Chapter 4: Service Protection Profiles (SPP) > Configuring SPP settings

Configuring SPP settings

The SPP Settings configuration includes key feature settings that might vary among SPPs.

Before you begin:

To configure SPP settings:
  1. Go to Protection Profiles > SPP Settings.
  2. Select the SPP you want to configure from the drop-down list.
  3. Click a tab to display its configuration page. Complete the configuration as described in the following sections:
  4. Save the configuration.
Note: FortiDDoS 600B and 900B do not support DNS ACLs, DNS anomaly detection, or DNS flood mitigation.

General tab

Use this tab to configure:

The following table provides guidelines.

 Table 35:   SPP configuration - General tab
Settings Guidelines
Operating Mode
Inbound operating mode Set the mode for traffic received from WAN-side interfaces:

  • Detection—Logs events and builds traffic statistics for the profile but does not limit or block traffic.
  • Prevention—Limits and blocks traffic that exceeds thresholds.
Outbound operating mode Set the mode for traffic received from LAN-side interfaces:

  • Detection—Logs events and builds traffic statistics for the profile but does not limit or block traffic.
  • Prevention—Limits and blocks traffic that exceeds thresholds.
SYN Flood Mitigation Mode
SYN flood mitigation direction

Enable/disable the feature for one or both traffic directions.

 

Note: If you do not enable SYN flood mitigation, and the TCP session feature control SYN Validation option is enabled, then during a flood, packets from sources not in the legitimate IP address table are not given the opportunity to complete the antispoofing challenge. The packets will be dropped.
SYN with payload direction

Enable/disable the feature in one or both traffic directions.

A SYN packet with payload is an anomaly that indicates an attack known as a Tsunami SYN Flood. We recommend you enable this feature for inbound traffic. The only reason to disable is if you are running tests with tools that generate SYN packets with payload.

Drops due to this anomaly are logged as L4 Anomaly events and included in the Layer 4 Anomaly graphs.
SYN flood mitigation mode
  • ACK cookie—Sends the client two ACK packets: one with a correct ACK number and another with a wrong number. The system determines whether the source is spoofed based on the client’s response. If the client’s response indicates that the source is not spoofed, FortiDDoS allows the connection and adds the source to the legitimate IP address table. Fortinet recommends this option if you have enough bandwidth in the reverse direction of the attack.
  • SYN cookie—Sends a SYN/ACK with a cookie value in the TCP sequence field. If it receives an ACK back with the right cookie, an RST/ACK packet is sent and the IP address is added to the legitimate IP address table. If the client then retries, it succeeds in making a TCP connection. Fortinet recommends this option if you cannot use ACK Cookie and you anticipate high volume attacks. Fortinet recommends this option if you cannot use ACK Cookie and you anticipate high volume attacks.
  • SYN retransmission—Drops the initial SYNs to force the client to send a SYN again. If the expected number of retransmitted SYNs arrive within the predetermined time period, the system considers the source to be legitimate. FortiDDoS then allows the connection to go through and adds the source to the legitimate IP address table. Fortinet recommends this option if you cannot use ACK Cookie and you anticipate low volume attacks.
Adaptive Mode
Adaptive mode
  • Fixed—Does not use the adaptive limit. The configured minimum thresholds are the maximum limits.
  • Adaptive—Uses the adaptive limit. The configured minimum thresholds multiplied by the adaptive limit are the maximum limits.
Adaptive limit A percentage of the configured minimum threshold that establishes the upper limit of the estimated threshold. The adaptive limit is an upper rate limit beyond which the system blocks all traffic. The valid range is 100% to 300%.

For example, the default is 150%. The system uses the dynamic threshold estimation algorithm to raise the calculated threshold up to 150% of the value of the configured minimum threshold. Thus, if the inbound threshold for Protocol 17 (UDP) is 10,000, the threshold never falls below 10,000 and never exceeds 15,000.

When the adaptive limit is 100, the system does not use dynamic threshold estimation to adjust thresholds.

