Detecting and Mitigating Password Spraying Attacks on NetScaler Gateway

Hello everyone

One of the themes of 2024 is an increasing prevalence of brute-force password attacks on the typical remote access solutions. Jaskirat posted a blog on the subject last week; you can read his article here, which I did share last week.

There has been a new article with some clever use of maps posted by Steven Wright last night. Full blog post is here. It is very detailed.

I posted a summary document in June which covered some of the options available to an administrator; the link is here.

Have a good day!

Andrew Scott

NetScaler Pre-Sales Specialist - Trying to make the complex stuff accessible to all. Talks about #NetScaler #Application Security #Loadbalancing #Cloud

2 months ago

Wow, the longest comment in history! A webinar might be in my wheelhouse…thanks for this btw.

Jessy Strebel

Business / Solutions Architect

2 months ago

In the world of the NetScaler, documentation, education content, and people focus on a feature or an action. In this case, and by no means limited to it, is the action to go to an Auth server / system, with Auth being one of the first steps. The next step is usually a session action. The power of NetScaler is not in the various actions. The power is in the expression or rule. This is getting to be known as conditional access. This is a very long conversation I have had regularly over time in all my training sessions. It is also the place most people fall asleep with the complexity. The policy expression or rule of ns_true or true works and is generally presented in training and documentation. This rule means any (any traffic); in the case of auth, it means send everything to the auth server. This is a basic allow for scripts to hammer an auth system. The fallback has been well-set-up MFA. Short answer is build an expression that meets the access requirements. The first step is limiting based on application. This is the difference between a PowerShell app or a browser. The more detailed you are on what type of traffic goes to the action, the lower the attack surface area is. Maybe Andrew can set up an event.
