Netscaler 10.1 DoS Attack to Backend Web Server
Posted on 2015-01-22
Here is our setup.
Firewall -> Netscalers in an HA setup -> Backend Windows 2008 Web Servers
We had an issue where one of the websites hosted by our web servers was getting attacked. Mind you, these web servers host many websites, but only one was affected. Our Web Admins stated they were seeing thousands of requests coming in for web pages that do not exist. Our Security Team noticed in the firewall that the attack was not coming from one IP but from a large number of IPs, not all in the same IP block.
Long story short, the attack was stopped by blocking the IPs in the firewall. On the Netscaler side, during the attack I noticed thousands of connections to the VIP address for this site, which is more than normal. Our web team was reporting they were seeing thousands of passive connections that kept increasing very fast until the server needed to be rebooted again.
1) Are there any settings on the Netscaler I should look at to prevent this from happening again?
2) We are load balancing the site, yet the Web Team reported most of the passive connections were focused on one server. How could this be in a "Least Connections" load balanced setup? Please note the site responds on http and https.
3) The Java GUI is very slow to get real-time connection information like source IP, destination IP, etc. Is there a log file I could view?
4) On a side note, what log files should I view to check the overall health and the number of open connections that have not timed out?