Protection Profiles : Configuring SPP settings
 
Configuring SPP settings
The SPP Settings configuration includes key feature settings, including:
Detection or Prevention Mode
SYN flood mitigation mode
Adaptive mode and adaptive limit
Packet count multipliers for identified source attackers and Layer 7 attacks
Detection for TCP state anomalies
Detection for slow TCP connection attacks
Before you begin:
You must have a good understanding of the modes you want to enable. Refer to “Key Concepts”.
You must have Read-Write permission for Protection Profile settings.
To configure SPP settings:
1. Go to Protection Profiles > SPP Settings > SPP Settings.
2. Select the SPP you want to configure from the drop-down list.
3. Complete the configuration as described in Table 26.
4. Save the configuration.
Table 26: Service protection profile settings configuration
Settings
Guidelines
Operating Mode
Inbound operating mode
Set the mode for traffic received from WAN-side interfaces:
Detection—Logs events and builds traffic statistics for the profile but does not limit or block traffic.
Prevention—Limits and blocks traffic that exceeds thresholds.
Outbound operating mode
Set the mode for traffic received from LAN-side interfaces:
Detection—Logs events and builds traffic statistics for the profile but does not limit or block traffic.
Prevention—Limits and blocks traffic that exceeds thresholds.
SYN Flood Mitigation Mode
SYN flood mitigation direction
Enable the feature for one or both traffic directions:
Inbound
Outbound
Note: If you do not enable SYN flood mitigation, and the TCP session feature control syn-validation option is enabled, then during a flood, packets from sources not in the legitimate IP address table are not given the opportunity to complete the antispoofing challenge. The packets will be dropped.
SYN flood mitigation mode
ACK cookie—Sends the client two ACK packets: one with a correct ACK number and another with a wrong number. The system determines whether the source is spoofed based on the client’s response. If the client’s response indicates that the source is not spoofed, FortiDDoS allows the connection and adds the source to the legitimate IP address table. Fortinet recommends this option if you have enough bandwidth in the reverse direction of the attack.
SYN cookie—Sends a SYN/ACK with a cookie value in the TCP sequence field. If it receives an ACK back with the right cookie, an RST/ACK packet is sent and the IP address is added to the legitimate IP address table. If the client then retries, it succeeds in making a TCP connection. Fortinet recommends this option if you cannot use ACK Cookie and you anticipate high volume attacks.
SYN retransmission—Drops the initial SYNs to force the client to send a SYN again. If the expected number of retransmitted SYNs arrive within the predetermined time period, the system considers the source to be legitimate. FortiDDoS then allows the connection to go through and adds the source to the legitimate IP address table. Fortinet recommends this option if you cannot use ACK Cookie and you anticipate low volume attacks.
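The following is an added example (not FortiDDoS code and not Fortinet's implementation): a simplified model of two of the challenges described above, SYN cookie and SYN retransmission, together with the legitimate IP (LIP) table they populate. Packets are plain dictionaries constructed inline, the cookie is an HMAC over the 4-tuple under a per-instance key, and the expected retransmission count and time window are assumed parameters, so the exchange can be traced offline without sockets.

```python
# Added example (not FortiDDoS code): a toy model of SYN cookie and SYN
# retransmission challenges feeding a legitimate IP (LIP) table.
import hashlib
import hmac
import os


class SynFloodMitigator:
    def __init__(self, mode: str, expected_retransmits: int = 2, window: float = 3.0):
        assert mode in ("syn-cookie", "syn-retransmission")
        self.mode = mode
        self.expected_retransmits = expected_retransmits  # assumed parameter
        self.window = window          # seconds in which retransmitted SYNs must arrive (assumed)
        self.lip = set()              # legitimate IP address table
        self.pending = {}             # src -> (first_seen, syn_count), retransmission mode only
        self.key = os.urandom(16)     # constructed secret for cookie generation

    def _cookie(self, pkt) -> int:
        # Cookie bound to the 4-tuple so an ACK from another tuple cannot reuse it.
        msg = f"{pkt['src']}:{pkt['sport']}:{pkt['dst']}:{pkt['dport']}".encode()
        return int.from_bytes(hmac.new(self.key, msg, hashlib.sha256).digest()[:4], "big")

    def handle(self, pkt, now: float):
        """Return (verdict, reply) for one packet seen during a flood.

        verdict is 'pass', 'drop' or 'challenge'; reply is the packet the
        mitigator sends back, or None.
        """
        src = pkt["src"]
        if src in self.lip:
            return "pass", None                          # source already validated
        if self.mode == "syn-cookie":
            if pkt["flags"] == "SYN":
                # Answer with a SYN/ACK carrying the cookie in the sequence field.
                return "challenge", {"flags": "SYN/ACK", "seq": self._cookie(pkt)}
            if pkt["flags"] == "ACK" and pkt.get("ack") == (self._cookie(pkt) + 1) & 0xFFFFFFFF:
                self.lip.add(src)                        # right cookie: source is not spoofed
                return "challenge", {"flags": "RST/ACK"}  # client retries and then succeeds
            return "drop", None
        # syn-retransmission mode: drop SYNs until the expected retransmits arrive in time
        if pkt["flags"] != "SYN":
            return "drop", None
        first_seen, count = self.pending.get(src, (now, 0))
        if now - first_seen > self.window:
            first_seen, count = now, 0                   # window expired: start counting again
        count += 1
        if count >= self.expected_retransmits + 1:       # initial SYN plus expected retransmits
            self.lip.add(src)
            self.pending.pop(src, None)
            return "pass", None
        self.pending[src] = (first_seen, count)
        return "drop", None


def run_syn_cookie_exchange():
    """Constructed exchange: a real client echoes seq+1 and is added to the LIP table."""
    m = SynFloodMitigator("syn-cookie")
    syn = {"src": "198.51.100.7", "sport": 40000, "dst": "203.0.113.10", "dport": 80, "flags": "SYN"}
    v1, reply = m.handle(syn, 0.0)
    ack = dict(syn, flags="ACK", ack=(reply["seq"] + 1) & 0xFFFFFFFF)
    v2, reply2 = m.handle(ack, 0.1)
    v3, _ = m.handle(syn, 1.0)                           # retry after the RST/ACK
    spoofed = {"src": "192.0.2.9", "sport": 1, "dst": "203.0.113.10", "dport": 80, "flags": "SYN"}
    v4, _ = m.handle(spoofed, 2.0)                       # spoofed source never answers
    return v1, v2, reply2["flags"], v3, v4, "192.0.2.9" in m.lip


def run_syn_retransmission_exchange():
    """Constructed exchange: SYNs retransmitted inside the window pass, late ones do not."""
    m = SynFloodMitigator("syn-retransmission", expected_retransmits=2, window=3.0)
    syn = {"src": "198.51.100.7", "sport": 40000, "dst": "203.0.113.10", "dport": 80, "flags": "SYN"}
    in_window = [m.handle(syn, t)[0] for t in (0.0, 1.0, 2.0)]
    slow = dict(syn, src="198.51.100.8")
    late = [m.handle(slow, t)[0] for t in (0.0, 5.0, 6.0)]  # first retransmit outside the window
    return in_window, late
```

The model makes the trade-off in the text visible: the SYN cookie challenge costs one reply per SYN, while the retransmission challenge costs nothing on the reverse path but needs the client to retry within the window.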
Adaptive Mode
Adaptive mode
Fixed—Does not use the adaptive limit. The configured minimum thresholds are the maximum limits.
Adaptive—Uses the adaptive limit. The configured minimum thresholds multiplied by the adaptive limit are the maximum limits.
Adaptive limit
A percentage of the configured minimum threshold that establishes the upper limit of the estimated threshold. The adaptive limit is an upper rate limit beyond which the system blocks all traffic. The valid range is 100% to 300%.
For example, the default is 150%. The system uses the dynamic threshold estimation algorithm to raise the calculated threshold up to 150% of the value of the configured minimum threshold. Thus, if the inbound threshold for Protocol 17 (UDP) is 10,000, the threshold never falls below 10,000 and never exceeds 15,000.
When the adaptive limit is 100, the system does not use dynamic threshold estimation to adjust thresholds.
Multipliers
Source multiplier inbound / outbound
Applies the specified multiplier to the packet count for traffic with a source IP address that the system has identified as the source of a flood.
In effect, the multiplier makes traffic from the source violate thresholds sooner. For example, if the most active source threshold is 100 packets per second, and the source multiplier is 4, an identified source attacker will violate the threshold if it sends 26 packets per second.
Because incoming traffic is more likely to be the source of a threat, you can configure different multipliers for incoming and outgoing traffic.
The default is 2.
Layer 7 multiplier inbound / outbound
Applies the specified multiplier to the packet count for traffic that the system has detected is related to a Layer 7 flood. The system tracks HTTP headers (URL or Host, Referer, Cookie or User-Agent header) and associates traffic with matching headers with the attack.
The default is 2.
Note: When both Source flood and Layer 7 flood conditions are met, the packet count multipliers are compounded. For example, when there is a User Agent flood attack, a source is sending a User-Agent that is overloaded. If the Source multiplier is 4 and the Layer 7 multiplier is 64, the total multiplier that is applied to such traffic is 4 x 64 = 256. In effect, each time the source sends a Layer 7 packet with that particular User-Agent header, FortiDDoS considers each packet the equivalent of 256 packets.
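The following is an added example (not FortiDDoS code) covering both the adaptive limit and the multipliers described above. It clamps an estimated threshold between the configured minimum and the adaptive ceiling, and weights a packet count by the source and Layer 7 multipliers, using the numbers from the text (UDP threshold 10,000 at 150%, source multiplier 4, compounded 4 x 64). The function names and the clamping of the estimate are assumptions; the page describes the bounds, not the estimation algorithm itself.

```python
# Added example (not FortiDDoS code): adaptive limit bounds and multiplier weighting.


def effective_threshold(min_threshold: int, estimated: int, adaptive_limit: int = 150) -> int:
    """Clamp a dynamically estimated threshold to [min, min * adaptive_limit / 100].

    adaptive_limit is a percentage in the valid range 100..300; at 100 the
    estimate is ignored and the configured minimum is the fixed limit.
    """
    if not 100 <= adaptive_limit <= 300:
        raise ValueError("adaptive limit must be between 100% and 300%")
    if adaptive_limit == 100:
        return min_threshold
    ceiling = min_threshold * adaptive_limit // 100
    return max(min_threshold, min(estimated, ceiling))


def weighted_packet_count(packets: int, source_flood: bool, layer7_flood: bool,
                          source_multiplier: int = 2, layer7_multiplier: int = 2) -> int:
    """Apply whichever multipliers are in effect; both together compound (e.g. 4 x 64 = 256)."""
    factor = 1
    if source_flood:
        factor *= source_multiplier
    if layer7_flood:
        factor *= layer7_multiplier
    return packets * factor


def violates(packets: int, threshold: int, **kwargs) -> bool:
    """True when the weighted packet count exceeds the threshold."""
    return weighted_packet_count(packets, **kwargs) > threshold


def minimum_rate_to_violate(threshold: int, multiplier: int) -> int:
    """Smallest per-second rate at which an identified source exceeds the threshold."""
    return threshold // multiplier + 1


if __name__ == "__main__":
    print(effective_threshold(10000, 20000, 150))            # capped at 15000
    print(minimum_rate_to_violate(100, 4))                   # 26 pps, as in the text
    print(weighted_packet_count(1, True, True, 4, 64))       # one packet counts as 256
```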
TCP State Anomaly Detection
TCP session feature control
Select one or more of the following options to detect TCP state anomalies:
seq-validation—The FortiDDoS TCP state machine ensures that TCP sequence numbers for the packets within a session are valid.
syn-validation—Required to support SYN Flood Mitigation. During a SYN flood, the TCP state machine allows only TCP SYNs from IP addresses in the legitimate IP address (LIP) table (sources that have done a three-way handshake in the past). SYNs from source IP addresses that do not have an entry in the LIP table must pass a SYN Flood Mitigation challenge to be added to the LIP table. If syn-validation is enabled and SYN Flood Mitigation is not enabled, then during a flood, packets from sources not in the legitimate IP address table are not given the opportunity to complete the antispoofing challenge. The packets will be dropped.
state-transition-anomalies-validation—The TCP state machine ensures that TCP state transitions follow the rules. For example, if an ACK packet is received when FortiDDoS has not observed a SYN/ACK packet, it is a state transition anomaly.
foreign-packet-validation—The TCP state machine drops TCP packets without an existing TCP connection and reports them as a foreign packet. In most cases, foreign packet validation is useful for filtering out junk, but enabling it is not essential. The number of foreign packets can be high, so the system does not store the source and destination of each packet. Therefore, you might not be able to determine the origin of a foreign packet. Foreign packet drops are logged in the DDoS Attack Log (State Anomalies event).
The configuration also enables you to allow some TCP state sequences that the system would otherwise detect as a TCP state anomaly when seq-validation is enabled.
Select the following options to enable them:
allow-tuple-reuse—Allow this exception to seq-validation (if enabled). Otherwise, seq-validation detects the anomaly and drops the packets. It logs the anomaly as a “State Anomalies: Outside window” event. When the “allow” option is enabled, the FortiDDoS TCP state machine updates the TCP entry when a tuple is reused. This update occurs only during the closed or close-wait, fin-wait, time-wait states, when the connection is just about to retire. This is useful in testing environments where test equipment reuses tuples in rapid succession. Enabled by default. Recommended.
allow-duplicate-syn-in-syn-sent—Allow this exception to seq-validation (if enabled). Otherwise, seq-validation detects the anomaly and drops the packets. It logs the anomaly as a “State Anomalies: Outside window” event. When the “allow” option is enabled, the TCP state machine allows duplicate TCP SYN packets during the SYN-SENT state. It allows this type of packet even if the sequence numbers are different. Disabled by default. We suggest you enable this in Detection Mode.
allow-duplicate-syn-in-syn-recv—Allow this exception to seq-validation (if enabled). Otherwise, seq-validation detects the anomaly and drops the packets. It logs the anomaly as a “State Anomalies: Outside window” event. When the “allow” option is enabled, the TCP state machine allows duplicate TCP SYN packets during the SYN-RECV state. It allows this type of packet even if the sequence numbers are different. Disabled by default. Normally these violations are not expected in real-world traffic but might be seen in test environments.
 
allow-syn-anomaly, allow-syn-ack-anomaly, allow-ack-anomaly, allow-rst-anomaly, allow-fin-anomaly—Allow these exceptions to state-transition-anomalies-validation (if enabled). Otherwise, state-transition-anomalies-validation detects the anomaly and drops the packets. It logs the anomaly as a “State Anomalies: State transition error” event. When the “allow” options are enabled, the TCP state machine allows duplicate TCP packets during any other state even if the sequence numbers are different from the existing connection entry. This is equivalent to allowing the packet without updating an existing connection entry with the new information from the allowed packet. Disabled by default. Normally these violations are not expected in real-world traffic but might be seen in test environments. In most cases, these options should remain disabled to enforce TCP compliance.
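The following is an added example (not FortiDDoS code): a toy TCP state tracker that raises the three event classes described above on a constructed packet trace: a foreign packet (no connection entry), a state transition error (an ACK when no SYN/ACK was observed) and an "Outside window" sequence anomaly (a duplicate SYN with a different sequence number in SYN-SENT). The allow_* flags model the exception options: an allowed packet passes without updating the connection entry. The state names, the canonical 4-tuple key and the handshake-only state machine are simplifications assumed here, not FortiDDoS internals.

```python
# Added example (not FortiDDoS code): handshake-only TCP state anomaly detection.
from dataclasses import dataclass, field


@dataclass
class Conn:
    state: str          # "SYN-SENT", "SYN-RECV" or "ESTABLISHED" (assumed names)
    client_seq: int     # next sequence number expected from the client


@dataclass
class TcpStateTracker:
    seq_validation: bool = True
    foreign_packet_validation: bool = True
    state_transition_validation: bool = True
    allow_duplicate_syn_in_syn_sent: bool = False
    allow_ack_anomaly: bool = False
    conns: dict = field(default_factory=dict)
    events: list = field(default_factory=list)

    def _key(self, p):
        # Canonical 4-tuple so both directions of a flow map to the same entry.
        return tuple(sorted([(p["src"], p["sport"]), (p["dst"], p["dport"])]))

    def process(self, p) -> str:
        """Return 'pass' or 'drop' for one packet and record any anomaly event."""
        key = self._key(p)
        conn = self.conns.get(key)
        flags = p["flags"]
        if conn is None:
            if flags == "SYN":
                self.conns[key] = Conn("SYN-SENT", p["seq"] + 1)
                return "pass"
            if self.foreign_packet_validation:
                self.events.append("State Anomalies: Foreign packet")
                return "drop"
            return "pass"
        if conn.state == "SYN-SENT":
            if flags == "SYN/ACK":
                conn.state = "SYN-RECV"
                return "pass"
            if flags == "SYN" and self.seq_validation:
                # A retransmitted SYN repeats the sequence number; a different one is an anomaly
                if conn.client_seq == p["seq"] + 1 or self.allow_duplicate_syn_in_syn_sent:
                    return "pass"
                self.events.append("State Anomalies: Outside window")
                return "drop"
            if flags == "ACK" and self.state_transition_validation:
                # ACK before any SYN/ACK was observed on this entry
                if self.allow_ack_anomaly:
                    return "pass"       # allowed, entry deliberately left unchanged
                self.events.append("State Anomalies: State transition error")
                return "drop"
            return "pass"
        if conn.state == "SYN-RECV" and flags == "ACK":
            conn.state = "ESTABLISHED"
        return "pass"                   # established flows are not modelled further


def run_trace(**flags):
    """Run a constructed trace and return verdicts, events and final entry states."""
    t = TcpStateTracker(**flags)
    c = dict(src="198.51.100.7", sport=40000, dst="203.0.113.10", dport=443)
    s = dict(src="203.0.113.10", sport=443, dst="198.51.100.7", dport=40000)
    trace = [
        dict(c, flags="SYN", seq=1000),                 # normal three-way handshake ...
        dict(s, flags="SYN/ACK", seq=5000),
        dict(c, flags="ACK", seq=1001),                 # ... reaches ESTABLISHED
        dict(c, sport=40001, flags="SYN", seq=2000),
        dict(c, sport=40001, flags="ACK", seq=2001),    # ACK with no SYN/ACK observed
        dict(c, sport=40002, flags="ACK", seq=3000),    # no entry at all: foreign packet
        dict(c, sport=40003, flags="SYN", seq=4000),
        dict(c, sport=40003, flags="SYN", seq=4444),    # duplicate SYN, different sequence number
    ]
    verdicts = [t.process(p) for p in trace]
    return verdicts, t.events, [conn.state for conn in t.conns.values()]
```

Running the trace with the defaults drops the three anomalous packets and logs one event each; with allow_ack_anomaly=True the premature ACK passes but its entry stays in SYN-SENT, which is the "allowed without updating the connection entry" behaviour the text describes.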
Tip: Shift-click to select multiple items.
Note: Special guidelines apply to TCP session feature control when the system is deployed in Detection Mode or Asymmetric Mode. Make sure you understand the recommendations in the following sections:
Aggressive Aging
Aggressive aging TCP connections feature control
Select to enable aggressive aging options:
high-concurrent-connection-per-source—Sends a TCP RST to the server to reset idle connections from the identified source when the maximum is reached for the concurrent-connection-per-source threshold.
high-concurrent-connection-per-destination—Sends a TCP RST to the server to reset idle connections when the maximum is reached for the concurrent-connection-per-destination threshold. Enabled by default.
layer7-flood—Sends a TCP RST to the server to reset idle connections when a Layer 7 flood is detected.
track-slow-tcp-connections—Sends a TCP RST to the server to reset idle connections from the identified source when the slow connection attack thresholds set on the Global Settings > Settings page are reached.
Tip: Shift-click to select multiple items.
For more information, see “Aggressive aging”.
Source blocking for slow connections
Enable to apply the “Blocking Period for Identified Sources” configured on the Global Settings > Settings page to the source IP address identified by the slow connection detection feature. If blocking is enabled, the event is logged as a Source Flood and drops are reported on the Monitor > Flood Drops > Layer 3 page.
Caution: Disabled by default. Do not enable if it is typical for the SPP to receive traffic with source IP addresses that are proxy IP addresses (for example, a CDN proxy like Akamai). You want to avoid blocking a proxy IP address because the block potentially affects many users that are legitimately using the same proxy IP address.
To configure with the CLI, use a command sequence similar to the following:
config spp
  edit <spp_name>
    config ddos spp setting
      set inbound-operating-mode {detection | prevention}
      set outbound-operating-mode {detection | prevention}
      set syn-flood-mitigation-direction {inbound | outbound}
      set syn-flood-mitigation-mode {syn-cookie | ack-cookie | syn-retransmission}
      set adaptive-mode adaptive
      set adaptive-limit <percent_int>
      set source-multiplier-inbound <integer>
      set source-multiplier-outbound <integer>
      set layer-7-multipler-inbound <integer>
      set layer-7-multipler-outbound <integer>
      set tcp-session-feature-control {sequence-validation syn-validation state-transition-anomalies-validation foreign-packet-validation allow-tuple-reuse allow-duplicate-syn-in-syn-sent allow-duplicate-syn-in-syn-recv allow-syn-anomaly allow-syn-ack-anomaly allow-ack-anomaly allow-rst-anomaly allow-fin-anomaly}
      set aggressive-aging-feature-control {layer7-flood high-concurrent-connection-per-source high-concurrent-connection-per-destination track-slow-tcp-connections}
      set source-blocking-for-slow-connections {enable|disable}
    end