Netscaler and DDoS

A part of many Network admins day to day tasks involves mitigating DDoS attacks. And they come in many types of shape and size.
But they are share a common goal, disrupting the service for the users. These types of attacks make the service unresponsive and therefore cannot service the regular users who actually need to access the service. Trough out the years there have been many DDoS attacks on many of the HUGE online services.

For instance PayPal, Visa many online banks (Such as DNB in Norway) have suffered of these kinds of attacks, and if you think about it what happens if an online bank is offline ? The business loses a lot of income and the regular users cannot access their online bank account.

Now back to the kind of DDoS attacks. The most common ones are

SYN Flood:
Happens when a host sends a flood of TCP/SYN packets, which are often from an forged address. Each of these packets is handled like a connection request, causing the server to spawn an half-open connection. This is actually just a simple exploit of how TCP connections are established.
I like to think of it as an old lady (who is in disguise) to gives a bag to the server and says (can you hold this bag for me ? ) and of course the server is happy to oblige and therefore holds the bag and then the old lady runs of, and the server is standing there with the bag yelling (“Old lady?”) and then again there comes another old lady (in disguise) which comes with another bag which again the server is happy to help out and again is stuck with two bags.
And as you can see it is only a matter of time before the server cannot hold anymore bags.

ICMP Flood:
Which again is split up in more different types.
The primary with these kinds of attacks is that it uses ICMP. Now the Ping command is pretty simple when run it asks a server, “Are you alive?” and the server says “yes” If you have thousands upon thousands of these kinds of requests they can quickly use up much of the network bandwidth at the server.

Smurf Attack (which is an ICMP flood Attack)
Is another type of attack (Which is usually used where the network isn’t configured correctly) What happens is that a attackers, sends a spoofed IP address ping to an broadcast address in a network, and the reply to address is set to a server address. What happens is that all the clients in that subnet (which are alive and gets the ping request, will repond to the ICMP packet to the server)
These kinds of attacks are usually easy mitigated at the network.
For instance with Cisco you can set a pretty ACL to limit the ICMP traffic

config t
Access-list 100 permit icmp any {your network} {your subnet} echo-reply
Access-list 100 permit icmp any (your Network) (your Subnet) echo
Interface e1
Rate-limit input access-group 100 512000 8000 8000 conform action transmit exceed action drop

Or what you should do is use the command no direct ip-broadcast

Now these 2 are the most common types of low-layer attacks. There are a bunch of layer 7 attacks I will discuss in a later post.
So how does Netscaler come into the picture ?

SYN Flood:

A NetScaler appliance defends against SYN flood attacks by using SYN cookies instead of maintaining half-open connections on the system memory stack. The appliance sends a cookie to each client that requests a TCP connection, but it does not maintain the states of half-open connections. Instead, the appliance allocates system memory for a connection only upon receiving the final ACK packet, or, for HTTP traffic, upon receiving an HTTP request. This prevents SYN attacks and allows normal TCP communications with legitimate clients to continue uninterrupted.

SYN DoS protection on  NetScaler appliance requires no external configuration. It is enabled by default.

ICMP Flood:

The NetScaler also protects network resources from ICMP based attacks by using ICMP rate limiting and aggressive ICMP packet inspection. It performs strong IP reassembly, drops a variety of suspicious and malformed packets, and applies Access Control Lists (ACLs) to site traffic for further protection.
Now if you type sh ns ratecontrol

image

You can see the allowed ICMP packets per MS. 100 is the default value. And by default there are no rate control set on UDP and TCP.

#adc, #ddos, #icmp, #netscaler, #tcp-syn-flood