How to Implement Exponential Back-off Algorithm on a NetScaler Appliance

How to Implement Exponential Back-off Algorithm on a NetScaler Appliance

book

Article ID: CTX136565

calendar_today

Updated On:

Description

This article describes how to implement exponential back-off algorithm on a NetScaler appliance.

Background

Exponential time-block algorithm is about mitigating dictionary attacks. Dictionary attacks are mostly brute force attacks in which the attacker tries a random combination of username/password to complete a successful authentication on an interface. This is completed generally in a loop, firing many requests every second till a successful combination is found. Exponential back-off algorithm blocks an attacker from issuing anymore authentication requests for a time that depends on the number of requests the attacker has made in the past and the time elapsed since then. Following is the general formula:

E(c) = 1/2 * (2(pow,c) - 1)

where,

c is the number of attempts

E(c) is the time in seconds for which you must block the user.

Attempts

Lockout (s)

Lockout (h, m, s)

1

0

0s

2

2

2s

3

4

4s

4

8

8s

5

16

16s

6

32

32s

7

64

1m 4s

8

128

2m 8s

9

256

4m 16s

10

512

8m 32s

11

1024

17m 4s

12

2048

34m 8s

13

4096

1h 8m 16s

14

8192

2h 16m 32s

15

16384

4h 33m 4s

The general purpose this algorithm serves is that it takes more and more time for an attacker to issue a next authentication request after the last attack has failed. Because brute force dictionary attacks are highly dependent on large number of random requests sent, this algorithm serves to stop them.

How Does a NetScaler Appliance Implement Exponential Back-off Algorithm

To implement this algorithm, you can use the built-in NetScaler HTTP Callouts feature. See Citrix Documentation - HTTP Callouts for more information.

The following basic components are required to implement exponential back-off algorithm or any such algorithm:

  • A Responder/Rewrite policy that is hit on action such as authentication on interface.
  • An HTTP Callout which will be called when policy.1 is hit.
  • A Web Server to which HTTP callout makes a call to carry out an operation with data obtained when policy.1 is hit. This can also be a NetScaler Apache server.
  • A Script such as php, perl, or any language which processes data sent by the callout in three and responds back. This is where the algorithm is implemented.
  • A Database in Web server generally a text document handled by script.4 that keeps tracks of authentication request issued by an IP address in past, the block time.

After the script responds back, the connection is either allowed or disallowed. The block is maintained for the time calculated according to the formula given earlier.

Instructions

To implement exponential back-off algorithm, complete the following procedure:

  1. Add an HTTP Callout which makes a callout to a Web resource (executable):
    set policy httpCallout log_ip -IPAddress 192.168.101.56 -port 80 -returnType BOOL -hostExpr 192.168.101.56 -urlStemExpr "\"/exponential.php\"" -headers My-Header("This is my callout") -parameters ip(CLIENT.IP.SRC) -resultExpr "HTTP.RES.BODY(1000).AFTER_STR(\"action:\").EQ(\"block\")"

  2. Match a failed authentication, which generally is a 401 message, with a rewrite policy and bind it at the global level:
    add rewrite policy unauth_rew_policy "HTTP.RES.STATUS.EQ(404) && SYS.HTTP_CALLOUT(log_ip)" RESET
    bind rewrite global unauth_rew_policy 1 END -type RES_DEFAULT

  3. Upload the script that implements the algorithm to a Web server. The following is a sample file for Exponential Back-off algorithm (exponential.php):
    You can download the sample exponential.php script attached in this article.

    Sample ns.conf for Exponential Back-off setup

    add ns ip 192.168.101.121 255.255.255.0 -type snip
set ns ip 192.168.101.121 -mgmtAccess enabled
add policy httpCallout log_ip
set policy httpCallout log_ip -IPAddress 192.168.101.121 -port 80 -hostExpr '"nitro.example.net"' -returnType BOOL -httpMethod POST -urlStemExpr "\"/exponential.php\"" -headers Content-Type("application/x-www-form-urlencoded") Authorization("Basic bnNyb290Om5zcm9vdA==") -parameters ip=192.168.101.26 -resultExpr q/HTTP.RES.BODY(1000).AFTER_STR("message\": \"").BEFORE_STR("\"").EQ("Done")/
add responder policy call_log_ip "HTTP.REQ.METHOD.EQ(GET) && SYS.HTTP_CALLOUT(log_ip)" NOOP
set responder policy call_log_ip -rule "HTTP.REQ.METHOD.EQ(GET) && SYS.HTTP_CALLOUT(log_ip)" -action NOOP
add lb vserver v1 http 192.168.101.125 80
add service s1 192.168.101.87 http 80
bind lb vserver v1 s1
bind lb vserver v1 -policyName call_log_ip -priority 100 -gotoPriorityExpression NEXT

Environment

The above mentioned sample code is provided to you as is with no representations, warranties or conditions of any kind. You may use, modify and distribute it at your own risk. CITRIX DISCLAIMS ALL WARRANTIES WHATSOEVER, EXPRESS, IMPLIED, WRITTEN, ORAL OR STATUTORY, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT. Without limiting the generality of the foregoing, you acknowledge and agree that (a) the sample code may exhibit errors, design flaws or other problems, possibly resulting in loss of data or damage to property; (b) it may not be possible to make the sample code fully functional; and (c) Citrix may, without notice or liability to you, cease to make available the current version and/or any future versions of the sample code. In no event should the code be used to support ultra-hazardous activities, including but not limited to life support or blasting activities. NEITHER CITRIX NOR ITS AFFILIATES OR AGENTS WILL BE LIABLE, UNDER BREACH OF CONTRACT OR ANY OTHER THEORY OF LIABILITY, FOR ANY DAMAGES WHATSOEVER ARISING FROM USE OF THE SAMPLE CODE, INCLUDING WITHOUT LIMITATION DIRECT, SPECIAL, INCIDENTAL, PUNITIVE, CONSEQUENTIAL OR OTHER DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Although the copyright in the code belongs to Citrix, any distribution of the sample code should include only your own standard copyright attribution, and not that of Citrix. You agree to indemnify and defend Citrix against any and all claims arising from your use, modification or distribution of the sample code.

Issue/Introduction

This article describes how to implement exponential back-off algorithm on a NetScaler appliance.

Additional Information

Wikipedia - Exponential backoff

Citrix Documentation - HTTP Callout

Citrix Blog - Dynamic and runtime configuration in NetScaler using HTTP callout and NITRO

Advantages of Using a NetScaler Appliance

  • No need to learn any new language or rules-provided-by-vendor-product.

  • Can implement through a simple php/perl/any-language script.

  • Separate infrastructure is not required.

  • A generic setup can work with a different algorithm by pointing to a different script.

More Callouts

  • Run the following command to put an exponential block on all login requests, whether accepted or rejected, coming from an IP:
    add responder policy zxc "HTTP.REQ.URL.EQ(\"/login/do_login\") && HTTP.REQ.BODY(1000).EQ(\"username\") && SYS.HTTP_CALLOUT(log_ip)" RESET
    bind responder global call_log_ip 1 END -type REQ_DEFAULT

  • Run the following command to put exponential block when a user tries to access a non-existing object:
    add rewrite policy unauth_rew_policy "HTTP.RES.STATUS.EQ(404) && SYS.HTTP_CALLOUT(log_ip)" RESET
    bind rewrite global unauth_rew_policy 1 END -type RES_DEFAULT

Sample Exponential Back-off Script

Download the attachment for this article which is the sample exponential back-off script.

Powered by Wolken Software