| Attack | Description | Thresholds to monitor/adjust | Events to watch |
|---|---|---|---|
| SYN attack | An excessive number of packets on a specific TCP port. In most cases, the source address is spoofed. | Layer 3 – TCP protocol (6); Layer 4 – TCP ports on which the server is listening and ports that are allowed by the firewall and ACL; Layer 4 – SYN | Protocol 6 Flood; SYN Flood; Zombie Flood; Port Flood |
| UDP flood attack | An excessive number of UDP packets. | Layer 3 – UDP protocol (17); Layer 4 – UDP ports on which the server is listening and ports that are allowed by the firewall and ACL | Protocol 17 Flood; Port Flood |
| ICMP flood | An excessive number of ICMP packets. | Layer 3 – ICMP protocol (1); Layer 4 – ICMP type and code combinations that are allowed by the firewall and ACL | Protocol 1 Flood; Layer 4 ICMP Flood of a specific type and code |
| Fragment flood | An excessive number of fragmented packets. | Layer 3 – Fragmented packets | Fragment Flood |
| Source flood | A single source sends an excessive number of IP packets. | Layer 3 – Most active source | Source Flood |
| Zombie attack | Too many legitimate IP sources send legitimate TCP packets. | Layer 3 – TCP protocol (6); Layer 4 – TCP ports on which the server is listening and ports that are allowed by the firewall and ACL; Layer 4 – SYN; Layer 4 – Established connections per destination (estab-per-dst); Layer 4 – SYN per source (syn-per-src) | Layer 3 Protocol 6; SYN Flood; Zombie Flood; Port Flood; SYN Flood from Source |
| Slow connection buildup | Legitimate IP sources open legitimate TCP connections, but do so slowly and then remain idle, which fills up the server's connection table memory. | Layer 3 – TCP protocol (6); Layer 4 – TCP ports on which the server is listening and ports that are allowed by the firewall and ACL; Layer 4 – SYN; Layer 4 – New connections; Layer 4 – Concurrent connections per source; Layer 4 – Concurrent connections per destination | Layer 3 Protocol 6; SYN Flood; Zombie Flood; Port Flood; Excess Concurrent Connections/Source; Excess Concurrent Connections/Destination |
| Slammer attack | An excessive number of packets on UDP port 1434. | Layer 3 – UDP protocol (17); Layer 4 – UDP port 1434 | Protocol 17 UDP Flood; Port Flood – 1434 |
| DNS attack | An excessive number of packets on UDP port 53. | Layer 3 – UDP protocol (17); Layer 4 – UDP port 53 | Protocol 17 UDP Flood; UDP Port 53 Flood; ICMP Port/Host not available Flood |
| MyDoom attack | An excessive number of HTTP packets from zombies. | Layer 3 – TCP protocol (6); Layer 4 – TCP port 80; Layer 4 – SYN; Layer 4 – New connections; Layer 4 – Established connections | Protocol 6 Flood; SYN Flood; Zombie Flood; Port Flood |
| Smurf attack | Traffic that appears to originate from the target server's own IP address or from somewhere on its network. Targeted correctly, it can flood the network with pings and multiple responses. | Layer 3 – ICMP protocol (1); Layer 4 – ICMP type and code combinations that are allowed by the firewall and ACL | Protocol 1 Flood; ICMP Flood of Echo-Request/Response Type (Type = 0, Code = 0) |
| Fraggle attack | Spoofed UDP packets sent to a list of broadcast addresses. Usually the packets are directed to port 7 on the target machines, which is the echo port. Other times, they are directed to the Character Generator Protocol (CHARGEN) port. Sometimes a hacker is able to set up a loop between the echo and CHARGEN ports. | Layer 3 – ICMP protocol (1); Layer 3 – UDP protocol (17); Layer 4 – UDP echo port (7); Layer 4 – Daytime Protocol port (13); Layer 4 – Quote of the Day (QOTD) port (17); Layer 4 – UDP Character Generator Protocol (CHARGEN) port (19); Layer 4 – ICMP type/codes specific to host/port not available | Protocol 1 Flood; Protocol 17 Flood; UDP Port 7 Flood; UDP Port 13 Flood; UDP Port 17 Flood; UDP Port 19 Flood; ICMP Flood of Port Not Available Type, Code (3,3); ICMP Flood of Host Not Available Type, Code (3,1) |
| HTTP GET attack | An excessive number of HTTP packets from zombies. | Layer 3 – TCP protocol (6); Layer 4 – TCP ports on which the server is listening and ports that are allowed by the firewall and ACL; Layer 4 – SYN; Layer 4 – New connections; Layer 4 – Concurrent connections per source; Layer 4 – Concurrent connections per destination; Layer 7 – HTTP methods; Layer 7 – URL | Protocol 6 Flood; SYN Flood; Zombie Flood; Port Flood; TCP Connection Flood; HTTP OpCode Flood (HTTP Method Flood); URL Flood |

FortiDDoS has applicable thresholds for each SPP at Layer 3 and Layer 4. A Layer 4 packet is, by definition, also a Layer 3 packet. However, blocked traffic is only displayed at the highest layer at which a threshold was violated. For example, FortiDDoS identifies a packet causing a TCP connection flood as Layer 4 dropped traffic only, even though the corresponding Layer 3 envelope is also blocked.
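The following added example (not FortiDDoS code, and not part of the original page) illustrates how a per-layer threshold scheme like the one in the table works and why blocked traffic is attributed to the highest violated layer. It counts packets in a window against constructed Layer 3 thresholds (per protocol, fragments, most active source) and Layer 4 thresholds (per destination port, SYN, ICMP type/code), names the resulting events using the table's vocabulary, and then reports only the events from the highest layer that tripped. All threshold values, packet samples and helper names (`Packet`, `violations`, `displayed_events`) are assumptions made for this illustration.

```python
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Constructed per-packet summary; only the fields the thresholds need."""
    src: str                                 # source address label
    proto: int                               # IP protocol: 6 TCP, 17 UDP, 1 ICMP
    dport: int = 0                           # TCP/UDP destination port
    syn: bool = False                        # TCP SYN without ACK
    icmp: Optional[Tuple[int, int]] = None   # ICMP (type, code)
    fragment: bool = False                   # IP fragment


# Constructed per-window packet thresholds (illustrative, not FortiDDoS defaults).
THRESHOLDS = {
    ("L3", "proto"): 300,    # packets per IP protocol
    ("L3", "frag"): 100,     # fragmented packets
    ("L3", "src"): 100,      # packets from the most active source
    ("L4", "port"): 200,     # packets per TCP/UDP destination port
    ("L4", "syn"): 150,      # TCP SYN packets
    ("L4", "icmp_tc"): 100,  # packets per ICMP type/code combination
}


def event_name(kind: str, detail: tuple) -> str:
    """Map a violated counter to an event name in the table's vocabulary."""
    if kind == "proto":
        return f"Protocol {detail[0]} Flood"
    if kind == "frag":
        return "Fragment Flood"
    if kind == "src":
        return "Source Flood"
    if kind == "port":
        return f"Port Flood ({'TCP' if detail[0] == 6 else 'UDP'} {detail[1]})"
    if kind == "syn":
        return "SYN Flood"
    if kind == "icmp_tc":
        return f"ICMP Flood Type {detail[0][0]}, Code {detail[0][1]}"
    raise ValueError(kind)


def count_keys(packets: List[Packet]) -> Counter:
    """Tally every Layer 3 and Layer 4 counter a packet contributes to."""
    counts: Counter = Counter()
    for p in packets:
        counts[("L3", "proto", p.proto)] += 1        # Layer 3 envelope, always
        counts[("L3", "src", p.src)] += 1
        if p.fragment:
            counts[("L3", "frag")] += 1
        if p.proto in (6, 17):
            counts[("L4", "port", p.proto, p.dport)] += 1
        if p.proto == 6 and p.syn:
            counts[("L4", "syn")] += 1
        if p.proto == 1 and p.icmp is not None:
            counts[("L4", "icmp_tc", p.icmp)] += 1
    return counts


def violations(packets: List[Packet]) -> List[Tuple[str, str, int]]:
    """Every threshold exceeded in the window, as (layer, event name, count)."""
    out = []
    for key, n in count_keys(packets).items():
        layer, kind, detail = key[0], key[1], key[2:]
        if n > THRESHOLDS[(layer, kind)]:
            out.append((layer, event_name(kind, detail), n))
    return sorted(out)


def displayed_events(packets: List[Packet]) -> List[str]:
    """Events attributed to the blocked traffic: only the highest violated layer."""
    found = violations(packets)
    if not found:
        return []
    top = max(layer for layer, _, _ in found)   # "L4" sorts above "L3"
    return [name for layer, name, _ in found if layer == top]


def sample_syn_flood() -> List[Packet]:
    """Constructed: 400 SYNs to TCP/80, each from a different spoofed source,
    plus 50 ordinary UDP/53 packets from one resolver client."""
    pkts = [Packet(src=f"spoofed-{i}", proto=6, dport=80, syn=True) for i in range(400)]
    pkts += [Packet(src="192.0.2.10", proto=17, dport=53) for _ in range(50)]
    return pkts


def sample_fragment_flood() -> List[Packet]:
    """Constructed: 120 fragmented UDP packets spread over many ports and
    sources, too few per port or per source to trip any Layer 4 threshold."""
    return [Packet(src=f"host-{i % 40}", proto=17, dport=20000 + i, fragment=True)
            for i in range(120)]


if __name__ == "__main__":
    for name, sample in (("SYN flood", sample_syn_flood()),
                         ("Fragment flood", sample_fragment_flood())):
        print(name, "violations:", violations(sample))
        print(name, "displayed:", displayed_events(sample))
```

In the SYN flood sample the Layer 3 counter for protocol 6 is exceeded as well as the Layer 4 port and SYN counters, but `displayed_events` reports only the two Layer 4 events, mirroring the rule that the Layer 3 envelope is dropped silently alongside the Layer 4 violation. The fragment sample trips nothing above Layer 3, so Fragment Flood is the only event shown.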