Understanding FortiDDoS Detection Mode
In Detection Mode, FortiDDoS logs events and builds traffic statistics for SPPs, but it does not take actions: it does not drop or block traffic, and it does not aggressively age connections. Packets are passed through the system to and from protected subnets. Any logs and reports that show drop or blocking activity are actually simulations of drop or block actions the system would have taken if it were deployed in Prevention Mode.
When you get started with FortiDDoS, you deploy it in Detection Mode for 2-14 days so that the FortiDDoS system can learn the baseline of normal inbound and outbound traffic. The length of the initial learning period depends upon the seasonality of traffic (its predictable or expected variations) and how representative of normal traffic conditions the learning period is. Ensure that there are no attacks during the initial learning period and that it is long enough to be a representative period of activity. If activity is heavier in one part of the week than another, ensure that your initial learning period includes periods of both high and low activity. Weekends alone are an insufficient learning period for businesses that have substantially different traffic during the week. Thus, it is better to start the learning period on a weekday. In most cases, 7 days is sufficient to capture the weekly seasonality in traffic.
At the end of the initial learning period, you can adopt system-recommended thresholds (usually lower than the factory default) and continue to use Detection Mode to review logs for false positives and false negatives. As needed, you repeat the tuning: adjust thresholds and monitor the results.
When you are satisfied with the system settings, change to Prevention Mode. In Prevention Mode, the appliance drops packets and blocks sources that violate ACL rules and DDoS attack detection thresholds.
Note: In Detection Mode, the FortiDDoS system forwards all packets, but a simulated drop might be recorded. TCP session control options depend on the true TCP state, and simulated drops when the appliance is in Detection Mode can lead to unexpected results. For example, if the system records a (simulated) drop for a TCP connection, when subsequent packets arrive for the connection, the system treats them as foreign packets because the state table entry indicates the session has already been closed.
Table 7 summarizes our guidelines for SYN flood mitigation and TCP session state settings in Detection Mode.
Table 7: SYN flood mitigation and TCP state anomaly detection settings
Settings | Guidelines |
Global Settings > Settings |
SYN Flood Mitigation | The SYN flood mitigation mode settings are not applicable and disregarded. In Detection Mode, the FortiDDoS system does not drop packets, so it cannot test the legitimacy of source IP addresses. |
Protection Profiles > SPP Settings > TCP session feature control |
syn-validation | Do not enable. This option enables SYN flood mitigation mode, which is not applicable in Detection Mode. |
seq-validation | Do not enable. Simulated “drops” in Detection Mode lead to incorrect window validations for subsequent session packets. |
state-transition-anomalies-validation | Do not enable. Simulated “drops” in Detection Mode lead to faulty tracking of session state. |
foreign-packet-validation | Do not enable. Simulated “drops” in Detection Mode lead to unexpected foreign packet violations. |
allow-tuple-reuse | Exception to the rule. Enabled by default to support standard test environments that reuse tuples in quick succession. The setting is valid in Detection Mode. Recommended to avoid unnecessary logging of the event when it is detected. |
allow-duplicate-syn-in-syn-sent | Exception to the rule. Not enabled by default, but the setting is valid in Detection Mode. Recommended to avoid unnecessary logging. |
allow-duplicate-syn-in-syn-recv allow-syn-anomaly allow-syn-ack-anomaly allow-ack-anomaly allow-rst-anomaly allow-fin-anomaly | Do not enable. |
Table 8 summarizes expected behavior for slow connection detection and aggressive aging settings.
Table 8: Slow connection detection and aggressive aging settings
Settings | Guidelines |
Global Settings > Settings |
Slow TCP Connection and Partial HTTP request thresholds, observation periods, and blocking periods | In Detection Mode, slow connection detection and aggressive aging are automatically disabled. |
Protection Profiles > SPP Settings > Aggressive Aging TCP connection feature control |
high-concurrent-connection-per-source high-concurrent-connection-per-destination layer7-flood track-slow-tcp-connections | In Detection Mode, slow connection detection is disabled, so the track-slow-tcp-connections setting is ignored. The concurrent connection per source, concurrent connection per destination, and Layer 7 floods are detected and reported as expected. However, in Detection Mode, no TCP RST packet is sent, so there is no additional value when the aggressive aging action for these counters is enabled. If enabled, these settings have no effect. |