]

set nslogparams [-protocolViolations <protocol> ...]

add audit nslogAction <name> <nslog server IP> <loglevel> [-protocolViolations <protocol> ...]

Configure audit log (Syslog and Nslog) with HTTP and TCP attack logging by using the GUI

  1. Navigate to Configuration > System > Auditing > Syslog or Nslog.

  2. Select the Servers tab.

  3. Click Add.

  4. In the Create Auditing Server page, populate the relevant fields.

  5. Select the Protocol Violations checkbox.

  6. Click Create.

Implementation and configuration

The following configuration examples demonstrate different deployment scenarios for enabling attack event logging based on your environment’s specific requirements and security monitoring strategy:

Use case 1: Global external syslog server

This configuration is ideal for organizations that require centralized security monitoring across their entire NetScaler infrastructure. NetScaler sends all violation and attack logs to an external syslog server for centralized monitoring.

To configure this setup, perform the following procedure:

  1. Create a syslog action for an external server.

    At the command prompt, type:

    add audit syslogAction external_act <syslog server IP> -logLevel ALL -protocolViolations ALL

    Example:

    add audit syslogAction external_act 10.146.121.48 -logLevel ALL -protocolViolations ALL
  2. Create and bind syslog policy.

    At the command prompt, type:

    add audit syslogPolicy external_pol TRUE external_act
    
    bind audit syslogGlobal -policyName external_pol -priority 100

Use case 2: Local syslog server

For smaller deployments or environments with specific data locality requirements, local syslog configuration provides a simpler alternative. Configure a local syslog server to capture all protocol violations.

To enable protocol violation logging on local syslog, run the following command:

set syslogparams -protocolViolations ALL

Use case 3: Multiple external servers per virtual server

If you need more flexibility for complex environments, you can configure different virtual servers to send their logs to different destinations. This means that you can have some virtual servers sending logs to one server while others send to a different server, all with their own specific configurations.

To configure this setup, run the following commands in sequence:

  1. Configure the first external server (all events).

    add audit nslogAction external_act_1 <nslog server IP> -logLevel ALL -protocolViolations ALL

    Example:

    add audit nslogAction external_act_1 10.146.121.48 -logLevel ALL -protocolViolations ALL
    
    add audit nslogPolicy external_pol_1 TRUE external_act_1
  2. Configure a second external server (critical events only).

    add audit nslogAction external_act_2 <nslog server IP> -logLevel ALERT WARNING -protocolViolations ALL

    Example:

    add audit nslogAction external_act_2 10.146.127.50 -logLevel ALERT WARNING -protocolViolations ALL
    
    add audit nslogPolicy external_pol_2 TRUE external_act_2
  3. Bind policies to a specific virtual server.

    bind lb vserver vserver1 -policyName external_pol_1 -priority 100
    
    bind lb vserver vserver1 -policyName external_pol_2 -priority 110

Use case 4: Filter logging by severity

When dealing with high-traffic environments, filtering logs by severity helps manage log volume while maintaining focus on critical security events. You can configure logging to capture only critical attacks (ALERT level) to reduce log volume.

  1. Create syslog action for critical events only.

    add audit syslogAction external_act 10.146.121.48 -logLevel ALERT -protocolViolations ALL
  2. Create and bind syslog policy.

    add audit syslogPolicy external_pol TRUE external_act
    
    bind audit syslogGlobal -policyName external_pol -priority 100

Best practices

Follow these recommended practices to maximize the effectiveness of attack logging while maintaining optimal system performance:

  • Start with WARNING level to understand your traffic patterns before enabling all log levels.

  • Use external syslog servers for production environments to ensure log persistence.

  • Configure log rotation to manage disk space on syslog servers.

  • Set up alerting on ALERT level events for immediate threat response.

  • Regularly review logged events to identify trends and adjust security policies.

Troubleshooting

When implementing attack event logging, you might encounter configuration challenges or performance considerations. The following guidance helps resolve common issues:

  • Ensure syslog server connectivity before enabling logging.

  • Verify log level compatibility with your SIEM or log analysis tools.

  • Check that network policies allow syslog traffic to external servers.

To ensure optimal system performance while maintaining comprehensive security monitoring, consider the following recommendations:

  • Monitor NetScaler performance when enabling comprehensive logging.

  • Consider using filtered logging (ALERT only) for high-traffic environments.

  • Implement log aggregation for multiple NetScaler instances.