The SPP Settings configuration includes key feature settings that might vary among SPPs.
Before you begin:
Note: FortiDDoS 600B and 900B do not support DNS ACLs, DNS anomaly detection, or DNS flood mitigation. |
Use this tab to configure:
The following table provides guidelines.
Settings | Guidelines |
---|---|
Operating Mode | |
Inbound operating mode | Set the mode for traffic received from WAN-side interfaces:
|
Outbound operating mode | Set the mode for traffic received from LAN-side interfaces:
|
SYN Flood Mitigation Mode | |
SYN flood mitigation direction |
Enable/disable the feature for one or both traffic directions. Note: If you do not enable SYN flood mitigation, and the TCP session feature control SYN Validation option is enabled, then during a flood, packets from sources not in the legitimate IP address table are not given the opportunity to complete the antispoofing challenge. The packets will be dropped. |
SYN with payload direction |
Enable/disable the feature in one or both traffic directions. A SYN packet with payload is an anomaly that indicates an attack known as a Tsunami SYN Flood. We recommend you enable this feature for inbound traffic. The only reason to disable is if you are running tests with tools that generate SYN packets with payload. Drops due to this anomaly are logged as L4 Anomaly events and included in the Layer 4 Anomaly graphs. |
SYN flood mitigation mode |
|
Adaptive Mode | |
Adaptive mode |
|
Adaptive limit | A percentage of the configured minimum threshold that establishes the upper limit of the estimated threshold. The adaptive limit is an upper rate limit beyond which the system blocks all traffic. The valid range is 100% to 300%. For example, the default is 150%. The system uses the dynamic threshold estimation algorithm to raise the calculated threshold up to 150% of the value of the configured minimum threshold. Thus, if the inbound threshold for Protocol 17 (UDP) is 10,000, the threshold never falls below 10,000 and never exceeds 15,000. When the adaptive limit is 100, the system does not use dynamic threshold estimation to adjust thresholds. |
To configure with the CLI, use a command sequence similar to the following: config spp edit <spp_name> config ddos spp setting set inbound-operating-mode {detection|prevention} set outbound-operating-mode {detection|prevention} set syn-flood-mitigation-direction {inbound|outbound} set syn-flood-mitigation-mode {syn-cookie | ack-cookie | syn-retransmission} set syn-with-payload-direction {inbound|outbound} set adaptive-mode adaptive set adaptive-limit <percent_int> end end |
Use this tab to configure packet count multipliers for identified source attackers and Layer 7 HTTP and DNS attacks.
The following table provides guidelines.
Settings | Guidelines |
---|---|
Source multiplier inbound / outbound | Applies the specified multiplier to the packet count for traffic with a source IP address that the system has identified as the source of a flood. In effect, the multiplier makes traffic from the source violate thresholds sooner. The default is 2. For example, if the most active source threshold is 100 packets per second, and the source multiplier is 4, an identified source attacker will violate the threshold if it sends 26 packets per second. Because incoming traffic is more likely to be the source of a threat, you can configure different multipliers for incoming and outgoing traffic. |
Layer 7 multiplier inbound / outbound | Applies the specified multiplier to the packet count for traffic that the system has detected is related to a Layer 7 HTTP flood. The system tracks HTTP headers (URL or Host, Referer, Cookie or User-Agent header) and associates traffic with matching headers with the attack. The default is 2. Note: When both Source flood and Layer 7 flood conditions are met, the packet count multipliers are compounded. For example, when there is a User Agent flood attack, a source is sending a User-Agent that is overloaded. If the Source multiplier is 4 and the Layer 7 multiplier is 64, the total multiplier that is applied to such traffic is 4 x 64 = 256. In effect, each time the source sends a Layer 7 packet with that particular User-Agent header, FortiDDoS considers each packet the equivalent of 256 packets. |
To configure with the CLI, use a command sequence similar to the following: config spp edit <spp_name> config ddos spp setting set source-multiplier-inbound <integer> set source-multiplier-outbound <integer> set layer-7-multiplier-inbound <integer> set layer-7-multiplier-outbound <integer> end end |
Use this tab to configure:
Table 35 provides summary guidelines.
Special guidelines apply to TCP session feature control when the system is deployed in Detection Mode or Asymmetric Mode. Make sure you understand the recommendations in Understanding FortiDDoS Detection Mode or Understanding FortiDDoS Asymmetric Mode. |
Settings | Guidelines |
---|---|
TCP session feature control |
Select one or more of the following options to detect TCP state anomalies:
Important: See TCP session state anomalies for recommended settings for Detection Mode, Prevention Mode, and Asymmetric Mode. |
The configuration also enables you to allow some TCP state sequences that the system would otherwise detect as a TCP state anomaly when the anomaly detection options are enabled. Select the following options to enable them:
|
|
Aggressive aging TCP connections feature control |
Select to enable aggressive aging options:
For more information, see Aggressive aging. |
Source blocking for slow connections | Enable/disable applying the source blocking when slow connection attacks are detected. |
To configure with the CLI, use a command sequence similar to the following: config spp edit <spp_name> config ddos spp setting set tcp-session-feature-control {sequence-validation syn-validation state-transition-anomalies-validation foreign-packet-validation allow-tuple-reuse allow-duplicate-syn-in-syn-sent allow-duplicate-syn-in-syn-recv allow-syn-anomaly allow-syn-ack-anomaly allow-ack-anomaly allow-rst-anomaly allow-fin-anomaly} set aggressive-aging-feature-control {layer7-flood high-concurrent-connection-per-source track-slow-tcp-connections} set source-blocking-for-slow-connections {enable|disable} end end |
Use this tab to configure DNS traffic anomaly detection. We recommend you enable all DNS anomaly detection options. The configuration is "open" for testing and troubleshooting purposes.