To configure with the CLI, use a command sequence similar to the following:

config spp

edit <spp_name>

config ddos spp setting

set inbound-operating-mode {detection|prevention}

set outbound-operating-mode {detection|prevention}

set syn-flood-mitigation-direction {inbound|outbound}

set syn-flood-mitigation-mode {syn-cookie | ack-cookie | syn-retransmission}

set syn-with-payload-direction {inbound|outbound}

set adaptive-mode adaptive

set adaptive-limit <percent_int>

end

end

Source Tracking tab

Use this tab to configure packet count multipliers for identified source attackers and Layer 7 HTTP and DNS attacks.

The following table provides guidelines.

 Table 36:   SPP configuration - Source Tracking tab
Settings Guidelines
Source multiplier inbound / outbound Applies the specified multiplier to the packet count for traffic with a source IP address that the system has identified as the source of a flood. In effect, the multiplier makes traffic from the source violate thresholds sooner. The default is 2.

For example, if the most active source threshold is 100 packets per second, and the source multiplier is 4, an identified source attacker will violate the threshold if it sends 26 packets per second. Because incoming traffic is more likely to be the source of a threat, you can configure different multipliers for incoming and outgoing traffic.
Layer 7 multiplier inbound / outbound Applies the specified multiplier to the packet count for traffic that the system has detected is related to a Layer 7 HTTP flood. The system tracks HTTP headers (URL or Host, Referer, Cookie or User-Agent header) and associates traffic with matching headers with the attack. The default is 2.

Note: When both Source flood and Layer 7 flood conditions are met, the packet count multipliers are compounded. For example, when there is a User Agent flood attack, a source is sending a User-Agent that is overloaded. If the Source multiplier is 4 and the Layer 7 multiplier is 64, the total multiplier that is applied to such traffic is 4 x 64 = 256. In effect, each time the source sends a Layer 7 packet with that particular User-Agent header, FortiDDoS considers each packet the equivalent of 256 packets.

 

To configure with the CLI, use a command sequence similar to the following:

config spp

edit <spp_name>

config ddos spp setting

set source-multiplier-inbound <integer>

set source-multiplier-outbound <integer>

set layer-7-multiplier-inbound <integer>

set layer-7-multiplier-outbound <integer>

end

end

TCP tab

Use this tab to configure:

Table 35 provides summary guidelines.

Special guidelines apply to TCP session feature control when the system is deployed in Detection Mode or Asymmetric Mode. Make sure you understand the recommendations in Understanding FortiDDoS Detection Mode or Understanding FortiDDoS Asymmetric Mode.

 Table 37:   SPP configuration - TCP tab

Settings Guidelines
TCP session feature control

Select one or more of the following options to detect TCP state anomalies:

  • Sequence validation—The FortiDDoS TCP state machine ensures that TCP sequence numbers for the packets within a session are valid.
  • SYN validation—Required to support SYN Flood Mitigation.

    If SYN Validation is not enabled, packets are not dropped during a SYN flood.

    If SYN Validation is enabled, during a SYN flood, the TCP state machine allows only TCP SYNs from IP addresses in the legitimate IP address (LIP) table (sources that have done a three-way handshake in the recent past). SYNs from source IP addresses that do not have an entry in the LIP table must pass a SYN Flood Mitigation challenge to be added to the LIP table.
  • State transition anomalies validation—The TCP state machine ensures that TCP state transitions follow the rules. For example, if an ACK packet is received when FortiDDoS has not observed a SYN/ACK packet, it is a state transition anomaly.
  • Foreign packet validation—The TCP state machine drops TCP packets without an existing TCP connection and reports them as a foreign packet. In most cases, the foreign packet validation is useful for filtering out junk, but enabling it is not important. The number of foreign packets can be high, so the system does not store the source and destination of each packet. Therefore, you might not be able to determine the origin of a foreign packet. Foreign packet drops are logged in the DDoS Attack Log (State Anomalies event).

