Configuring global settings
Global settings specify system behavior and detection settings that apply to all traffic, in contrast to SPP settings, which apply to traffic to and from the subnet matched in the SPP policy.
Before you begin:
You must have Read-Write permission for Global Settings.
To configure global settings:
1. Go to Global Settings > Settings > Settings.
2. Click Add to display the configuration editor.
3. Complete the configuration as described in Table 16.
4. Save the configuration.
Table 16: System-wide settings configuration
Settings
Guidelines
Link Down Synchronization
Wire—If one link in a peer port pair goes down, take down the other link, synchronizing the link state. When the down link becomes available, both links are brought up.
Hub—Do not synchronize the link state.
Note: The system is restarted when you change this setting.
Power Failure Bypass Mode
Fail Open—Default. Use to enable built-in bypass. The interfaces form a wire and pass traffic through without performing any monitoring or prevention tasks.
Fail Closed—Use with an external bypass unit or for the primary node in an HA active-passive deployment. Interfaces do not pass traffic. The external bypass system can detect the outage and forward traffic around the FortiDDoS.
Applicable only for FortiDDoS models with copper ports or fixed LC connectors. For more information, see “Built-in bypass”.
Blocking Periods
Blocking Period for All Attacks
How long to block traffic from any source when a rate flood event has been triggered. The default is 15 seconds. The valid range is 1 to 15.
When the blocking period is over, the rate threshold is checked again.
For example, if the value is 15, when the system detects a flood, it blocks the packets associated with that flood for 15 seconds. If the traffic still qualifies as an attack after the blocking period expires, it blocks the traffic for another 15 seconds, and so on.
For more information about blocking periods, see “Blocking” and “Reducing false positives”.
Blocking Period for Identified Sources
How long to block all traffic from the source IP address that triggered a rate flood event or slow connection attack. The default is 60 seconds. The valid range is 1 to 65,535.
When a rate flood event is triggered, the system multiplies the packet rate from the source of the blocked packets by the value of the source multiplier. If the calculated rate exceeds the value of the most-active-source threshold, the system identifies the IP address of the source as a source attacker.
This blocking period setting is also the blocking period for identified sources of slow connection attacks. Note, however, that the source multiplier and most-active-source threshold are not applicable to slow connection attack prevention.
Extended Blocking Period for Identified Sources
How long to block all traffic from a source IP address associated with an attack resulting in the number of dropped packets specified in the next setting. The default is 60 seconds. The valid range is 1 to 65,535.
Additional blocking period when the attack results in packet drops that exceed your specified threshold.
Drop Threshold to Extend Blocking Period for Identified Sources
Number of dropped packets that trigger the extended blocking period.
The default is 5,000 dropped packets.
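The following is an added, hypothetical model of the blocking-period behaviour described above; it is not FortiDDoS code. The flood rate threshold, source multiplier and most-active-source threshold are SPP-level settings this page only references, so their values here are assumed.

```python
from dataclasses import dataclass, field

# Hypothetical model of the blocking-period behaviour described above; not FortiDDoS code.
# Values marked "assumed" are SPP-level settings this page only references.
@dataclass
class BlockingConfig:
    blocking_period: int = 15           # Blocking Period for All Attacks (seconds)
    source_blocking_period: int = 60    # Blocking Period for Identified Sources (seconds)
    extended_blocking_period: int = 60  # Extended Blocking Period for Identified Sources
    drop_threshold: int = 5000          # Drop Threshold to Extend Blocking Period
    flood_threshold_pps: int = 1000     # assumed: SPP rate threshold for this flood type
    source_multiplier: int = 4          # assumed: SPP source multiplier
    most_active_source_pps: int = 2000  # assumed: SPP most-active-source threshold

@dataclass
class BlockState:
    flood_block_until: int = 0                              # second the flood block expires
    source_block_until: dict = field(default_factory=dict)  # src -> second its block expires
    source_drops: dict = field(default_factory=dict)        # src -> packets dropped while blocked
    extended: set = field(default_factory=set)              # sources already given the extension

def tick(cfg, state, now, rates):
    """One second of traffic: rates maps source IP -> packets of the flood type seen.
    Returns source IP -> packets allowed through this second."""
    passed = {}
    # The rate threshold is only re-checked once the current blocking period has expired.
    if now >= state.flood_block_until and sum(rates.values()) > cfg.flood_threshold_pps:
        state.flood_block_until = now + cfg.blocking_period
        for src, pps in rates.items():
            # Identify a source attacker: per-source rate * multiplier vs most-active-source.
            if (pps * cfg.source_multiplier > cfg.most_active_source_pps
                    and now >= state.source_block_until.get(src, 0)):
                state.source_block_until[src] = now + cfg.source_blocking_period
                state.source_drops[src] = 0
                state.extended.discard(src)
    flood_active = now < state.flood_block_until
    for src, pps in rates.items():
        if now < state.source_block_until.get(src, 0):
            # Identified source: drop all its traffic, count drops, extend once past threshold.
            state.source_drops[src] += pps
            if state.source_drops[src] > cfg.drop_threshold and src not in state.extended:
                state.source_block_until[src] += cfg.extended_blocking_period
                state.extended.add(src)
            passed[src] = 0
        elif flood_active:
            passed[src] = 0  # flood block: packets of the flood type are dropped from any source
        else:
            passed[src] = pps
    return passed
```

Running a constructed stream (one source at 1500 pps, one at 200 pps) through tick shows the 15-second re-check, the 60-second source block and the one-time extension once more than 5,000 packets have been dropped.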
HTTP Anomaly Responses
HTTP Anomaly
Select one or more of the following HTTP anomaly responses:
known-opcode-anomaly—Reserved for future use.
unknown-opcode-anomaly—Drop HTTP traffic that uses a method other than one of the following: GET, HEAD, OPTIONS, PUT, POST, CONNECT, DELETE, or TRACE. For example, TEST or PROPFIND. Generates the attack log message ‘Unknown HTTP Anomaly’.
invalid-opcode-anomaly—Drop HTTP traffic with an HTTP version other than one of the following: 0.9, 1.0, or 1.1. Generates the attack log message ‘Invalid HTTP Version Anomaly’.
http-version-0-9—Allow HTTP version 0.9 traffic. By default, it is dropped.
Tip: Shift-click to select multiple items.
For more information about protocol anomalies, see “Understanding FortiDDoS protocol anomaly protection”.
Drop HTTP Range Header
Enable to drop sessions when the HTTP request includes the HTTP Range header. The Range header can be abused by attackers to exhaust HTTP server resources.
Disabled by default. Enable this feature if you know that your protected HTTP servers do not use the Range header, or when your protected network is being attacked with methods that exploit HTTP Range header behavior.
IPv6 Addresses
IPv6 Prefix Length
Number of bits that make up the IPv6 prefix in your address range. The prefix is the fixed portion of the IPv6 address in your address range. FortiDDoS uses the 32-bit portion of the address that follows the fixed portion to assign traffic to profiles.
The configuration has the following options:
32—A prefix length of 32 means FortiDDoS will match bits 33-64 to the IP addresses specified in SPP policy rules.
64—A prefix length of 64 means FortiDDoS will match bits 65-96 to the IP addresses specified in SPP policy rules.
96—A prefix length of 96 means FortiDDoS will match bits 97-128 to the IP addresses specified in SPP policy rules.
Select the shortest length that is large enough to include your prefix length. For example, if your address range has a 48-bit prefix, select 64. In the next box (IPv6 Prefix), type only the 48-bit prefix. In this example, the FortiDDoS system will match bits 65-96 to the IP addresses specified in SPP policy rules.
IPv6 Prefix
Specify the IPv6 prefix (without the mask). The length of the IPv6 Prefix must be less than or equal to the IPv6 Prefix Length.
For example, 2001:DB8:12AB:: is a 48-bit prefix, so the IPv6 Prefix Length is 64 and the IPv6 Prefix is 2001:DB8:12AB::.
The FortiDDoS system uses the first 64 bits of the prefix you specify to define the address it uses in traffic generated by the system, for example, the SYN and ACK cookies used for SYN flood mitigation, and the RST and ACK packets used for aggressive aging. It also uses the prefix in diagnostic traffic.
Note: The IPv6 prefix specified in SPP policy rules must match the prefix configured here. If you change the settings here, you must delete the SPP policies that have IPv6 addresses and recreate them to correspond to the new prefix values.
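The following added helpers (hypothetical code, not FortiDDoS firmware) show how the IPv6 Prefix Length setting selects the 32 bits matched against SPP policy rules, how to check that a configured IPv6 Prefix fits within that length, and which /64 the system uses for its own generated traffic.

```python
import ipaddress

# Hypothetical helpers (not FortiDDoS code) for the IPv6 Prefix Length / IPv6 Prefix settings.
VALID_PREFIX_LENGTHS = (32, 64, 96)

def choose_prefix_length(actual_prefix_bits):
    """Shortest setting (32, 64 or 96) that still covers the real prefix, e.g. 48 -> 64."""
    for setting in VALID_PREFIX_LENGTHS:
        if setting >= actual_prefix_bits:
            return setting
    raise ValueError("a prefix longer than 96 bits leaves no 32-bit field to match on")

def validate_prefix(prefix, prefix_length):
    """True if the configured IPv6 Prefix fits within prefix_length bits, i.e. every bit
    after the fixed portion is zero (the prefix is 'less than or equal to' the length)."""
    if prefix_length not in VALID_PREFIX_LENGTHS:
        raise ValueError("IPv6 Prefix Length must be 32, 64 or 96")
    host_mask = (1 << (128 - prefix_length)) - 1
    return int(ipaddress.IPv6Address(prefix)) & host_mask == 0

def policy_match_bits(address, prefix_length):
    """The 32-bit value that follows the fixed portion: bits prefix_length+1 .. prefix_length+32.
    With prefix length 64 this is bits 65-96, as the table above describes."""
    if prefix_length not in VALID_PREFIX_LENGTHS:
        raise ValueError("IPv6 Prefix Length must be 32, 64 or 96")
    shift = 128 - prefix_length - 32
    return (int(ipaddress.IPv6Address(address)) >> shift) & 0xFFFFFFFF

def system_address_prefix(prefix):
    """The /64 built from the first 64 bits of the configured prefix, which the system uses
    as the address for traffic it generates (SYN/ACK cookies, aggressive-aging RSTs)."""
    return ipaddress.IPv6Network(f"{prefix}/64", strict=False)
```

With the page's example prefix 2001:DB8:12AB:: and a constructed host address 2001:db8:12ab:1:c0a8:101::10, a prefix length of 64 yields the field c0a8:0101 and a prefix length of 32 yields 12ab:0001.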
Geolocation ACL
Geolocation Policy
The geolocation policy feature enables you to block traffic from the countries you specify, as well as anonymous proxies and satellite providers, whose geolocation is unknown.
Select one of the following options to determine how geolocation rules in the Global ACL can be configured:
Allow all and deny some—You use the Global ACL rulebase to deny specified countries, anonymous proxies, and satellite providers.
Deny all and allow some—You use the Global ACL rulebase to allow specified countries, anonymous proxies, and satellite providers.
Rules are based on the configured Geolocation address objects. See “Configuring Geolocation addresses”.
Anti-spoofing Rules
Local Address Anti-spoofing
These rules can be used to prevent attacks that spoof your internal addresses. Enable one or more anti-spoofing rules that consult the local address configuration:
Inbound source must not be local address—Blocks inbound packets that have a source address inside the network. The source address is definitely spoofed.
Inbound destination must be local address—Blocks inbound packets that do not have a destination in your network. The destination address is illegitimate.
Outbound source must be local address—Blocks outbound packets with a spoofed address. Reduces the risk of your network being used in spoof attacks.
Outbound destination must not be local address—Blocks outbound packets with a destination inside your local network.
Rules are based on the addresses you add to the Local address configuration. See “Configuring Local addresses”.
Asymmetric Mode
Asymmetric Mode
Enable when deployed in a network segment where traffic can take asymmetric routes.
Special considerations and configuration changes are required. See “Understanding FortiDDoS Asymmetric Mode”.
This option is not enabled by default.
Allow inbound SYN/ACK
Enable only when you enable Asymmetric Mode. When there is asymmetric traffic, the system might receive inbound SYN/ACK packets. When this option is enabled, these packets are treated as if there is a valid connection on which to accept data (if the connection does not already exist).
Tap Mode
Tap Mode
Enable when deployed out-of-path in conjunction with a FortiBridge or FortiTap appliance.
Special considerations and configuration changes are required. See “Tap Mode deployments”.
This option is not enabled by default.
Slow Connection Detection
Source MAC Address for Aggressive Aging
MAC address used to send TCP resets to the protected server when aggressive aging is triggered.
By default, the system uses the MAC address of the management interface (mgmt1), but the MAC address displayed in the web UI is 00:00:00:00:00:00.
If you change this setting, the system uses the MAC address you specify.
Slow connection type
Select one of the following options:
None: Do not monitor for slow connection attacks.
Moderate: Uses predefined thresholds to detect slow connection attacks.
Aggressive: Uses more aggressive (lower) thresholds to detect slow connection attacks.
User-defined: Enables advanced users to specify custom thresholds to detect slow connection attacks.
Note: To avoid false positives, Fortinet recommends you initially set the option to moderate and switch to aggressive only if required.
When the User-defined option is selected, the defaults are the maximum values, so we recommend you use the predefined Moderate and Aggressive values as guidelines to help you specify your own settings.
Predefined slow connection thresholds (Setting: Range; Moderate; Aggressive):
HTTP partial request per source threshold (count): 1 to 65,535; Moderate 100; Aggressive 20.
HTTP partial request to response observation period (seconds): 0 to 1,023; Moderate 120; Aggressive 5.
Slow TCP connection byte threshold (bytes): 1 to 65,535; Moderate 512; Aggressive 2048.
Slow TCP connection observation period (seconds): 15 to 480; Moderate 30; Aggressive 15.
For more information about slow connection detection, see “Slow connection attacks”.
To configure with the CLI, use a command sequence similar to the following:
config ddos global setting
set link-down-synchronization {wire|hub}
set power-fail-bypass-mode {fail-open|fail-closed}
set blocking-period <int>
set source-blocking-period <int>
set extended-blocking-period <int>
set drop-threshold-within-blocking-period <int>
set http-anomaly {http-version-0-9 invalid-op-code-anomaly known-opcode-anomaly unknown-opcode-anomaly}
set drop-http-header-range {enable|disable}
set ip-v6-prefix-length {32|64|96}
set ip-v6-prefix <ip_prefix>
set geolocation {deny-all-allow-some|allow-all-deny-some}
set local-address-anti-spoofing {inbound-source-must-not-be-local-address inbound-destination-must-be-local-address outbound-source-must-be-local-address outbound-destination-must-not-be-local-address}
set asymmetric-mode {enable|disable}
set asymmetric-mode-allow-inbound-synack {enable|disable}
set tap-mode {enable|disable}
set slow-connection-type {aggressive|moderate|none|user-defined}
set source-mac-address-aggressive-aging <address>
end