The following table describes the settings.
Settings | Guidelines |
---|---|
DNS header anomaly |
|
DNS query anomaly |
|
DNS response anomaly |
|
DNS buffer overflow anomaly |
|
DNS exploit anomaly |
|
DNS info anomaly |
|
DNS data anomaly |
|
To configure with the CLI, use a command sequence similar to the following: config spp edit <spp_name> config ddos spp setting set dns-anomaly-feature-control {premature-end-of-packet extraneous-data long-ttl qclass-in-reply qtype-in-reply class-not-in invalid-class-type type-all zone-transfer pointer-loop long-name-length long-label-length short-name-length qr-bit-set qr-bit-not-set null-query qd-count-not-one-in-response qd-count-not-one-in-query illegal-flag-combination ra-bit-set invalid-op-code empty-udp tcp-message-long udp-message-long sp-equals-dp tcp-buffer-underflow } end end |
Use this tab to configure DNS feature controls. We recommend you enable all mitigation features. The configuration is "open" for testing and troubleshooting purposes. For an overview of DNS features, see Understanding FortiDDoS DNS attack mitigation.
The following table provides guidelines.
Settings | Guidelines |
---|---|
Match responses with queries (DQRM) |
Enable/disable the DNS query response match (DQRM) table. |
Allow only valid queries under flood (LQ) |
Enable/disable the legitimate query (LQ) table. |
Validate TTL for queries from the same IP under flood |
Enable/disable the time-to-live (TTL) table. |
DNS UDP Anti-spoofing Method inbound/outbound |
Enable/disable anti-spoofing checks for inbound and outbound UDP DNS traffic. |
DNS flood mitigation mode inbound/outbound |
Specify the antispoofing method if the source IP address is not already in the legitimate IP table (LIP):
|
Generate response from cache under flood |
Enable/disable DNS caching. |
Force TCP or forward to server when no cache response available |
If DNS caching is enabled, one of the following behaviors must be configured:
|
Duplicate query check before response | Enable/disable checks for repeated queries from the same source. If enabled, under non-flood conditions, the system checks and drops repeated UDP/TCP queries from the same source if it sends them at a rate greater than 3 per second. Under flood conditions, the duplicate query check is done for TCP and not for UDP. |
Block identified sources |
Enable/disable source IP address blocking periods for violators of any DNS-protection feature (ACL, anomalies, or flood meters). Disabled by default. DNS floods are often spoofed, so we do not recommend blocking an identified source to avoid punishing legitimate clients. Instead, we recommend you rely on the other DNS protection methods. They make packet-by-packet determinations, and are not prone to false positives. The configuration is open, allowing you to enable source blocking if you want to experiment with it in your network. If enabled, when a threshold is reached, packets are dropped and the identified sources are subject to the Blocking Period for Identified Sources configured on the Global Settings > Settings page. When disabled, DNS per-source thresholds (dns-query-per-source and dns-packet-track-per-source) are not tracked and the following graohs will not be updated:
|
Restrict DNS Queries to Specific Subnets |
Enable/disable restriction to DNS queries from unwanted sources from the Internet. This feature allows service providers to protect their recursive or open DNS resolvers. In a typical deployment, the service provider will keep their open resolvers on the LAN or the protected side and their own customers will be on the Internet side. On the Internet side, there will also be the authoritative servers, and rogue DNS clients who send unwanted DNS query floods. To ensure that the DNS queries are only allowed from the service provider’s customers, the service provider must add those subnets into the Restricted Subnets list. By restricting the DNS queries to specific subnets, the service provider can avoid responding to unwanted queries and thus protecting DNS infrastructure from getting overloaded. |
To configure with the CLI, use a command sequence similar to the following: config spp edit <spp_name> config ddos spp setting set dns-authentication-direction {inboud|outbound} set dns-flood-mitigation-mode-inbound {TC-equal-one|dns-retransmission} set dns-flood-mitigation-mode-outbound {TC-equal-one|dns-retransmission} set match-response-with-queries {enable|disable} set validate-ttl-for-queries-from-the-same-ip {enable|disable} set generate-response-from-cache-under-flood {enable|disable} set allow-only-valid-queries-under-flood {enable|disable} set source-blocking-in-dns {enable|disable} set duplicate-query-check {enable|disable} set force-tcp-or-forward-to-server {force-tcp|forward-to-server} set restrict-dns-queries-to-specific-subnets {enable/disable} end end |