FortiDDoS compared with conventional firewalls
Conventional stateful firewalls drop individual packets or stateful connections, but they cannot correlate packets back to a source over time. FortiDDoS has a unique feature that lets it promptly correlate an attack's packets and verify whether they originate from a single host. If it can (that is, the attack is not spoofed), it blocks the offending source for a longer period of time.
It is important to understand the differences between a stateful firewall and a stateful network behavior analysis (NBA) system such as FortiDDoS. The key differences are:
Conventional stateful firewalls have rules that allow or deny packets or individual connections based on the characteristics of each packet or connection. They do not remember packets in an aggregate way.
FortiDDoS operates on an aggregate basis. It measures packet rates (typically per second) over a period of time for various Layer 3, 4, and 7 parameters and compares each rate against the threshold configured for that parameter. If a rate exceeds its threshold, FortiDDoS blocks that traffic for a configured period.
In a firewall, the administrator can set a rule that allows UDP destination port 1434 regardless of the rate. A FortiDDoS administrator, on the other hand, can set a rule that allows UDP 1434 only while the rate stays within 10 packets per second. Beyond this rate, UDP packets destined for that port are dropped.
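The following is an added illustration, not FortiDDoS code, of the distinction just described: a per-second aggregate rate threshold on a Layer 4 parameter (UDP destination port 1434 at 10 packets per second, as in the text), with the excess dropped and, when one source by itself exceeds the threshold, that source blocked for a configured period. The single-host test (a source alone exceeding the limit) and the sample traffic are assumptions made for the example.

```python
from collections import defaultdict

class RateThresholdPolicy:
    """Per-second aggregate rate check with per-source correlation (added example)."""

    def __init__(self, thresholds, block_seconds=60):
        self.thresholds = thresholds        # (proto, dst_port) -> max packets per second
        self.block_seconds = block_seconds
        self.counts = defaultdict(int)      # (second, proto, port) -> packets seen
        self.src_counts = defaultdict(int)  # (second, proto, port, src) -> packets seen
        self.blocked_until = {}             # src -> timestamp when its block expires

    def handle(self, ts, src, proto, dst_port):
        if src in self.blocked_until:       # blocked sources stay blocked until expiry
            if ts < self.blocked_until[src]:
                return "drop-blocked"
            del self.blocked_until[src]
        key = (proto, dst_port)
        limit = self.thresholds.get(key)
        if limit is None:                   # no threshold set for this parameter
            return "allow"
        second = int(ts)                    # one-second measurement window
        self.counts[(second, *key)] += 1
        self.src_counts[(second, *key, src)] += 1
        if self.counts[(second, *key)] <= limit:
            return "allow"                  # within the per-second threshold
        # Threshold exceeded in this window: the excess is dropped. If this one
        # source by itself exceeded the limit (assumed single-host test), block it.
        if self.src_counts[(second, *key, src)] > limit:
            self.blocked_until[src] = ts + self.block_seconds
            return "drop-source-blocked"
        return "drop-rate"

# Constructed sample traffic (timestamp in seconds, source, protocol, dst port).
SAMPLE_PACKETS = (
    [(i * 0.001, "10.0.0.5", "udp", 1434) for i in range(12)]  # burst from one host
    + [(0.5, "10.0.0.9", "udp", 1434),   # other client in the same saturated second
       (2.0, "10.0.0.9", "udp", 1434),   # next window: rate back within limit
       (30.0, "10.0.0.5", "udp", 1434),  # blocked host tries again
       (61.0, "10.0.0.5", "udp", 1434),  # block has expired
       (61.0, "10.0.0.5", "tcp", 80)]    # no threshold configured -> allowed
)

def run_sample():
    policy = RateThresholdPolicy({("udp", 1434): 10}, block_seconds=60)
    return [policy.handle(*pkt) for pkt in SAMPLE_PACKETS]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, run_sample()):
        print(f"{pkt[0]:7.3f}s {pkt[1]:>9} {pkt[2]}/{pkt[3]:<4} -> {verdict}")
```

Note that the second client's packet at 0.5 s is dropped too, because the aggregate rate for the port is already over the threshold in that window; only the host that exceeded the limit on its own is blocked for the full period.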
Some FortiDDoS features are similar to those of a firewall. Like a firewall, FortiDDoS allows you to configure Layer 3, 4, and 7 blocking conditions. It is therefore important to learn how to migrate a firewall security policy to a FortiDDoS security policy.