  • DDoS & Bot Mitigation Service for your Applications with Citrix Managed Services


    • Validation Status: Work In Progress
      Summary: CWAAP and CADS integrated solution for DDoS, WAF and BOT protection for your applications deployed in hybrid cloud environments
      Has Video?: No

    Citrix Application Delivery and Security (CADS) Service  
     

    Citrix ADS Service, a new SaaS from Citrix, radically simplifies application delivery and security and accelerates IT modernization by bringing intent-based configuration, automated self-healing and internet awareness to hybrid multi-cloud deployments (more info).

    Citrix ADS service will improve and simplify your secure app delivery and ensure compliance by deploying infrastructure in your public cloud data center. We can enhance this service offering further by leveraging the Citrix Web Application and API Protection Service’s (CWAAP) DDoS Mitigation Service to make the solution secure and protected from denial-of-service. 
     

     

    CWAAP Provisioning:  
     

    The Citrix Web App and API Protection (CWAAP) service is comprised of two components, CWAAP DDoS Protection DNS Redirect Always-On and CWAAP WAF/Bot. The DNS redirect service is used to direct your traffic to the CWAAP infrastructure and protect against volumetric DDoS attacks while the CWAAP service will manage the logging, blocking and violation reporting of your application traffic.  

    In order to provision the DDoS services, you must have pre-deployed your application infrastructure in your public cloud data center. This could consist of applications delivered through Citrix Managed services, Self-Managed services, or both. To deliver your application on your public cloud with the CADS service, follow the guide here. Figure 1 depicts the solution's architecture. User traffic is filtered by CWAAP. Your application is protected from harmful attacks, only legitimate user traffic reaches your NetScalers, and the optimal application server is chosen for content delivery.


    Figure 1: Architecture for CWAAP and CADS integration for end-to-end application security


    Steps to Integrate CADS service Application with CWAAP 
     

    1. Your application FQDN (mysecureapp.adservicedemo.com in the following example) is mapped to the public auto-generated FQDN of the CADS service endpoint. Here we see the CNAME mapping in the AWS Route 53 service; this could be an entry in any other DNS provider.


    2. Now you need to configure CWAAP to serve your application traffic and protect it from DDoS and bots.

    CWAAP is configured and managed through a flexible SaaS portal. The CWAAP service portal, accessible through a browser, enables security admins to configure attack protections, monitor attack activity through a dashboard, or report on events.  

    Under Configuration -> Assets -> Create Asset  

    Specify the Service config: Frontend SSL, Port 443. The backend is the auto-generated address shown in Step 1. You need to upload your SSL certificate for the domain mysecureapp.adsservicedemo.com and enable Force Backend SNI with the SNI common name mapped to your application FQDN.


    3. In your DNS provider (Route 53 here), change the CNAME entry for the application FQDN to map to the CWAAP Asset IP address (156.154.117.59).


    4. CWAAP Bot policies and custom rules are configurable through the SaaS portal.

    1.  Bot Profile – Protections and Signatures 

    Bot Signatures: All default signatures are enabled. 


    IP Reputation: IP Reputation was configured in Log only mode for all malicious IPs. 


    5. All information about bot violations is presented in the interactive Bot Dashboard, where you can see what is targeted from a host, IP and URL standpoint (mouse over longer URLs to see them in full) and the geographic distribution of the attacks (origin, in this case).
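
One way to check the DNS cutover from steps 1 and 3 is to classify the answers returned for the application FQDN. This is an added example, not code from the article or from Citrix. The CADS endpoint name and the 203.0.113.10 address are constructed placeholders, and the record that resolves to the CWAAP Asset IP is modelled as an A record.

```python
# Added example: classify a DNS answer set for the cutover in steps 1 and 3.
# Records are (name, type, value) tuples, e.g. parsed from `dig +noall +answer`.
APP_FQDN = "mysecureapp.adservicedemo.com"   # application FQDN from the article
CWAAP_IP = "156.154.117.59"                  # CWAAP Asset IP from the article
CADS_FQDN = "cads-endpoint.example.net"      # placeholder for the auto-generated CADS FQDN


def norm(name):
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.rstrip(".").lower()


def resolve_chain(records, start, max_hops=8):
    """Follow CNAMEs from start; return (names visited, final A/AAAA values)."""
    by_name = {}
    for name, rtype, value in records:
        by_name.setdefault(norm(name), []).append((rtype.upper(), value))
    visited, current = [], norm(start)
    while current not in visited and len(visited) < max_hops:
        visited.append(current)
        rrset = by_name.get(current, [])
        cnames = [v for t, v in rrset if t == "CNAME"]
        if not cnames:
            return visited, sorted(v for t, v in rrset if t in ("A", "AAAA"))
        current = norm(cnames[0])
    return visited, []          # CNAME loop or chain too long: treat as unresolved


def classify_cutover(records, app=APP_FQDN, cwaap_ip=CWAAP_IP, origin=CADS_FQDN):
    """Return 'protected', 'direct-to-origin', 'mixed' or 'unresolved'."""
    visited, addrs = resolve_chain(records, app)
    if not addrs:
        return "unresolved"
    if norm(origin) in visited:
        return "direct-to-origin"   # step 1 mapping still live, CWAAP not in the path
    if all(a == cwaap_ip for a in addrs):
        return "protected"          # every answer lands on the CWAAP asset
    return "mixed"                  # some answers do not go through CWAAP


# Constructed sample answers (not captured from a real zone).
BEFORE = [(APP_FQDN + ".", "CNAME", CADS_FQDN + "."),
          (CADS_FQDN + ".", "A", "203.0.113.10")]
AFTER = [(APP_FQDN + ".", "A", CWAAP_IP)]
STALE = AFTER + [(APP_FQDN + ".", "A", "203.0.113.10")]

if __name__ == "__main__":
    for label, rrs in (("before", BEFORE), ("after", AFTER), ("stale", STALE)):
        print(label, "->", classify_cutover(rrs))
```

Run it against the answers from each resolver you care about after the change in step 3; any result other than `protected` means some clients are not being routed through CWAAP.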


