In computing, a denial-of-service attack (DoS attack) is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet. Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled.

This is where we can use HTTP DoS protection. HTTP DoS protection allows ADC to respond with a JavaScript challenge to incoming HTTP requests. Since a HTTP DoS attack is typically done using a cluster of many nodes running a scripted attack, these nodes do not support any form of JavaScript request; therefore, when they cannot respond to the JavaScript challenge, ADC closes the connection. Regular users surfing with a regular browser support JavaScript and are therefore granted access.

Typically, the HTTP DOS Protection feature gets activated when the number of outstanding HTTP service requests (i.e., queue depth) on the system is lower than a configured value. Once activated, the HTTP DOS Protection policy is then automatically applied to the configured percentage of HTTP requests from clients - if this percentage is 100, then the policy is applied to all HTTP requests received from clients. In this case therefore, ADC will respond with a JavaScript challenge to all incoming requests.

Where HTTP DOS Protection is at play, it is only natural that administrators prefer to be notified every time the policy is triggered, and also be informed of the number of clients that are allowed access as per the policy. This will help them review the DOS protection settings, and figure out if they need to be tweaked. To achieve this, administrators can use the HTTP DOS test.

This test alerts administrators if the condition that is set for triggering DOS protection is fulfilled. In which case, the test reports the count of HTTP clients for which ADC's DOS protection feature allowed service access. Additionally, the test also reports the number of clients that ADC's Priority Queuing feature has granted DOS priority to.

Target of the test : A Citrix ADC VPX/MPX

Agent deploying the test : A remote agent

Outputs of the test : One set of results for the Citrix ADC VPX/MPX appliance being monitored.

Configurable parameters for the test
Parameter Description

Test Period

How often should the test be executed.


The IP address of the host for which the test is being configured.

NetScaler Username, NetScaler Password, and Confirm Password

To monitor a ADC device, the eG agent should be configured with the credentials of a user with read-only privileges to the target ADC device. Specify the credentials of such a user in the NetScaler Username and NetScaler Password text boxes. Then, confirm the password by retyping it in the Confirm Password text box.


The eG agent collects performance metrics by invoking NITRO (ADC Interface Through Restful interfaces and Objects) APIs on the target ADC device. Typically, the NITRO APIs can be invoked through the HTTP or the HTTPS mode. By default, the eG agent invokes the NITRO APIs using the HTTPS mode. This is why, the SSL flag is set to Yes by default. If the target ADC device is not SSL-enabled, then the NITRO APIs can be accessed through the HTTP mode only. In this case, set the SSL flag to No.

Measurements made by the test
Measurement Description Measurement Unit Interpretation

DOS condition triggered

Indicates the number of times during the last measurement period the ADC appliance triggered the DOS JavaScript due to a condition match.


A non-zero value for this measure indicates that the queue depth has fallen below the configured threshold limit, activating the HTTP DOS Protection feature.

Valid DOS clients

Indicates the number of clients from ADC appliance that received a valid DOS cookie during the last measurement period



DOS priority clients

Indicates the number of valid clients that were given DOS priority during the last measurement period.


The Surge Protection, and Priority Queuing features help manage DOS attacks. When a protected website or application receives too many requests at once, the Surge Protection feature detects the overload and queues the excess connections til the server can accept them. The Priority Queuing feature ensures that whoever most needs access to a resource is provided access without having to wait behind other lower-priority requests.