Important: See TCP session state anomalies for recommended settings for Detection Mode, Prevention Mode, and Asymmetric Mode.

The configuration also enables you to allow some TCP state sequences that the system would otherwise detect as a TCP state anomaly when the anomaly detection options are enabled.

Select the following options to enable them:

  • Allow tuple reuse—Allow this exception to Sequence validation (if enabled). Otherwise, these are logged as a “State Anomalies: Outside window” event. When the “allow” option is enabled, the FortiDDoS TCP state machine updates the TCP entry when a tuple is reused. This update occurs only during the closed or close-wait, fin-wait, time-wait states, when the connection is just about to retire. Useful in testing environments where test equipment reuses tuples in rapid succession. Enabled by default. Cannot be disabled.
  • Allow duplicate SYN-in-SYN-SENT—Allow this exception to Sequence validation (if enabled). Otherwise, these are logged as a “State Anomalies: Outside window” event. When the “allow” option is enabled, the TCP state machine allows duplicate TCP SYN packets during the SYN-SENT state. It allows this type of packet even if the sequence numbers are different. Disabled by default. We suggest you enable this in Detection Mode.
  • Allow duplicate SYN-in-SYN-RECV—Allow this exception to Sequence validation (if enabled). Otherwise, these are logged as a “State Anomalies: Outside window” event. When the “allow” option is enabled, the TCP state machine allows duplicate TCP SYN packets during the SYN-RECV state. It allows this type of packet even if the sequence numbers are different. Disabled by default. Normally these violations are not expected in real-world traffic but might be seen in test environments.
  • Allow SYN anomaly, Allow SYN-ACK anomaly, Allow ACK anomaly, Allow RST anomaly, Allow FIN anomaly—Allow these exceptions to State transition anomalies (if enabled). Otherwise, these are logged as a “State Anomalies: State transition error” event. When the “allow” options are enabled, the TCP state machine allows duplicate TCP packets during any other state even if the sequence numbers are different from the existing connection entry. This is equivalent to allowing the packet without updating an existing connection entry with the new information from the allowed packet. Disabled by default. Normally these violations are not expected in real-world traffic but might be seen in test environments. In most cases, these options should remain disabled to enforce TCP compliance.
Aggressive aging TCP connections feature control

Select to enable aggressive aging options:

  • Layer 7 flood—Sends a TCP RST to the destination server to reset idle connections when a Layer 7 flood is detected.
  • High concurrent connections per source—Sends a TCP RST to the destination server to reset idle connections from the identified source when the maximum is reached for the concurrent-connection-per-source threshold.
  • Track slow TCP connections—Sends a TCP RST to the destination server to reset idle connections from the identified source when the slow connection attack thresholds set on the Global Settings > Settings page are reached. Slow connection detection events are logged in the DDoS Attack Log (Slow Connection: Agrressive Aging).

For more information, see Aggressive aging.
Source blocking for slow connections Enable/disable applying the source blocking when slow connection attacks are detected.

To configure with the CLI, use a command sequence similar to the following:

config spp

edit <spp_name>

config ddos spp setting

set tcp-session-feature-control {sequence-validation syn-validation state-transition-anomalies-validation foreign-packet-validation allow-tuple-reuse allow-duplicate-syn-in-syn-sent allow-duplicate-syn-in-syn-recv allow-syn-anomaly allow-syn-ack-anomaly allow-ack-anomaly allow-rst-anomaly allow-fin-anomaly}

set aggressive-aging-feature-control {layer7-flood high-concurrent-connection-per-source track-slow-tcp-connections}

set source-blocking-for-slow-connections {enable|disable}

end

end

DNS Anomalies tab

Use this tab to configure DNS traffic anomaly detection. We recommend you enable all DNS anomaly detection options. The configuration is "open" for testing and troubleshooting purposes.

The following table describes the settings.

