A typical workflow for investigating FortiDDoS attack events

Whenever there is an attack, you should investigate until you fully understand why packets were dropped, and you know whether the attack event is a false positive.

A typical FortiDDoS attack investigation includes the following steps:

  1. Identify the destination and source.
  2. Identify the type of attack.
  3. Identify the attack size.
  4. Analyze Layer 3, Layer 4, and Layer 7 parameters to understand the attack method.

Step 1: Identifying the destination and source

Most of the statistics graphs identify the SPP and the direction of the attack, so if there is only one subnet in the attacked SPP, you can easily determine the attack destination.

If the SPP contains more than one subnet, you can use the following reports to determine the attack destination:

The following reports can be used to determine the attack source:

Note: DDoS attacks are often spoofed attacks. Source information is not provided as it is irrelevant.

Step 2: Identifying the type of attack

The following reports can be used to determine the type of attack:

Table 14 describes DDoS attack types and identifies the FortiDDoS events to look for.

Table 14: Types of attacks

| Attack | Description | Threshold to monitor/adjust | Events to watch |
|---|---|---|---|
| SYN attack | A spike in packets on a specific TCP port. In most cases, the source address is spoofed. | Layer 3 - TCP protocol (6); Layer 4 - TCP ports on which the server is listening and ports that are allowed by the firewall and ACL; Layer 4 - SYN; Layer 4 - New connections | Protocol 6 Flood; SYN Flood; Zombie Flood; Port Flood |
| Source flood | A single source sends an excessive number of IP packets. | Layer 3 - Most active source | Source Flood |
| Zombie attack | A spike in TCP packets from legitimate IP addresses. | Layer 3 - TCP protocol (6); Layer 4 - TCP ports on which the server is listening and ports that are allowed by the firewall and ACL; Layer 4 - SYN; Layer 4 - Established connections per destination (estab-per-dst); Layer 4 - SYN per source (syn-per-src); Layer 4 - New connections | Layer 3 Protocol 6; SYN Flood; Zombie Flood; Port Flood; SYN Flood from Source |
| Fragment flood | An excessive number of fragmented packets. | Layer 3 - Fragmented packets | Fragment Flood |
| ICMP flood | An excessive number of ICMP packets. | Layer 3 - ICMP protocol (1); Layer 4 - ICMP type and code combinations that are allowed by the firewall and ACL | Protocol 1 Flood; Layer 4 ICMP Flood of a specific type and code |
| Smurf attack | Traffic that appears to originate from the target server's own IP address or somewhere on its network. Targeted correctly, it can flood the network with pings and multiple responses. | Layer 3 - ICMP protocol (1); Layer 4 - ICMP type and code combinations that are allowed by the firewall and ACL | Protocol 1 Flood; ICMP Flood of Echo-Request/Response Type (Type = 0, Code = 0) |
| MyDoom attack | An excessive number of HTTP packets from zombies. | Layer 3 - TCP protocol (6); Layer 4 - TCP port 80; Layer 4 - SYN; Layer 4 - New connections; Layer 4 - Established connections | Protocol 6 Flood; SYN Flood; Zombie Flood; Port Flood |
| HTTP GET attack | An excessive number of HTTP packets from zombies. | Layer 3 - TCP protocol (6); Layer 4 - TCP ports on which the server is listening and ports that are allowed by the firewall and ACL; Layer 4 - SYN; Layer 4 - New connections; Layer 4 - Concurrent connections per source; Layer 7 - HTTP Methods; Layer 7 - URL | Protocol 6 Flood; SYN Flood; Zombie Flood; Port Flood; TCP Connection Flood; HTTP Method Flood; URL Flood |
| Slow connection attack | Legitimate IP sources send legitimate TCP connections but do it slowly and remain idle, which fills up the server's connection table memory. | Layer 3 - TCP protocol (6); Layer 4 - TCP ports on which the server is listening and ports that are allowed by the firewall and ACL; Layer 4 - SYN; Layer 4 - New connections; Layer 4 - Concurrent connections per source | Layer 3 Protocol 6; SYN Flood; Zombie Flood; Port Flood; Concurrent Connections/Source |
| UDP flood attack | An excessive number of UDP packets. | Layer 3 - UDP protocol (17); Layer 4 - UDP ports on which the server is listening and ports that are allowed by the firewall and ACL | Protocol 17 Flood; Port Flood |
| Slammer attack | An excessive number of packets on UDP port 1434. | Layer 3 - UDP protocol (17); Layer 4 - UDP port 1434 | Protocol 17 UDP Flood; Port Flood - 1434 |
| Fraggle attack | Spoofed UDP packets to a list of broadcast addresses. Usually the packets are directed to port 7 on the target machines, which is the echo port. Other times, they are directed to the CHARGEN port. Sometimes a hacker is able to set up a loop between the echo and CHARGEN ports. | Layer 3 - ICMP protocol (1); Layer 3 - UDP protocol (17); Layer 4 - UDP echo port (7); Layer 4 - Daytime Protocol port (13); Layer 4 - Quote of the Day (QOTD) port (17); Layer 4 - UDP Character Generator protocol (CHARGEN) port (19); Layer 4 - ICMP Type/Codes specific to host/port not available | Protocol 1 Flood; Protocol 17 Flood; UDP Port 7 Flood; UDP Port 13 Flood; UDP Port 17 Flood; UDP Port 19 Flood; ICMP Flood of Port Not Available Type, Code (3,3); ICMP Flood of Host Not Available Type, Code (3,1) |
| DNS Port Flood | An excessive number of packets on UDP port 53. | Layer 3 - UDP protocol (17); Layer 4 - UDP port 53 | Protocol 17 UDP Flood; UDP Port 53 Flood; ICMP Port/Host not available Flood |
| DNS Query Flood | A spike in DNS queries and occurrences of query data. | Layer 7 - DNS query-related thresholds | DNS Query Flood |

Step 3: Identifying the attack size

You can use the Monitor graphs to analyze the dimensions of the attack: increases in throughput and drops.

Step 4: Analyzing attack parameters in each OSI layer

You can use the DDoS Attack log or the Monitor graphs to analyze aggregate throughput and drops due to Layer 3, Layer 4, and Layer 7 FortiDDoS rate thresholds or ACL rules.

  1. Start with the following graphs to identify the layer at which the attack is happening:
  2. Drill down further by accessing statistics specific to each layer and attack type.
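The four steps above and the event-to-attack mapping in Table 14 can be scripted as a triage pass over exported attack events. The following is an added example, not Fortinet code; the CSV-like record layout and the sample events are constructed for the example (real FortiDDoS log fields differ), and only a subset of Table 14 is encoded. It groups events per SPP and direction (steps 1 and 3), sums drops per layer (step 4), and ranks the Table 14 attack types by how many of the observed events each one explains, so that a bare "SYN Flood" is not mistaken for a plain SYN attack when Layer 7 events also fired (step 2).

```python
from collections import defaultdict

# Subset of Table 14: attack type -> "Events to watch", event names as in the table.
TABLE_14 = {
    "SYN attack": {"Protocol 6 Flood", "SYN Flood", "Zombie Flood", "Port Flood"},
    "Zombie attack": {"Protocol 6 Flood", "SYN Flood", "Zombie Flood", "Port Flood",
                      "SYN Flood from Source"},
    "HTTP GET attack": {"Protocol 6 Flood", "SYN Flood", "Zombie Flood", "Port Flood",
                        "TCP Connection Flood", "HTTP Method Flood", "URL Flood"},
    "Slow connection attack": {"Protocol 6 Flood", "SYN Flood", "Zombie Flood",
                               "Port Flood", "Concurrent Connections/Source"},
    "DNS Port Flood": {"Protocol 17 UDP Flood", "UDP Port 53 Flood",
                       "ICMP Port/Host not available Flood"},
}

# Constructed sample records (not the real FortiDDoS log format):
# spp,direction,layer,event,destination subnet,dropped packets
SAMPLE_LOG = """\
SPP-1,inbound,Layer 3,Protocol 6 Flood,203.0.113.0/24,120000
SPP-1,inbound,Layer 4,SYN Flood,203.0.113.0/24,95000
SPP-1,inbound,Layer 4,Port Flood,203.0.113.0/24,80000
SPP-1,inbound,Layer 7,URL Flood,203.0.113.0/24,40000
SPP-1,inbound,Layer 7,HTTP Method Flood,203.0.113.0/24,30000
SPP-2,inbound,Layer 4,UDP Port 53 Flood,198.51.100.0/24,5000
"""

def parse_log(text):
    keys = ("spp", "direction", "layer", "event", "subnet", "drops")
    rows = [dict(zip(keys, line.split(","))) for line in text.splitlines()]
    return [{**r, "drops": int(r["drops"])} for r in rows]

def triage(rows):
    """Steps 1-3: group by SPP/direction -> destination subnets, drops per layer.
    Steps 2/4: rank Table 14 attack types by share of observed events explained
    (tie-break: share of the type's own events that were seen)."""
    by_target = defaultdict(list)
    for r in rows:
        by_target[(r["spp"], r["direction"])].append(r)
    report = {}
    for key, recs in by_target.items():
        seen = {r["event"] for r in recs}
        layers = defaultdict(int)
        for r in recs:
            layers[r["layer"]] += r["drops"]
        scored = sorted(((len(seen & ev) / len(seen), len(seen & ev) / len(ev), a)
                         for a, ev in TABLE_14.items() if seen & ev), reverse=True)
        report[key] = {"destination": sorted({r["subnet"] for r in recs}),
                       "total_drops": sum(layers.values()), "drops_by_layer": dict(layers),
                       "candidates": [a for _, _, a in scored]}
    return report
```

For SPP-1 the ranking puts HTTP GET attack first because the URL Flood and HTTP Method Flood events are only explained by that row, while the SYN attack, Zombie attack and Slow connection attack rows remain as lower-ranked candidates to rule out with the Layer 4 statistics.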