How can a ddos solution can prevent a server from L7 ddos attack if the traffic is SSL encrypted ?

[ONURCAN KAYMAK]

Suppose that a bot is attacking a server using http get flood using https. How can a ddos detect this flood if the traffic is encrypted ?

[Akhil Nair]

Hi @ONURCAN KAYMAK​ - Are you referring to a volumetric DDoS attack?

[Rick Davis]

The NetScaler is a secure reverse proxy and as such, it has encrypted sessions with both the clients and the servers. During this process it forwards the GET requests and can throttle the rate of these requests to the backend server. See our Rate Limiting documentation.

[Morten Kallesøe]

It can't - how could it? its encrypted.

If you create an SSL vServer with the proper certificate, you decrypt the traffic first, and then a LB+SG with SSL option, to re-encrypt it before going to the backend, you would be able to create some ddos mechanisms.

[ONURCAN KAYMAK]

No I'm not referring a volumetric DDoS attack, my question is that what is the best protection method against L7 DDoS attack especially for not volumetric ones ? Rate Limiting is a good way to prevent from most of L7 DDoS attacks but i think it's better to first decrypt encrypted traffic on L7 DDoS device and then to send it to Citrix ADC to inspect the traffic one more time might be a better solution. I only want to learn best way of it.

[Morten Kallesøe]

Why not let NetScaler (formerly known as Citrix ADC) decrypt it aswell?

also, i think you need to get your terminology straight, a DDoS - Distributed Denial of Service, IS some kind of volume metric attack. DoS - Denial of service, is just taking a service out, without too much fuzz (eg. taking up all connections from a single client and not closing them, leave the device unable to take in more connections - this is just an thought, not something that happens on NetScaler)

Could you please describe what kind of scenarios you are looking to protect from (and be as specific as possible) then we are better able to guide you in the right direction.

Stay True, Stay Real.

[Kai Thorsrud]

Morten is correct and on the right track. The best way would be to let Netscaler decrypt the traffic.

Then you can use Botnet Framework, WAF , IP Reputation or several other of the Netscaler protection features handle it.

I have successfully handled several DDOS attackes using netscalers in the past. The problem is that if you are new to this with no experience implementing the correct protection / rules for the DDOS you are experiencing takes experience and will be a challenge.

I have successfully stopped several ddos attacks and made several companies survive black friday, lauch of playstation 5 and similar. I find Netsclaer to kick ass on stopping L7 DDOS attacks if you can decrypt the traffic. The problem is the config my friend.

Learning protocols, spotting patterns in the attack takes experience..

No i do not have time to help with config.

[Kai Thorsrud]

hehe this was an old post.. didnt notice