Key Concepts : A typical workflow for investigating FortiDDoS attack events
Whenever there is an attack, you should investigate until you fully understand why packets were dropped, and you know whether the attack event is a false positive.
A typical FortiDDoS attack investigation includes the following steps:
1. Identify the destination and source.
2. Identify the type of attack.
3. Identify the attack size.
4. Analyze Layer 3, Layer 4, and Layer 7 parameters to understand the attack method.
Step 1: Identifying the destination and source
Most of the statistics graphs identify the SPP and the direction of the attack, so, if there is only one subnet in the attacked SPP, you can easily determine the attack destination.
If the SPP contains more than one subnet, you can use the following reports to determine the attack destination:
Executive Summary report
Attack Graphs dashboard
DDoS Attack Logs
The following reports can be used to determine the attack source:
Executive Summary report
Attack Graphs dashboard
DDoS Attack Logs
Note: DDoS attacks are often spoofed attacks. Source information is not provided as it is irrelevant.
Step 2: Identifying the type of attack
The following reports can be used to determine the type of attack:
Executive Summary report
Attack Graphs dashboard
DDoS Attack Logs
Table 12 describes DDoS attack types and identifies the FortiDDoS events to look for.
Table 12: Types of attacks (columns: Attack; Description; Threshold to monitor/adjust; Events to watch)

SYN attack
Description: An excessive number of packets on a specific TCP port. In most cases, the source address is spoofed.
Threshold to monitor/adjust: Layer 3 – TCP protocol (6); Layer 4 – TCP ports on which the server is listening and ports that are allowed by the firewall and ACL; Layer 4 – SYN
Events to watch: Protocol 6 Flood; SYN Flood; Zombie Flood; Port Flood

UDP flood attack
Description: An excessive number of UDP packets.
Threshold to monitor/adjust: Layer 3 – UDP protocol (17); Layer 4 – UDP ports on which the server is listening and ports that are allowed by the firewall and ACL
Events to watch: Protocol 17 Flood; Port Flood

ICMP flood
Description: An excessive number of ICMP packets.
Threshold to monitor/adjust: Layer 3 – ICMP protocol (1); Layer 4 – ICMP type and code combinations that are allowed by the firewall and ACL
Events to watch: Protocol 1 Flood; Layer 4 ICMP Flood of a specific type and code

Fragment flood
Description: An excessive number of fragmented packets.
Threshold to monitor/adjust: Layer 3 – Fragmented packets
Events to watch: Fragment Flood

Source flood
Description: A single source sends an excessive number of IP packets.
Threshold to monitor/adjust: Layer 3 – Most active source
Events to watch: Source Flood

Zombie attack
Description: Too many legitimate IP sources send legitimate TCP packets.
Threshold to monitor/adjust: Layer 3 – TCP protocol (6); Layer 4 – TCP ports on which the server is listening and ports that are allowed by the firewall and ACL; Layer 4 – SYN; Layer 4 – Established connections per destination (estab-per-dst); Layer 4 – SYN per source (syn-per-src)
Events to watch: Layer 3 Protocol 6; SYN Flood; Zombie Flood; Port Flood; SYN Flood from Source

Slow connection buildup
Description: Legitimate IP sources open legitimate TCP connections but do so slowly and then remain idle, which fills up the server's connection table memory.
Threshold to monitor/adjust: Layer 3 – TCP protocol (6); Layer 4 – TCP ports on which the server is listening and ports that are allowed by the firewall and ACL; Layer 4 – SYN; Layer 4 – New connections; Layer 4 – Concurrent connections per source; Layer 4 – Concurrent connections per destination
Events to watch: Layer 3 Protocol 6; SYN Flood; Zombie Flood; Port Flood; Excess Concurrent Connections/Source; Excess Concurrent Connections/Destination

Slammer attack
Description: An excessive number of packets on UDP port 1434.
Threshold to monitor/adjust: Layer 3 – UDP protocol (17); Layer 4 – UDP port 1434
Events to watch: Protocol 17 UDP Flood; Port Flood – 1434

DNS attack
Description: An excessive number of packets on UDP port 53.
Threshold to monitor/adjust: Layer 3 – UDP protocol (17); Layer 4 – UDP port 53
Events to watch: Protocol 17 UDP Flood; UDP Port 53 Flood; ICMP Port/Host not available Flood

MyDoom attack
Description: An excessive number of HTTP packets from zombies.
Threshold to monitor/adjust: Layer 3 – TCP protocol (6); Layer 4 – TCP port 80; Layer 4 – SYN; Layer 4 – New connections; Layer 4 – Established connections
Events to watch: Protocol 6 Flood; SYN Flood; Zombie Flood; Port Flood

Smurf attack
Description: Traffic that appears to originate from the target server's own IP address or from somewhere on its network. Targeted correctly, it can flood the network with pings and multiple responses.
Threshold to monitor/adjust: Layer 3 – ICMP protocol (1); Layer 4 – ICMP type and code combinations that are allowed by the firewall and ACL
Events to watch: Protocol 1 Flood; ICMP Flood of Echo-Request/Response Type (Type = 0, Code = 0)

Fraggle attack
Description: Spoofed UDP packets sent to a list of broadcast addresses. Usually the packets are directed to port 7 on the target machines, which is the echo port. Other times they are directed to the Character Generator Protocol (CHARGEN) port. Sometimes a hacker is able to set up a loop between the echo and CHARGEN ports.
Threshold to monitor/adjust: Layer 3 – ICMP protocol (1); Layer 3 – UDP protocol (17); Layer 4 – UDP echo port (7); Layer 4 – Daytime Protocol port (13); Layer 4 – Quote of the Day (QOTD) port (17); Layer 4 – UDP Character Generator protocol (CHARGEN) port (19); Layer 4 – ICMP type/codes specific to host/port not available
Events to watch: Protocol 1 Flood; Protocol 17 Flood; UDP Port 7 Flood; UDP Port 13 Flood; UDP Port 17 Flood; UDP Port 19 Flood; ICMP Flood of Port Not Available Type, Code (3,3); ICMP Flood of Host Not Available Type, Code (3,1)

HTTP GET attack
Description: An excessive number of HTTP packets from zombies.
Threshold to monitor/adjust: Layer 3 – TCP protocol (6); Layer 4 – TCP ports on which the server is listening and ports that are allowed by the firewall and ACL; Layer 4 – SYN; Layer 4 – New connections; Layer 4 – Concurrent connections per source; Layer 4 – Concurrent connections per destination; Layer 7 – HTTP methods; Layer 7 – URL
Events to watch: Protocol 6 Flood; SYN Flood; Zombie Flood; Port Flood; TCP Connection Flood; HTTP OpCode Flood (HTTP Method Flood); URL Flood

Note: FortiDDoS has applicable thresholds for each SPP at Layer 3 and Layer 4. A Layer 4 packet is, by definition, also a Layer 3 packet. However, blocked traffic is only displayed at the highest layer at which a threshold was violated. For example, FortiDDoS reports a packet causing a TCP connection flood as Layer 4 dropped traffic only, even though the corresponding Layer 3 envelope is also blocked.
Step 3: Identifying the attack size
You can use the Monitor graphs to analyze the dimensions of the attack: increases in throughput and drops.
Step 4: Analyzing attack parameters in each OSI layer
You can use the DDoS Attack log or the Monitor graphs to analyze aggregate throughput and drops due to Layer 3, Layer 4, and Layer 7 FortiDDoS rate thresholds or ACL rules.
1. Start with the following graphs to identify the layer at which the attack is happening:
Aggregate Flood Drops
Aggregate ACL Drops
Anomaly Drops statistics
2. Drill down further by accessing statistics specific to each layer and attack type.
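The four steps above can be rehearsed offline against exported attack events. The following script is an added example written for this page; it is not FortiDDoS code and does not reproduce the real DDoS Attack Log format. It assumes a constructed, simplified one-event-per-line format (`spp=`, `dir=`, `dst=`, `src=`, `layer=`, `event=`, `drops=`), groups events per SPP and direction (Step 1), matches the observed event names against the "Events to watch" sets from Table 12 (Step 2; only attack types whose event sets are distinguishable without port information are included, so MyDoom, Slammer, DNS, Smurf and Fraggle are left out), totals the drops (Step 3) and attributes them to the layer that reported them (Step 4), relying on the rule that a drop is shown only at the highest layer whose threshold fired. Malformed lines are skipped rather than aborting the triage.

```python
"""Offline triage of DDoS attack events following the four-step workflow.

Added example, not FortiDDoS code. The event format below is constructed
for this example; the product's real DDoS Attack Log format is different.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed format: one event per line.
EVENT_RE = re.compile(
    r'^(?P<ts>\S+) spp=(?P<spp>\S+) dir=(?P<dir>\S+) dst=(?P<dst>\S+) '
    r'src=(?P<src>\S+) layer=(?P<layer>[347]) event="(?P<event>[^"]+)" '
    r'drops=(?P<drops>\d+)$'
)

# "Events to watch" from Table 12 for attack types that can be told apart
# by event names alone (port-specific types such as MyDoom are omitted).
SIGNATURES = {
    "SYN attack": {"Protocol 6 Flood", "SYN Flood", "Zombie Flood", "Port Flood"},
    "UDP flood attack": {"Protocol 17 Flood", "Port Flood"},
    "ICMP flood": {"Protocol 1 Flood"},
    "Fragment flood": {"Fragment Flood"},
    "Source flood": {"Source Flood"},
    "Zombie attack": {"Protocol 6 Flood", "SYN Flood", "Zombie Flood",
                      "Port Flood", "SYN Flood from Source"},
    "Slow connection buildup": {"Protocol 6 Flood", "SYN Flood", "Zombie Flood",
                                "Port Flood", "Excess Concurrent Connections/Source",
                                "Excess Concurrent Connections/Destination"},
    "HTTP GET attack": {"Protocol 6 Flood", "SYN Flood", "Zombie Flood", "Port Flood",
                        "TCP Connection Flood", "HTTP OpCode Flood (HTTP Method Flood)",
                        "URL Flood"},
}

# Constructed sample events (addresses are documentation ranges).
SAMPLE_LOG = """\
2024-01-01T10:00:01Z spp=SPP-web dir=inbound dst=203.0.113.10 src=unknown layer=3 event="Protocol 6 Flood" drops=120000
2024-01-01T10:00:01Z spp=SPP-web dir=inbound dst=203.0.113.10 src=unknown layer=4 event="SYN Flood" drops=95000
2024-01-01T10:00:02Z spp=SPP-web dir=inbound dst=203.0.113.10 src=unknown layer=4 event="Port Flood" drops=40000
2024-01-01T10:00:02Z spp=SPP-web dir=inbound dst=203.0.113.10 src=unknown layer=4 event="Zombie Flood" drops=5000
2024-01-01T10:00:03Z spp=SPP-web dir=inbound dst=203.0.113.11 src=unknown layer=3 event="Protocol 6 Flood" drops=300
2024-01-01T10:00:03Z spp=SPP-dns dir=inbound dst=203.0.113.53 src=198.51.100.7 layer=3 event="Source Flood" drops=2000
this line is malformed and must be skipped, not crash the triage
"""


@dataclass(frozen=True)
class Event:
    spp: str
    direction: str
    dst: str
    src: str
    layer: int
    event: str
    drops: int


def parse_events(text: str) -> list[Event]:
    """Parse the constructed format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        events.append(Event(m["spp"], m["dir"], m["dst"], m["src"],
                            int(m["layer"]), m["event"], int(m["drops"])))
    return events


def classify(events_seen: set[str]) -> list[str]:
    """Step 2: attack types whose whole Table 12 event set was observed,
    most specific (largest set) first."""
    matches = [name for name, sig in SIGNATURES.items() if sig <= events_seen]
    return sorted(matches, key=lambda n: (-len(SIGNATURES[n]), n))


def triage(events: list[Event]) -> dict[tuple[str, str], dict]:
    """Steps 1, 3 and 4 for every (SPP, direction) pair in the events."""
    groups = defaultdict(list)
    for ev in events:
        groups[(ev.spp, ev.direction)].append(ev)
    report = {}
    for key, evs in groups.items():
        by_dst, by_layer, seen, sources = Counter(), Counter(), set(), set()
        for ev in evs:
            by_dst[ev.dst] += ev.drops
            # A drop is reported once, at the highest layer whose threshold
            # fired, so summing by reported layer does not double count the
            # Layer 3 envelope of a Layer 4 drop.
            by_layer[ev.layer] += ev.drops
            seen.add(ev.event)
            if ev.src != "unknown":          # spoofed floods carry no usable source
                sources.add(ev.src)
        top_dst, top_drops = by_dst.most_common(1)[0]
        report[key] = {
            "destination": top_dst,                       # Step 1
            "destination_drops": top_drops,
            "sources": sorted(sources),                   # empty: likely spoofed
            "attack_types": classify(seen),               # Step 2
            "total_drops": sum(by_layer.values()),        # Step 3
            "drops_by_layer": dict(sorted(by_layer.items())),  # Step 4
            "drill_down_layer": max(by_layer, key=by_layer.get),
        }
    return report


if __name__ == "__main__":
    for (spp, direction), summary in triage(parse_events(SAMPLE_LOG)).items():
        print(spp, direction, summary)
```

The `drill_down_layer` value points at the layer to open first in Step 4 (the layer carrying most drops); an empty `sources` list alongside a SYN or UDP flood match is the expected picture for a spoofed flood, so the absence of source data is itself a finding rather than a gap.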