 Table 38:   SPP configuration - DNS Anomalies tab

Settings Guidelines
DNS header anomaly
  • Invalid op-code—Invalid value in the OpCode field.
  • SP, DP both 53—Normally, all DNS queries are sent from a high-numbered source port (49152 or above) to destination port 53, and responses are sent from source port 53 to a high-numbered destination port. If the header has port 53 for both, it is probably a crafted packet.
  • Illegal flag combination—Invalid combination in the flags field.
DNS query anomaly
  • Query bit set—DNS query with the query reply (QR) bit set to 1. In a legitimate query, QR=0.
  • RA bit set—DNS query with the recursion allowed (RA) bit set. The RA bit is set in responses, not queries.
  • Null query—DNS query in which the question, answer, additional, and name server counts are 0.
  • QDCNT not 1 in query—Number of entries in the question section of the DNS packet is normally 1. Otherwise, it might be an exploit attempt.
DNS response anomaly
  • QCLASS in reply—DNS response with a resource specifying a CLASS ID reserved for queries only (QCLASS).
  • Query bit not set—DNS response with the query reply (QR) bit set to 0. In a legitimate response, QR=1.
  • QTYPE in reply—DNS response with a resource specifying a TYPE ID reserved for queries only (QTYPE).
  • QDCNT not 1 in response—Number of entries in the question section of the DNS packet is normally 1. Otherwise, it might be an exploit attempt.
DNS buffer overflow anomaly
  • TCP Message too long—TCP query or response message that exceeds the maximum length specified in the message header.
  • Label length too large—Query or response with a label that exceeds the maximum length (63) specified in the RFC.
  • UDP message too long—UDP query or response message that exceeds the maximum length specified in the message header.
  • Name too long—DNS name that exceeds 255 characters. This can cause problems for some DNS servers.
DNS exploit anomaly
  • Pointer loop—DNS message with a pointer that points beyond the end of data (RFC sec4.1.4). This is an exploit attempt.
  • Class is not IN—A query/response in which the question/resource address class is not IN (Internet Address). Although allowed by the RFC, this is rare and might indicate an exploit attempt.
  • Message ends prematurely—A message that ends prematurely might indicate an exploit attempt.
  • Zone transfer—An asynchronous Transfer Full Range (AXFR) request (QTYPE=252) from untrusted networks is likely an exploit attempt.
  • Empty UDP message—An empty message might indicate an exploit attempt.
  • TCP Buffer underflow—A query/response with less than two bytes of data specified in the two-byte prefix field.
DNS info anomaly
  • Type ALL used—Detects a DNS request with request type set to ALL (QTYPE=255).
DNS data anomaly
  • Invalid type, class—A query/response with TYPE or CLASS reserved values.
  • TTL too long—TTL value is greater than 7 days (or 604800 seconds).
  • Extraneous data—A query/response with excess data in the packet after valid DNS data.
  • Name length too short—A query/response with a null DNS name.

 

To configure with the CLI, use a command sequence similar to the following:

config spp

edit <spp_name>

config ddos spp setting

set dns-anomaly-feature-control {premature-end-of-packet extraneous-data long-ttl qclass-in-reply qtype-in-reply class-not-in invalid-class-type type-all zone-transfer pointer-loop long-name-length long-label-length short-name-length qr-bit-set qr-bit-not-set null-query qd-count-not-one-in-response qd-count-not-one-in-query illegal-flag-combination ra-bit-set invalid-op-code empty-udp tcp-message-long udp-message-long sp-equals-dp tcp-buffer-underflow }

end

end

 

DNS Feature Controls tab

Use this tab to configure DNS feature controls. We recommend you enable all mitigation features. The configuration is "open" for testing and troubleshooting purposes. For an overview of DNS features, see Understanding FortiDDoS DNS attack mitigation.

The following table provides guidelines.

