Modifying threshold settings
You use the Protection Profiles > Thresholds > Thresholds page to review system recommended thresholds and to make manual adjustments as you fine tune the configuration.
One of the key features of the FortiDDoS solution is the availability of system-recommended thresholds that are adapted automatically according to statistical trends and tested heuristics. We recommend that in most cases you rely on these system-recommended values. In some cases, such as demonstration, test, and troubleshooting situations, you might want to specify user-defined values for one or more thresholds. The threshold configuration is open and can be updated manually.
Before you begin:
You must have an expert understanding of packet rates and other Layer 3, Layer 4, and Layer 7 parameters that you want to set manually. Refer to “Understanding FortiDDoS rate limiting thresholds”.
You must have Read-Write permission for Protection Profile settings.
To configure threshold settings:
1. Go to Protection Profiles > Thresholds > Thresholds.
2. Select the SPP you want to configure from the drop-down list.
3. Select the type of statistics from the drop-down list.
4. Double-click the row for the threshold you want to edit or click Add to create a new entry.
5. Use the configuration editor to set thresholds for inbound and outbound traffic for the settings described in Table 30.
6. Save the configuration.
 
Table 30: Threshold settings configuration
Columns: Settings, Guidelines, Graphs. Each entry below is listed as the setting name, its guidelines, and its Graphs value (Layer 3, Layer 4, Layer 7, or Specific).
 
Scalars
 
syn
Packet/second rate of SYN packets received.
Threshold for a SYN Flood event. When the total SYN rate to the SPP exceeds the threshold, the SYN flood mitigation mode tests are applied to all new connection requests from IP addresses that are not already in the legitimate IP address table.
Graphs: Layer 4
new-connections
Connection/second rate of new connections.
Threshold for zombie floods (when attackers hijack legitimate IP addresses to launch DDoS attacks). When it detects a zombie flood, FortiDDoS blocks all new connection requests for the configured blocking period.
In order to be effective, the new-connections threshold should always be higher than the syn threshold. We recommend that you use the FortiDDoS generated threshold unless you have a specific reason to change it.
Graphs: Layer 4
syn-per-src
Packet/second rate of SYN packets from any one source. No single source in an SPP is allowed to exceed this threshold.
Threshold for a SYN Flood From Source event.
The system applies the blocking period for identified sources.
Graphs: Layer 4
most-active-source
Packet/second rate for the most active source. A source that sends packets at a rate that surpasses this threshold is considered a threat.
Threshold for a source flood. No single source in an SPP is allowed to exceed this threshold, and the system applies the blocking period for identified sources.
Graphs: Layer 3
concurrent-connections-per-source
Count of TCP connections from a single source.
The TCP connection counter is incremented when a connection moves to the established state and decremented when a session times out or closes.
This threshold is used to identify suspicious source IP behavior. An inordinate number of connections is a symptom of both slow and fast TCP connection attacks.
The system applies the blocking period for identified sources. If the aggressive aging high-concurrent-connection-per-source option is enabled, the system also sends a TCP RST to the server to reset the connection.
Graphs: Layer 4
syn-per-dst
Packet/second rate for SYN packets to a single destination.
When the per-destination limits are exceeded for a particular destination, the SYN flood mitigation mode tests are applied to all new connection requests to that particular destination. Traffic to other destinations is not subject to the tests.
The system applies the blocking period for identified sources.
Graphs: Layer 4
most-active-destination
Packet/second rate for the most active destination. A destination that is sent packets at this rate is considered under attack.
Threshold for a destination flood.
Graphs: Layer 3
concurrent-connections-per-destination
Count of TCP connections to a single destination.
The TCP connection counter is incremented when a connection moves to the established state and decremented when a session times out or closes.
This threshold is used to identify abnormal traffic to specific destinations. An inordinate number of connections is a symptom of both slow and fast TCP connection attacks.
The system applies the blocking period for identified sources. If the aggressive aging high-concurrent-connection-per-destination option is enabled, the system also sends a TCP RST to the server to reset the connection.
Graphs: Layer 4
ack-per-dst
Packet/second rate for ACK packets to a single destination.
This threshold is a rate limit only: the system drops packets when the maximum rate is reached, but it does not apply a blocking period.
Graphs: Layer 4
fin-per-dst
Packet/second rate for FIN packets to a single destination.
This threshold is a rate limit only: the system drops packets when the maximum rate is reached, but it does not apply a blocking period.
Graphs: Layer 4
rst-per-dst
Packet/second rate for RST packets to a single destination.
This threshold is a rate limit only: the system drops packets when the maximum rate is reached, but it does not apply a blocking period.
Graphs: Layer 4
estab-per-dst
Count of established TCP connections for a single destination during a SYN flood to that destination.
This threshold is a rate limit only: the system drops packets when the maximum rate is reached, but it does not apply a blocking period.
Graphs: Layer 4
fragment
Packet/second rate of fragmented packets received.
Although the IP specification allows IP fragmentation, excessive fragmented packets can cause some systems to hang or crash.
Graphs: Layer 3
HTTP Methods
 
HTTP/1.1 uses the following set of common methods:
GET
HEAD
OPTIONS
TRACE
POST
PUT
DELETE
CONNECT
Packet/second rate for the specified HTTP method.
Threshold for an HTTP method flood attack.
When the maximum rate is reached, the system drops packets matching the parameter. If the aggressive aging layer7-flood option is enabled, the system also sends a TCP RST to the server to reset the connection.
Graphs: Layer 7
Protocols
 
Protocol Start / End
Packet/second rate for the specified protocol.
When you specify a threshold for protocols, enter a range, even if you are specifying a threshold for a single protocol. For example, to set a threshold for protocol 6, enter 6 for both Protocol Start and Protocol End.
Graphs: Layer 3, Specific
TCP Ports
 
Port Start / End
Packet/second rate for the specified TCP service port. This is helpful to prevent floods against a specific application such as HTTP, FTP, SMTP or SQL. TCP accommodates 64K (65,536) ports, most of which may never be used by a particular server. Conversely, a server might see most or all of its traffic on a small group of TCP ports. For this reason, globally assigning a single threshold to all ports generally does not provide useful protection. However, you can globally set a (usually low) TCP Port Threshold for all TCP ports and then manually configure a higher threshold for the ports your protected network is actually using.
When you specify a threshold for ports, you enter a port range, even if you are specifying a threshold for a single port. For example, to set a threshold for port 8080, enter 8080 for both Port Start and Port End.
Graphs: Layer 4, Specific
UDP Ports
 
Port Start / End
Packet/second rate for the specified UDP service port. When you specify a threshold for ports, you enter a port range, even if you are specifying a threshold for a single port. For example, to set a threshold for port 53, enter 53 for both Port Start and Port End.
Ports 0-1023 are assigned by IANA to well known services. For example, UDP port 53 is assigned to DNS. When you configure threshold rules for well known UDP services in the 0-1023 range, configure rules for the IANA-assigned port. You do not configure rules for the unassigned (ephemeral) ports used by the client, which are numbered above 1023. For example, for DNS, configure an inbound rule and an outbound rule for port 53. FortiDDoS identifies the DNS service if either the source or the destination port is the well known service port.
The inbound and outbound packet counters are incremented when traffic for the service is identified (by either source or destination port). Think of it as a service rate limit rather than a port rate limit.
Graphs: Layer 4, Specific
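The point about service rate limits above is easy to get wrong when reasoning about thresholds, so here is an added example (not FortiDDoS code) that models it: a per-second packet counter that attributes a packet to a UDP service when either its source or its destination port is the service port, so reply traffic from port 53 and query traffic to port 53 both count and the client's ephemeral ports need no rule of their own. The packet tuples, the one-second window size and the threshold values are constructed for illustration.

```python
# Added example (not FortiDDoS code): model a UDP port threshold as a
# *service* rate limit. A packet counts toward the service when EITHER its
# source or its destination port equals the configured service port.
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# (timestamp_seconds, direction, src_port, dst_port); constructed sample traffic
Packet = Tuple[float, str, int, int]

SAMPLE_PACKETS: List[Packet] = [
    (0.10, "inbound", 40123, 53),   # client query: destination is the service port
    (0.20, "outbound", 53, 40123),  # server reply: source is the service port
    (0.30, "inbound", 40124, 53),
    (0.35, "inbound", 40125, 53),
    (0.90, "inbound", 51000, 123),  # NTP traffic, not counted toward DNS
    (1.10, "inbound", 40126, 53),   # second one-second window starts here
    (1.40, "outbound", 53, 40126),
    (1.50, "outbound", 53, 40124),
]


def service_rates(packets: Iterable[Packet], service_port: int) -> Dict[Tuple[int, str], int]:
    """Count packets per (one-second window, direction) for one UDP service.
    The window is the integer part of the timestamp (assumption for this model)."""
    counts: Dict[Tuple[int, str], int] = defaultdict(int)
    for ts, direction, src, dst in packets:
        if src == service_port or dst == service_port:
            counts[(int(ts), direction)] += 1
    return dict(counts)


def exceeded_windows(packets: Iterable[Packet], service_port: int,
                     inbound_threshold: int, outbound_threshold: int) -> List[Tuple[int, str]]:
    """Return the (window, direction) pairs whose packet count is above the
    configured threshold, i.e. where a rate limit would start dropping packets."""
    limits = {"inbound": inbound_threshold, "outbound": outbound_threshold}
    rates = service_rates(packets, service_port)
    return sorted(key for key, n in rates.items() if n > limits[key[1]])


if __name__ == "__main__":
    print(service_rates(SAMPLE_PACKETS, 53))
    # {(0, 'inbound'): 3, (0, 'outbound'): 1, (1, 'inbound'): 1, (1, 'outbound'): 2}
    print(exceeded_windows(SAMPLE_PACKETS, 53, inbound_threshold=2, outbound_threshold=2))
    # [(0, 'inbound')]
```

Note that the reply on line two of the sample is counted as outbound DNS traffic even though its destination port is an ephemeral port; a per-port counter keyed only on the destination port would miss it.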
ICMP Types/Codes
 
ICMP Type/Code Start/End
Packet/second rate for the specified ICMP type/code. The ICMP header includes an 8-bit type field, followed by an 8-bit code field. Together, the two fields can be read as a single hexadecimal number.
A popular use for ICMP is the Echo Request message (type 8) and its corresponding Echo Reply (type 0), which are useful tools to test connectivity and response time. In some cases, this message and reply can also be used as an attack weapon to effectively disable a target system’s network software. Take care when you set the ICMP type 0 and type 8 thresholds to ensure the desired functionality is preserved.
Graphs: Layer 4, Specific
HTTP
 
URL
Packet/second rate for packets with the specified URL match.
When the maximum rate is reached, the system drops packets matching the parameter. If the aggressive aging layer7-flood option is enabled, the system also sends a TCP RST to the server to reset the connection.
Specify the URL for a specific website. Botnets make it easy to launch attacks on specific URLs. When such an attack happens, FortiDDoS can isolate the URL and limit just the traffic that is associated with it, while all other traffic is unaffected. The URL is found in the website’s HTTP GET or POST operations. For example, the URL for http://www.website.com/index.html is /index.html.
When you specify a threshold for a URL, the system generates a corresponding hash index value. FortiDDoS displays the hash index value in the list of URL thresholds. Make note of it. You use the hash value to select this URL elsewhere in the web UI. To view statistics associated with the threshold, go to Monitor > Layer 7 > URLs, and then, for Please enter URL/Hash index, enter either the original URL you specified or the hash index value.
You can use the special prefix sys_reco_v to create hash index ranges that aggregate URLs you are interested in only as a group. For example, assume your team wants to pay close attention to five websites, and all others can be treated essentially the same. For the first five, your configuration is specific: you know the website URL and the corresponding hash index, and FortiDDoS tracks each one individually. The system does not track the others individually, but you can track, as an aggregate, whether those sites experience rising and falling rates, including attacks.
1. Create entries for the five priority websites and note their hash index numbers. Let’s assume the hash index numbers are 1, 20, 21, 39, 40.
2. Create ranges to aggregate the gaps:
a. The first gap is from 2-19, so you create a configuration named sys_reco_v2_19. This includes hash numbers 2 through 19.
b. The second gap is from 22-38, so you create a configuration named sys_reco_v22_38.
c. The next gap is from 41 to the end of the range, so you create a configuration named sys_reco_v41_8192.
Note: You cannot carve a small block out of a large block. If you want to use hash index values that are already in use, you must delete the existing range and then create two ranges.
The valid range of hash index values for URLs is 0-32k per SPP.
Graphs: Specific
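The gap-filling steps above are mechanical, so here is an added example (not FortiDDoS code) that computes the sys_reco_v range names for a set of priority hash indexes and enforces the rule in the Note that a new range may not overlap an existing one. The hash indexes 1, 20, 21, 39 and 40 and the upper bound 8192 are the page's own walkthrough values; the function and parameter names are constructed here.

```python
# Added example (not FortiDDoS code): derive sys_reco_v<start>_<end> range
# names that aggregate the hash indexes between individually tracked URLs,
# and check that a new range does not overlap a range already configured.
from typing import List, Optional, Tuple

PREFIX = "sys_reco_v"


def gap_ranges(priority_hashes: List[int], max_index: int,
               lowest: Optional[int] = None) -> List[str]:
    """Return range names covering every index that is not a priority hash.
    The trailing gap runs up to max_index. A gap below the smallest priority
    hash is emitted only when `lowest` is given, matching the page's
    walkthrough, which starts with the gap after hash 1."""
    tracked = sorted(set(priority_hashes))
    names: List[str] = []
    if lowest is not None and lowest < tracked[0]:
        names.append(f"{PREFIX}{lowest}_{tracked[0] - 1}")
    for current, following in zip(tracked, tracked[1:]):
        if following - current > 1:  # at least one untracked index in between
            names.append(f"{PREFIX}{current + 1}_{following - 1}")
    if tracked[-1] < max_index:
        names.append(f"{PREFIX}{tracked[-1] + 1}_{max_index}")
    return names


def parse_range_name(name: str) -> Tuple[int, int]:
    """Extract (start, end) from a sys_reco_v<start>_<end> configuration name."""
    if not name.startswith(PREFIX):
        raise ValueError(f"not an aggregate range name: {name}")
    start, end = name[len(PREFIX):].split("_")
    return int(start), int(end)


def can_add_range(existing: List[str], new: str) -> bool:
    """False when the new range shares any index with an existing range: the
    page requires deleting the old range and re-creating it as two ranges."""
    new_start, new_end = parse_range_name(new)
    for name in existing:
        start, end = parse_range_name(name)
        if new_start <= end and start <= new_end:
            return False
    return True


if __name__ == "__main__":
    ranges = gap_ranges([1, 20, 21, 39, 40], 8192)
    print(ranges)  # ['sys_reco_v2_19', 'sys_reco_v22_38', 'sys_reco_v41_8192']
    print(can_add_range(ranges, "sys_reco_v5_10"))  # False: 5-10 lies inside 2-19
```

Because hashes 20 and 21 (and 39 and 40) are adjacent, no range is generated between them, which is why the page's walkthrough produces exactly three aggregate ranges.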
Host, Referer, Cookie, User-Agent headers
Packet/second rate for packets with the specified header matches.
When the maximum rate is reached, the system drops packets matching the parameter. If the aggressive aging layer7-flood option is enabled, the system also sends a TCP RST to the server to reset idle connections. A connection is deemed idle if it has not sent traffic in the last 2 minutes.
Specify HTTP header values. With the advent of botnets, it is easy to launch attacks using scripts. Most of the scripts use the same code, so the chances that they all use the same Host, Referer, Cookie, or User-Agent header fields are very high. When such an attack happens, FortiDDoS can easily isolate the four headers among many and limit traffic associated with that specific header value, while all other traffic is unaffected.
As with URL hash indexes, you can use the sys_reco_v prefix to define hash index ranges that aggregate header values you are not specifically interested in.
The valid range of hash index values is 0-511 for each setting for each SPP: Host, Referer, Cookie, User-Agent.
Graphs: Specific
 
 
To configure with the CLI, use a command sequence similar to the following:
config spp
    edit <spp_name>
        config ddos spp scalar-threshold
            edit <threshold_name>
                set type {syn | syn-per-src | most-active-source | concurrent-connections-per-source | most-active-destination | fragment | new-connections | syn-per-dst | ack-per-dst | rst-per-dst | fin-per-dst | estab-per-dst}
                set inbound-threshold <integer>
                set outbound-threshold <integer>
        end
        config ddos spp protocol-threshold
            edit <threshold_name>
                set protocol-start <protocol_int>
                set protocol-end <protocol_int>
                set inbound-threshold <integer>
                set outbound-threshold <integer>
        end
        config ddos spp {tcp-port-threshold | udp-port-threshold}
            edit <threshold_name>
                set port-start <port_int>
                set port-end <port_int>
                set inbound-threshold <integer>
                set outbound-threshold <integer>
        end
        config ddos spp icmp-type-code-threshold
            edit <threshold_name>
                set icmp-type-code-start <type_code_int>
                set icmp-type-code-end <type_code_int>
                set inbound-threshold <integer>
                set outbound-threshold <integer>
        end
        config ddos spp http-method-threshold
            edit <threshold_name>
                set method {get | head | options | trace | post | put | delete | connect}
                set inbound-threshold <integer>
                set outbound-threshold <integer>
        end
        config ddos spp {http-url-threshold | http-host-threshold | http-referer-threshold | http-cookie-threshold | http-user-agent-threshold}
            edit <threshold_name>
                set {url | host | referer | cookie | user-agent} <string>
                set inbound-threshold <integer>
                set outbound-threshold <integer>
        end
end
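When many thresholds are set by hand, it helps to generate the CLI sequence from a structured plan and to check the table's constraints first. The following is an added example, not Fortinet code: it validates that new-connections is higher than syn, that protocol ranges lie in 0-255 and port ranges in 0-65535 with start not above end (a single value is entered as start = end, as the table says), and that HTTP methods are from the supported set, then renders the command sequence shown above. The SPP name and threshold names in the sample plan are constructed; the `next` lines and the final `end` follow standard Fortinet CLI table syntax and are an assumption about how the sequence above is completed.

```python
# Added example (not Fortinet code): validate a threshold plan for one SPP
# against the rules in Table 30 and render the CLI sequence for it.
from typing import Callable, Dict, List, Tuple

SCALAR_TYPES = {
    "syn", "syn-per-src", "most-active-source", "concurrent-connections-per-source",
    "most-active-destination", "fragment", "new-connections", "syn-per-dst",
    "ack-per-dst", "rst-per-dst", "fin-per-dst", "estab-per-dst",
}
HTTP_METHODS = {"get", "head", "options", "trace", "post", "put", "delete", "connect"}

# Constructed sample plan; keys are the threshold names used in "edit <threshold_name>".
SAMPLE_PLAN: Dict = {
    "scalar": {"syn": {"inbound": 1000, "outbound": 1000},
               "new-connections": {"inbound": 1500, "outbound": 1500}},
    "udp-port": {"dns": {"start": 53, "end": 53, "inbound": 4000, "outbound": 4000}},
    "http-method": {"post-flood": {"method": "post", "inbound": 500, "outbound": 500}},
}


def validate(plan: Dict) -> List[str]:
    """Return a list of problems; an empty list means the plan is consistent."""
    problems: List[str] = []
    scalars = plan.get("scalar", {})
    for name in scalars:
        if name not in SCALAR_TYPES:
            problems.append(f"unknown scalar type {name}")
    if "syn" in scalars and "new-connections" in scalars:
        for d in ("inbound", "outbound"):
            if scalars["new-connections"][d] <= scalars["syn"][d]:
                problems.append(f"new-connections {d} threshold must be higher than syn")
    for name, r in plan.get("protocol", {}).items():
        if not 0 <= r["start"] <= r["end"] <= 255:
            problems.append(f"protocol range {name} must satisfy 0 <= start <= end <= 255")
    for table in ("tcp-port", "udp-port"):
        for name, r in plan.get(table, {}).items():
            if not 0 <= r["start"] <= r["end"] <= 65535:
                problems.append(f"{table} range {name} must satisfy 0 <= start <= end <= 65535")
    for name, r in plan.get("http-method", {}).items():
        if r["method"] not in HTTP_METHODS:
            problems.append(f"http-method {name}: unknown method {r['method']}")
    return problems


def _entry(lines: List[str], name: str, settings: List[Tuple[str, object]],
           inbound: int, outbound: int) -> None:
    lines.append(f"        edit {name}")
    for key, value in settings:
        lines.append(f"            set {key} {value}")
    lines.append(f"            set inbound-threshold {inbound}")
    lines.append(f"            set outbound-threshold {outbound}")
    lines.append("        next")


def render_cli(spp_name: str, plan: Dict) -> str:
    """Render the CLI sequence for the plan; raise ValueError if validation fails."""
    problems = validate(plan)
    if problems:
        raise ValueError("; ".join(problems))
    port_settings: Callable = lambda n, r: [("port-start", r["start"]), ("port-end", r["end"])]
    tables = [
        ("scalar-threshold", "scalar", lambda n, r: [("type", n)]),
        ("protocol-threshold", "protocol",
         lambda n, r: [("protocol-start", r["start"]), ("protocol-end", r["end"])]),
        ("tcp-port-threshold", "tcp-port", port_settings),
        ("udp-port-threshold", "udp-port", port_settings),
        ("http-method-threshold", "http-method", lambda n, r: [("method", r["method"])]),
    ]
    lines = ["config spp", f"    edit {spp_name}"]
    for cli_table, key, settings_for in tables:
        entries = plan.get(key, {})
        if not entries:
            continue
        lines.append(f"        config ddos spp {cli_table}")
        for name, r in entries.items():
            _entry(lines, name, settings_for(name, r), r["inbound"], r["outbound"])
        lines.append("        end")
    lines += ["    next", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_cli("spp_web", SAMPLE_PLAN))
```

The scalar entries use the type name as the threshold name for brevity; any name is accepted by the CLI syntax shown above, and the `set type` line is what selects the counter.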