How to Configure Rate Limiting Feature of NetScaler Appliance to Mitigate DDoS Attack

  • CTX127917
  • Created onMar 26, 2014
  • Updated onApr 02, 2014
Article Topic Load Balancing/High Availability, Security


This article contains information about configuring the Rate Limiting feature of a NetScaler appliance to mitigate a Distributed Denial-of-Service (DDoS) attack.


To configure the Rate Limiting feature of a NetScaler appliance to mitigate a DDoS attack, complete the following procedure from the command line interface of the appliance:

  1. Run the following command to add a rate limiting selector:
    add ns limitSelector dossel CLIENT.IP.SRC
    This command selects the criteria on which the rate limiting must be applied. In the preceding command, the Source IP address of the client is specified as the criterion. It is also possible to reduce the number of false positives for Clients who receive the network traffic through a proxy server, or NAT by including the HTTP request URL as an expression to the limiting selector. Refer to the following example:
    add ns limitSelector dossel CLIENT.IP.SRC HTTP.REQ.URL

  2. Run the following command to define the rate limiting threshold:
    add ns limitIdentifier dosid1 -threshold 6 -selectorName dossel
    The preceding command defines a rate limit threshold. This threshold comprises of a numeric variable limit and a time interval. Here, a threshold of 6 is specified, which ensures that if there are more than 6 requests per second from a specific client, the action defined in the responder policy should be taken.

  3. Run the following command to add a Responder policy:
    add responder policy dospol "CLIENT.IP.DST.EQ ( && SYS.CHECK_LIMIT(\"dosid1\")" RESET
    In the preceding command, replace the IP address,, with the destination IP address of the Virtual IP address.

  4. Run the following command to globally bind the Responder policy:
    bind responder global dospol 1 END -type REQ_DEFAULT

The NetScaler appliance sends a reset packet as soon as the appliance receives more than six requests in one second from a single IP address. The threshold value can be updated according to the request you expect in one second from a legitimate client to access a Web page.

Additional Resources

Applicable Products

Automatic translation

Important: This article was translated by an automatic translation system (also referred to as Machine Translation, or MT) and has not been translated or reviewed by people. Citrix offers a machine translated version of this article to allow for greater access to the support content. However, automatic translation is not always perfect and may contain errors of vocabulary, syntax or grammar. Citrix is not responsible for inconsistencies, errors or damage incurred as a result of the use of MT articles from our customers.Thank you.
Click here to see the English version of this article.
Was this helpful?
Thank you for your feedback

Share your comments or find out more about this topic

Citrix Forums