 Table 39:   SPP configuration - DNS Feature Control tab

Settings Guidelines
Match responses with queries (DQRM)

Enable/disable the DNS query response match (DQRM) table.
Allow only valid queries under flood (LQ)

Enable/disable the legitimate query (LQ) table.
Validate TTL for queries from the same IP under flood

Enable/disable the time-to-live (TTL) table.
DNS UDP Anti-spoofing Method inbound/outbound

Enable/disable anti-spoofing checks for inbound and outbound UDP DNS traffic.

DNS flood mitigation mode inbound/outbound

Specify the antispoofing method if the source IP address is not already in the legitimate IP table (LIP):

  • Force TCP (TC=1)—Return a DNS response to the client that has the DNS Truncate bit set and no response record data. A properly implemented DNS client will respond to the spoofed response by retrying the original DNS query using TCP port 53.
  • DNS Query Retransmission—Drop packets and test for valid retransmission. A valid client is expected to retransmit the queries within preset time windows.
Generate response from cache under flood

Enable/disable DNS caching.
Force TCP or forward to server when no cache response available

If DNS caching is enabled, one of the following behaviors must be configured:

  • Force TCP (TC=1)—Return a DNS response to the client that has the DNS Truncate bit set and no response record data. A properly implemented DNS client will respond to the spoofed response by retrying the original DNS query using TCP port 53.
  • Forward to Server—Forward the DNS query to the DNS server.
Duplicate query check before response Enable/disable checks for repeated queries from the same source. If enabled, under non-flood conditions, the system checks and drops repeated UDP/TCP queries from the same source if it sends them at a rate greater than 3 per second. Under flood conditions, the duplicate query check is done for TCP and not for UDP.
Block identified sources

Enable/disable source IP address blocking periods for violators of any DNS-protection feature (ACL, anomalies, or flood meters). Disabled by default. DNS floods are often spoofed, so we do not recommend blocking an identified source to avoid punishing legitimate clients. Instead, we recommend you rely on the other DNS protection methods. They make packet-by-packet determinations, and are not prone to false positives.

The configuration is open, allowing you to enable source blocking if you want to experiment with it in your network. If enabled, when a threshold is reached, packets are dropped and the identified sources are subject to the Blocking Period for Identified Sources configured on the Global Settings > Settings page.

When disabled, DNS per-source thresholds (dns-query-per-source and dns-packet-track-per-source) are not tracked and the following graohs will not be updated:

  • Layer 7 > DNS > Query Per Source > DNS Query Per Source Egress Max Packet Rate/Sec
  • Layer 7 > DNS > Suspicious Sources > Packet Track Per Source Egress Max Packet Rate/Sec

 
Restrict DNS Queries to Specific Subnets

Enable/disable restriction to DNS queries from unwanted sources from the Internet.

This feature allows service providers to protect their recursive or open DNS resolvers. In a typical deployment, the service provider will keep their open resolvers on the LAN or the protected side and their own customers will be on the Internet side. On the Internet side, there will also be the authoritative servers, and rogue DNS clients who send unwanted DNS query floods.

To ensure that the DNS queries are only allowed from the service provider’s customers, the service provider must add those subnets into the Restricted Subnets list. By restricting the DNS queries to specific subnets, the service provider can avoid responding to unwanted queries and thus protecting DNS infrastructure from getting overloaded.

 

To configure with the CLI, use a command sequence similar to the following:

config spp

edit <spp_name>

config ddos spp setting

set dns-authentication-direction {inboud|outbound}

set dns-flood-mitigation-mode-inbound {TC-equal-one|dns-retransmission}

set dns-flood-mitigation-mode-outbound {TC-equal-one|dns-retransmission}

set match-response-with-queries {enable|disable}

set validate-ttl-for-queries-from-the-same-ip {enable|disable}

set generate-response-from-cache-under-flood {enable|disable}

set allow-only-valid-queries-under-flood {enable|disable}

set source-blocking-in-dns {enable|disable}

set duplicate-query-check {enable|disable}

set force-tcp-or-forward-to-server {force-tcp|forward-to-server}

set restrict-dns-queries-to-specific-subnets {enable/disable}

end

end