The FortiDDoS system maintains traffic history for each SPP. It uses this data to generate recommended thresholds, dynamically adjust thresholds, and generate traffic statistics. If you change the SPP policy configuration or the resources it monitors, the data can become skewed. For example, if you remove a subnet from the profile, change the servers that are deployed in the subnet, or change the services offered by those servers, the traffic history becomes less relevant. Fortinet strongly recommends that you reset the traffic history for a profile before you make any significant changes to its configuration. Go to Protection Profiles > Factory Reset > Factory Reset. If you do not reset traffic statistics, changes to an SPP policy can result in counter-intuitive data accumulating in the longer reporting periods (year, month). For example, if a subnet belonged to the default SPP-0 before you assigned it to SPP-1, a report filtered by SPP-1 includes the SPP-0 traffic history for that subnet.
Best Practice: Provision a separate SPP for UDP

Unlike TCP traffic, UDP and DNS traffic is not state-tracked by the system. This means that for UDP traffic, FortiDDoS does not differentiate requests from responses. We recommend that you provision a separate SPP for UDP traffic so that it is easier to administer during attacks. You might need to tune its thresholds more frequently. If you configure user-defined thresholds, start with outbound UDP port thresholds that are reasonably high. If the thresholds for UDP ports are too low, the system might block harmless UDP traffic. The only mitigation mechanisms for UDP attacks are source tracking and rate limiting. The source tracking feature detects attacks from a single source or a limited number of sources. If the attack is distributed across many sources, however, only the rate limiting feature applies, and it limits all UDP traffic in the SPP, including legitimate traffic; it cannot limit only the UDP traffic that is associated with the attack. Alternatively, to avoid issues with DNS in FortiDDoS deployments, consider using DNS forwarders.
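The following Python model is an added illustration, not FortiDDoS code: it simulates the two mitigations the text contrasts, showing that a single-source UDP flood is isolated by per-source tracking while a distributed flood leaves only the SPP-wide rate limiter, which sheds legitimate packets in proportion to their share of traffic, and that a per-source threshold set too low flags harmless sources. The per-source counting model, the sample sizes and all addresses are assumptions.

```python
"""Constructed model of UDP source tracking vs. SPP-wide rate limiting (not FortiDDoS code)."""
from collections import Counter
import random


def make_sample(attack_sources, attack_pps, legit_sources=20, legit_pps=5, seed=1):
    """Build a constructed one-second sample of UDP packets inside one SPP.

    Each packet is (source_ip, origin). The origin tag exists only because the
    data is synthetic; a real device sees packets, not labels.
    """
    rng = random.Random(seed)
    pkts = [(f"10.0.0.{i}", "legit")
            for i in range(1, legit_sources + 1) for _ in range(legit_pps)]
    pkts += [(f"198.51.100.{i}", "attack")
             for i in range(1, attack_sources + 1) for _ in range(attack_pps)]
    rng.shuffle(pkts)
    return pkts


def source_tracking(pkts, per_source_limit):
    """Assumed model of source tracking: flag any source exceeding a per-source packet rate."""
    counts = Counter(src for src, _ in pkts)
    return {src for src, n in counts.items() if n > per_source_limit}


def rate_limit(pkts, spp_limit):
    """Drop every packet beyond the SPP-wide limit, regardless of origin.

    Returns (legit_dropped, attack_dropped) counted from the synthetic tags.
    """
    dropped = Counter(origin for _, origin in pkts[spp_limit:])
    return dropped["legit"], dropped["attack"]


def compare(attack_sources, attack_pps, per_source_limit=50, spp_limit=200):
    """Apply source tracking first, then the SPP rate limit to whatever remains."""
    pkts = make_sample(attack_sources, attack_pps)
    flagged = source_tracking(pkts, per_source_limit)
    remaining = [p for p in pkts if p[0] not in flagged]
    legit_dropped, attack_dropped = rate_limit(remaining, spp_limit)
    return {"flagged": len(flagged),
            "legit_dropped": legit_dropped,
            "attack_dropped": attack_dropped}


if __name__ == "__main__":
    print("single source :", compare(attack_sources=1, attack_pps=1000))
    print("distributed   :", compare(attack_sources=100, attack_pps=10))
    print("threshold 3pps:", len(source_tracking(make_sample(0, 0), 3)), "harmless sources flagged")
```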