Product features
The following features make FortiDDoS the best in its class:
Purpose-built for low latency and rapid response
The patented combination of purpose-built hardware and heuristics allows you to deploy the FortiDDoS appliance inline (for example, between the external network and a protected server), where it can receive, process, and transmit packets at a high rate, even when an attack is underway. FortiDDoS introduces a latency of only a few microseconds and has a response time of 2 seconds or less.
Initial learning period
FortiDDoS learns based on inbound and outbound traffic patterns. You first deploy the system in Detection Mode. In Detection Mode, the system operates with high (factory default) thresholds and does not drop any packets.
At the end of the initial learning period, you can adopt system-recommended thresholds (usually lower than the factory default) and continue to use Detection Mode to review logs for false positives and false negatives. As needed, you repeat the tuning: adjust thresholds and monitor the results.
When you are satisfied with the system settings, change to Prevention Mode. In Prevention Mode, the appliance drops packets and blocks sources that violate ACL rules and DDoS attack detection thresholds.
Continuous learning
FortiDDoS begins learning traffic patterns as soon as it begins monitoring traffic, and it never stops learning. It continuously analyzes traffic rates and dynamically adjusts the thresholds that differentiate between legitimate traffic volume and attacks.
Zero Day attack prevention
FortiDDoS uses rate-based analysis, which protects against attacks that hackers have not yet imagined. Administrators do not need to intervene, and the appliance is “on guard” 24/7, automatically protecting your network systems and bandwidth.
Granular attack detection thresholds
The FortiDDoS specialized hardware is designed to monitor thresholds for all traffic it sees at Layers 3, 4, and 7. It tracks throughput, packet rate, new connections, TCP state transitions, fragments, checksums, flags, and so on. You can set thresholds on the appropriate traffic parameter to limit traffic for particular systems or applications.
Deep packet inspection
The FortiDDoS specialized hardware enables deep packet inspection. FortiDDoS can identify header fields in HTTP packets and maintain specific thresholds for specific URLs. This granularity enables the system to distinguish between attacks against a specific URL and legitimate traffic to other resources.
Slow connection detection
Many botnets have started using slow connection build-up as a mechanism to confuse security appliances and thus effectively overload the servers. FortiDDoS can identify these types of attacks by monitoring thresholds for partial requests. When an attack is detected, the system “aggressively ages” the connections, recovering resources for protected servers.
Known IP address matching
A proprietary algorithm matches incoming connection requests with known IP addresses to mitigate SYN attacks without the overhead of connection proxies. Legitimate users can connect or remain connected, even during a SYN flood attack.
Source tracking
FortiDDoS tracks connection and rate behavior per source IP address, so it can identify the source of attacks and apply more stringent limits to the traffic they send to your servers.
Service Protection Profiles (SPPs)
FortiDDoS maintains up to 8 sets of counters and thresholds that you assign to a subnet as a group. Thus, a single appliance can protect up to 8 subnets, each identified by an IP address representing a server or group of networked servers. Each of these virtual protection zones—called Service Protection Profiles—learns traffic patterns and estimates adaptive thresholds independently. You can assign each profile an independent administrator, which is useful in multi-tenant environments such as an ISP.
Intuitive analysis tools and reports
The on-box reporting tools enable graphical analysis of network traffic history from five minutes to one year. You can analyze traffic profiles using a broad range of Layer 3, 4 or 7 parameters. With just a few clicks, you can create intuitive and useful reports such as top attackers, top attacks, top attack destinations, top connections, and so on.
Viewing traffic monitor graphs
Traffic monitor graphs display trends in throughput rates and drop counts due to threat prevention actions. In Detection Mode, the drop count is hypothetical, but useful as you tune detection thresholds.
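The following added example is an illustrative model, not FortiDDoS code, of the behaviour described under Initial learning period, Source tracking, and the hypothetical drop count above: a threshold is derived from a learning window, then applied to per-source packet rates in Detection Mode (nothing dropped, excess reported) and Prevention Mode (excess dropped). The traffic samples, the headroom tuning rule and the factory default value are constructed assumptions.

```python
"""Illustrative model (not FortiDDoS code) of rate-based thresholds,
Detection vs Prevention Mode, and per-source tracking."""
from collections import defaultdict

# Constructed per-second packet counts observed during the initial learning period.
LEARNING_WINDOW = [120, 130, 125, 140, 135, 128, 132, 138]

# Constructed live traffic: (source IP, packets per second). 203.0.113.9 floods.
LIVE_TRAFFIC = [
    ("198.51.100.7", 130), ("203.0.113.9", 900), ("198.51.100.7", 135),
    ("203.0.113.9", 1200), ("198.51.100.7", 140),
]

FACTORY_DEFAULT_THRESHOLD = 10_000  # assumed deliberately high value used before learning


def recommended_threshold(samples, headroom=2.0):
    """Hypothetical tuning rule: learned peak rate times a headroom factor."""
    return int(max(samples) * headroom)


def evaluate(traffic, threshold, mode):
    """Apply a packet-rate threshold in 'detection' or 'prevention' mode.

    Returns total passed/dropped packets plus the packets over threshold per source.
    In Detection Mode nothing is dropped; the excess is reported separately as the
    hypothetical drop count that traffic monitor graphs would show."""
    if mode not in ("detection", "prevention"):
        raise ValueError("mode must be 'detection' or 'prevention'")
    passed = dropped = hypothetical = 0
    excess_by_source = defaultdict(int)
    for src, pps in traffic:
        excess = max(0, pps - threshold)
        excess_by_source[src] += excess  # per-source tracking identifies the offender
        if mode == "prevention":
            passed += pps - excess
            dropped += excess
        else:
            passed += pps
            hypothetical += excess
    return {"passed": passed, "dropped": dropped,
            "hypothetical_drops": hypothetical,
            "excess_by_source": dict(excess_by_source)}


if __name__ == "__main__":
    for threshold in (FACTORY_DEFAULT_THRESHOLD, recommended_threshold(LEARNING_WINDOW)):
        for mode in ("detection", "prevention"):
            print(threshold, mode, evaluate(LIVE_TRAFFIC, threshold, mode))
```

With the factory default threshold no excess is seen in either mode, which is why the learning period is needed before the recommended threshold exposes the flooding source.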
Configurable event monitoring
You can monitor FortiDDoS events using the web UI, SNMP, or email event notification.