A session refers to all requests a single client makes to a server. A session is specific to a user: for each user, a new session is created to track all requests from that user, and each session is identified by a unique session identifier.
Session Tracking enables the Barracuda Load Balancer ADC to limit the number of sessions originating from a particular client IP address in a given interval of time. Limiting the session generation rate by client IP address helps prevent session-based Denial of Service (DoS) attacks.
To configure Session Tracking, go to the SECURITY > Advanced Security page, scroll to Session Tracking, and click Edit in the Options column.
You can specify the following session protection options:
- New Session Count – Maximum number of new sessions allowed per IP address; Range: 1 - 65535; Default: 10.
- Interval – Time in seconds for which the number of sessions from the same client cannot exceed the New Session Count setting; Range: 1 - 6000 seconds; Default: 60.
- Status – Set to On to enable session tracking.
- Session Identifiers – The token type used to recognize sessions. Choose from the list, or see Configuration of Session Identifiers to add a Session Identifier.
- Exception Clients – Clients that are exempt from this protection. Write an IP address range with a "-" (hyphen) between its start and end addresses. Separate multiple ranges or IP addresses with a "," (comma). The list should not contain overlapping IP address ranges.
When you have finished configuring these options, click Save.
Configuration of Session Identifiers
Configuring session identifiers allows the Barracuda Load Balancer ADC to recognize session information in requests and responses.
To create or edit a session identifier, perform the following steps:
- Go to the SECURITY > Libraries page and scroll to the Session Identifiers section.
- Locate the desired identifier and click Edit, or to add a new identifier, click Add Session Identifier.
- Enter or modify the session Identifier Name. This name will appear in the list of Session Identifiers from which you choose when you configure Session Tracking.
- Enter or modify the following session token parameters:
  - Token Name
  - Token Type
  - Start Delimiter
  - End Delimiter
- Newly added or edited Session Identifiers appear in the Session Identifiers list on the Edit Session Tracking page on the SECURITY > Advanced Security page in the Session Tracking section.
The following example shows how to enable the Barracuda Load Balancer ADC to extract the Session ID 12345 from the session identifier “JSESSIONID=12345;”:
- Token Name – JSESSIONID
- Token Type – Parameter
- Start Delimiter – =
- End Delimiter – ;
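
The settings on this page, modelled in Python as an added example (not Barracuda's code or algorithm): the delimiter-based token extraction shown above feeds a per-client-IP counter of new sessions, and the Exception Clients list is parsed and checked for overlaps. The sliding window, counting the first sighting of a session ID from an IP as a new session, ignoring Token Type, IPv4-only input, and the names `extract_token`, `parse_exceptions` and `SessionTracker` are assumptions.

```python
import ipaddress
from collections import defaultdict, deque

def extract_token(text, name, start, end):
    """Return the value between name+start and end, or None if the token is absent."""
    _, found, rest = text.partition(name + start)
    return rest.partition(end)[0] if found else None

def parse_exceptions(spec):
    """Parse 'a-b, c' (hyphen ranges, comma separated) into (lo, hi) pairs; reject overlaps."""
    ranges = []
    for item in filter(None, (s.strip() for s in spec.split(","))):
        lo, _, hi = item.partition("-")
        lo = ipaddress.ip_address(lo.strip())
        hi = ipaddress.ip_address(hi.strip()) if hi else lo
        if hi < lo:
            raise ValueError(f"range end precedes start: {item}")
        ranges.append((lo, hi))
    ranges.sort()
    for (_, prev_hi), (lo, _) in zip(ranges, ranges[1:]):
        if lo <= prev_hi:
            raise ValueError(f"overlapping entries near {lo}")
    return ranges

class SessionTracker:
    def __init__(self, new_session_count=10, interval=60, exceptions="", token=("JSESSIONID", "=", ";")):
        self.limit, self.interval, self.token = new_session_count, interval, token
        self.exempt = parse_exceptions(exceptions)
        self.seen = set()                 # (client IP, session ID) pairs already counted
        self.starts = defaultdict(deque)  # client IP -> timestamps of counted new sessions

    def allow(self, ip, text, now):
        """Return False when this request would start a session beyond the limit."""
        addr = ipaddress.ip_address(ip)
        if any(lo <= addr <= hi for lo, hi in self.exempt):
            return True                   # Exception Clients bypass the check
        sid = extract_token(text, *self.token)
        if sid is None or (ip, sid) in self.seen:
            return True                   # no token, or a session already counted
        window = self.starts[ip]
        while window and now - window[0] >= self.interval:
            window.popleft()              # forget session starts older than Interval
        if len(window) >= self.limit:
            return False
        window.append(now)
        self.seen.add((ip, sid))
        return True

# Constructed sample using the page's own token string.
assert extract_token("Cookie: JSESSIONID=12345;", "JSESSIONID", "=", ";") == "12345"
```

With the defaults (New Session Count 10, Interval 60), the eleventh distinct session ID from one non-exempt address inside 60 seconds is the first to be refused in this model.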