Chapter 4: Service Protection Profiles (SPP) > Managing thresholds

Managing thresholds

This section includes the following information:

Using system recommended thresholds

We recommend you use the system recommendation feature to set thresholds for most types of traffic. The system recommendation procedure sets the configured minimum threshold to a percentage of the generated baseline rates.

You use the Protection Profiles > Thresholds > System Recommendation page to set the multiplier for each OSI layer. The resulting configured minimum thresholds are populated on the Protection Profiles > Thresholds > Thresholds page. As you become a FortiDDoS expert, you can tune the thresholds on the Protection Profiles > Thresholds > Threshold page.

Table 40 explains how the system recommendation feature sets thresholds.

Table 40: How the system recommendation feature sets thresholds

Threshold Group | Notes

Scalar thresholds
  • Thresholds are set to either the observed maximum multiplied by the Layer 3 or Layer 4 percentage, or to the low traffic threshold, whichever is higher.
  • The system recommendation procedure sets the following L7 scalar meters to the system maximum rate (not traffic history times the Layer 7 adjustment percentage): DNS Query per Source, DNS Packet Track per Source (Suspicious Sources on Monitor Graphs), DNS Question Count.
  • The system recommendation procedure sets the following L3 and L4 scalar meters to the system maximum rate (not traffic history times the Layer 3 or 4 adjustment percentage): Most Active Destination, New Connections.

Protocol thresholds
  • The system recommendation procedure does not set the threshold for TCP protocol (6) and UDP protocol (17).

TCP/UDP Port, ICMP Type/Code
  • Packet rates vary across ports, SPPs, and traffic direction.
  • All contiguous TCP/UDP ports or ICMP type/codes that have the same inbound and outbound traffic rates are grouped into ranges.
  • The number of ranges is limited to 512 to optimize the internal configuration database.
  • The system recommendation procedure uses an algorithm to generate a set of ranges and packet rate thresholds for them. The algorithm is based on the following factors:
    • The recorded baseline traffic for ports or type/codes from 0 to 64K.
    • If the traffic is below the low traffic value, the low traffic value is considered the baseline.
    • Otherwise, the recorded baseline rates are multiplied by the Layer 4 adjustment percentage.
    • The resulting rates are divided by 512 to determine a round-up factor.
    • Rates are rounded up to the next multiple of the round-up factor.
    • If the number of ranges is below 512, the thresholds are set.
    • Otherwise, the rates are rounded to the next multiple of the round-up factor, and so on, until the number of ranges is below 512. Then, the thresholds are set.
  • The system recommendation procedure does not set the threshold for widely used TCP service ports 20-23, 25, 53, 80, 110, 139, 443 and 590, or for TCP/UDP SIP ports 5060 and 5061. It does not set the threshold for user-configured HTTP service ports. The thresholds for these are set to high values.
  • For FortiDDoS models that support DNS features (all models except 600B and 900B), the system recommendation procedure does not set a threshold for UDP port 53 because there are more granular DNS counters to detect floods. For 600B and 900B, the procedure does set a threshold for port 53.

HTTP Method
  • Thresholds are set to either the observed maximum multiplied by the Layer 7 percentage, or to the low traffic threshold, whichever is higher.

URL, Host, Cookie, Referer, User-Agent
  • The rate meters for URLs and HTTP headers are based on indexes.
  • Packet rates vary across these indexes, SPPs, and traffic direction, depending on the time the baseline is taken.
  • The “observed maximum” used by the system recommendation procedure is the packet rate at the 95th percentile of observed rates for all indexes (excluding indexes with zero traffic), unless the number of indexes is unusually low. If low, the highest rate across all indexes is used.
  • Thresholds are set to either the observed maximum multiplied by the Layer 7 percentage, or to the low traffic threshold, whichever is higher.

Before you begin:

To generate the system recommended thresholds:
  1. Go to Protection Profiles > Thresholds > System Recommendation.
  2. Select the SPP you want to configure from the drop-down list.
  3. Complete the configuration as described in Table 41.
  4. Click Save to generate the system recommended thresholds.
  5. Go to Protection Profiles > Thresholds > Thresholds and review the thresholds.


Table 41: Adjusting the system recommended thresholds

Settings | Guidelines

Layer <N> adjustment
  • Percentage—Multiply the generated rates by the specified percentage to compute the recommended thresholds.
  • Factory default—Use factory default values instead of the recommended values. The factory default values are high so that the appliance can be placed inline and not immediately drop traffic.

Layer <N> percentage
  Multiply the generated maximum rates by the specified percentage to compute the recommended thresholds. For example, if the value is 100%, the threshold is equal to the generated maximum rate. If it is 300%, the threshold is three times the generated maximum rate.
  The default adjustment for Layer 3 is 300. The default for Layer 4 is 200. The default for Layer 7 is 200. The valid range is 100 to 500.

Layer <N> low traffic threshold
  Specify a minimum threshold to use instead of the recommended rate when the recommended rate is lower than this value. This setting is helpful when you think that the generated maximum rates are too low to be useful. The default is 1000.

For example, assume the generated maximum packet rate for inbound Layer 4 TCP packets is 2,000 and the outbound rate is 3,000. The Layer 4 percentage is 300 (percent) and the Layer 4 low traffic threshold is 8,000.

In this example, the recommended threshold for inbound packets is 8,000: 2,000 * 300% = 6,000, but because 6,000 is less than the low traffic threshold of 8,000, the system sets the threshold to 8,000. The recommended threshold for outbound packets is 9,000: 3,000 * 300% = 9,000, and because 9,000 is greater than the low traffic threshold of 8,000, the system sets the threshold to 9,000.
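The arithmetic from Table 40 and the example above, worked through in code. This is an added illustration, not FortiDDoS code: it applies the low traffic floor to scalar thresholds, then runs the port-range procedure (adjust each port's baseline, round up to a multiple of the round-up factor, collapse contiguous ports with equal inbound/outbound rates, and retry with a larger factor until the range count is below the cap). How the round-up factor grows on each retry is not spelled out on the page and is an assumption here (the next multiple of the base factor); max_ranges is a parameter so the retry loop can be seen on a handful of constructed ports.

```python
from math import ceil

MAX_RANGES = 512  # Table 40: cap on TCP/UDP port (or ICMP type/code) ranges per SPP


def recommend_scalar(observed_max: int, percentage: int, low_traffic: int) -> int:
    """Scalar threshold: observed max x layer percentage, never below low_traffic."""
    return max(observed_max * percentage // 100, low_traffic)


def adjust_port_rate(baseline: int, percentage: int, low_traffic: int) -> int:
    """Per-port rate before rounding. Below the low traffic value, the low value
    is taken as the baseline; otherwise the baseline is scaled by the Layer 4
    percentage."""
    if baseline < low_traffic:
        return low_traffic
    return baseline * percentage // 100


def round_up(rate: int, factor: int) -> int:
    """Round rate up to the next multiple of factor."""
    return ceil(rate / factor) * factor


def group_ranges(inbound, outbound):
    """Collapse contiguous ports whose (inbound, outbound) rates are identical
    into (start_port, end_port, inbound_rate, outbound_rate) tuples."""
    ranges = []
    start = 0
    for port in range(1, len(inbound) + 1):
        if port == len(inbound) or (inbound[port], outbound[port]) != (inbound[start], outbound[start]):
            ranges.append((start, port - 1, inbound[start], outbound[start]))
            start = port
    return ranges


def recommend_port_ranges(inbound_baseline, outbound_baseline, percentage,
                          low_traffic, max_ranges=MAX_RANGES):
    """Generate port ranges and thresholds as Table 40 describes.
    Returns (ranges, round_up_factor_used)."""
    inb = [adjust_port_rate(r, percentage, low_traffic) for r in inbound_baseline]
    outb = [adjust_port_rate(r, percentage, low_traffic) for r in outbound_baseline]
    # The page divides the rates by 512 to get the round-up factor; the largest
    # adjusted rate is used here (assumption).
    base_factor = max(1, ceil(max(inb + outb) / max_ranges))
    multiple = 1
    while True:
        factor = base_factor * multiple
        ranges = group_ranges([round_up(r, factor) for r in inb],
                              [round_up(r, factor) for r in outb])
        if len(ranges) < max_ranges:
            return ranges, factor
        multiple += 1  # assumption: retry with the next multiple of the base factor


# Constructed sample (not real data): 8 ports, with heavier inbound traffic on ports 2-5.
SAMPLE_INBOUND = [500, 500, 1200, 1300, 1400, 1500, 500, 500]
SAMPLE_OUTBOUND = [500] * 8

if __name__ == "__main__":
    print(recommend_scalar(2000, 300, 8000), recommend_scalar(3000, 300, 8000))
    print(recommend_port_ranges(SAMPLE_INBOUND, SAMPLE_OUTBOUND, 200, 1000))
    print(recommend_port_ranges(SAMPLE_INBOUND, SAMPLE_OUTBOUND, 200, 1000, max_ranges=2))
```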


To configure with the CLI, use a command sequence similar to the following:

  config spp
    edit <spp_name>
      config ddos spp threshold-adjust
        set threshold-adjustment-type system-recommendation
        set threshold-system-recommended-report-period {1-hour | 8-hours | 1-day | 1-week | 1-month | 1-year}
        set threshold-system-recommended-layer-3 {layer3-percentage | layer3-factory-defaults}
        set threshold-system-recommended-layer-3-percentage <percent>
        set threshold-system-recommended-layer-3-low-traffic <integer>
        set threshold-system-recommended-layer-4 {layer4-percentage | layer4-factory-defaults}
        set threshold-system-recommended-layer-4-percentage <percent>
        set threshold-system-recommended-layer-4-low-traffic <integer>
        set threshold-system-recommended-layer-7 {layer7-percentage | layer7-factory-defaults}
        set threshold-system-recommended-layer-7-percentage <percent>
        set threshold-system-recommended-layer-7-low-traffic <integer>
      end

Note the following:

To avoid generating too many high (>1023) TCP and UDP port ranges, the System Recommendation approach was changed in 4.3.0.

System Recommendation now creates a single port range from 1024 through 65535 and assigns inbound and outbound thresholds that are calculated as the maximum packet rate across all of these ports for that SPP.

Note that traffic originating from high ports and terminating on “service” ports (<1024) is always associated with the service port in either direction. This ensures that graphs and reports show HTTP (80) or SMTP (25) application traffic rather than the randomly selected high ports used by the application or firewall.

Other changes include the following:

Before setting System Recommendations, check Traffic Statistics for high traffic on ports above 1024. This could include:

After System Recommendations have been created, it may be necessary to manually configure high port ranges if:

Modifying threshold settings

You use the Protection Profiles > Thresholds > Thresholds page to review system recommended thresholds and to make manual adjustments as you fine tune the configuration.

One of the key features of the FortiDDoS solution is the availability of system recommended thresholds that are adapted automatically according to statistical trends and tested heuristics. We recommend that in most cases, you should rely on the system intelligence. In some cases, such as demonstration, test, and troubleshooting situations, you might want to specify user-defined values for one or more thresholds. The threshold configuration is open, and can be updated manually.

Before you begin:

To configure threshold settings:
  1. Go to Protection Profiles > Thresholds > Thresholds.
  2. Select the SPP you want to configure from the drop-down list.
  3. Select the type of statistics from the drop-down list.
  4. Double-click the row for the threshold you want to edit or click Add to create a new entry.
  5. Set thresholds for inbound and outbound traffic for the settings described in Table 42.
  6. Save the configuration.


Table 42: Threshold settings configuration

Settings | Guidelines | Graphs

Scalars

syn
  Packet/second rate of SYN packets received. Threshold for a SYN Flood event. When the total SYNs to the SPP exceed the threshold, the SYN flood mitigation mode tests are applied to all new connection requests from IP addresses that are not already in the legitimate IP address table.
  Graphs: Layer 4

new-connections
  Connection/second rate of new connections. Threshold for zombie floods (when attackers hijack legitimate IP addresses to launch DDoS attacks). When it detects a zombie flood, FortiDDoS blocks all new connection requests for the configured blocking period. To be effective, the new-connections threshold should always be higher than the syn threshold. We recommend that you use the FortiDDoS generated threshold unless you have a specific reason to change it.
  Graphs: Layer 4

syn-per-src
  Packet/second rate of SYN packets from any one source. No single source in an SPP is allowed to exceed this threshold. Threshold for a SYN Flood From Source event. The system applies the blocking period for identified sources.
  Graphs: Layer 4

most-active-source
  Packet/second rate for the most active source. A source that sends packets at a rate that surpasses this threshold is considered a threat. Threshold for a source flood. No single source in an SPP is allowed to exceed this threshold, and the system applies the blocking period for identified sources.
  Graphs: Layer 3

concurrent-connections-per-source
  Count of TCP connections from a single source. The TCP connection counter is incremented when a connection moves to the established state and decremented when a session times out or closes. This threshold is used to identify suspicious source IP behavior. An inordinate number of connections is a symptom of both slow and fast TCP connection attacks. The system applies the blocking period for identified sources. If the aggressive aging high-concurrent-connection-per-source option is enabled, the system also sends a TCP RST to the server to reset the connection.
  Graphs: Layer 4

syn-per-dst
  Packet/second rate for SYN packets to a single destination. When the per-destination limit is exceeded for a particular destination, the SYN flood mitigation mode tests are applied to all new connection requests to that destination. Traffic to other destinations is not subject to the tests. The system applies the blocking period for identified sources.
  Graphs: Layer 4

method-per-source
  Packet/second rate for Method packets (GET, HEAD, OPTIONS, POST, etc.) from a single source. When the per-source limit is exceeded for a particular source, the system applies the blocking period for identified sources. The connection to the server may also be reset (RST) if Protection Profiles > SPP Settings > TCP Tab: Aggressive Aging TCP Connections Feature Control: Layer 7 Flood is enabled.
  Graphs: Layer 7

most-active-destination
  Packet/second rate for the most active destination. A destination that is sent packets at this rate is considered under attack. Threshold for a destination flood.
  Graphs: Layer 3

fragment
  Packet/second rate of fragmented packets received. Although the IP specification allows IP fragmentation, excessive fragmented packets can cause some systems to hang or crash.
  Graphs: Layer 3

dns-query
  Queries/second. Threshold for a DNS Query Flood event.
  Graphs: Layer 7

dns-question-count
  Question count/second. Threshold for a DNS Question Flood event.
  Graphs: Layer 7

dns-mx-count
  Packet/second rate of DNS queries for MX records (QTYPE=15). Threshold for a DNS MX Flood event.
  Graphs: Layer 7

dns-all
  Packet/second rate of DNS queries for all DNS records (QTYPE=255). Threshold for a DNS ALL Flood event.
  Graphs: Layer 7

dns-zone-xfer
  Packet/second rate of DNS zone transfer (AXFR) queries (QTYPE=252). Threshold for a DNS Zone Transfer Flood event.
  Graphs: Layer 7

dns-fragment
  Packet/second rate of fragmented DNS packets received. Threshold for a DNS Fragment Flood event.
  Graphs: Layer 7

dns-query-per-src
  Packet/second rate of normal DNS queries from any one source. No single source in an SPP is allowed to exceed this threshold. Threshold for a DNS Query Per Source flood event. The system applies the blocking period for identified sources.
  Graphs: Layer 7

dns-packet-track-per-src
  Packet/second rate of a source that demonstrates suspicious activity (a score based on heuristics that count fragmented packets, responses not found in the DQRM, or queries that generate responses with an RCODE other than 0). Threshold for a DNS Suspicious Sources flood event. The system applies the blocking period for identified sources.
  Graphs: Layer 7
HTTP Methods

HTTP/1.1 uses the following set of common methods:
  • GET
  • HEAD
  • OPTIONS
  • TRACE
  • POST
  • PUT
  • DELETE
  • CONNECT
  Packet/second rate for the specified HTTP method. Threshold for an HTTP method flood attack. When the maximum rate is reached, the system drops packets matching the parameter. If the aggressive aging layer7-flood option is enabled, the system also sends a TCP RST to the server to reset the connection.
  Graphs: Layer 7
Protocols

Protocol Start / End
  Packet/second rate for the specified protocol. Threshold for a Protocol Flood event.
  When you specify a threshold for protocols, enter a range, even if you are specifying a threshold for a single protocol. For example, to set a threshold for protocol 6, enter 6 for both Protocol Start and Protocol End.
  Graphs: Layer 3

TCP Ports

Port Start / End
  Packet/second rate for the specified TCP port. Threshold for a Port Flood event. Monitoring the packet rate for ports is helpful to prevent floods against a specific application such as HTML, FTP, SMTP or SQL. TCP accommodates 64K (65,536) ports, most of which may never be used by a particular server. Conversely, a server might see most or all of its traffic on a small group of TCP ports. For this reason, globally assigning a single threshold to all ports generally does not provide useful protection. However, you can globally set a (usually low) TCP Port Threshold for all TCP ports and then manually configure a higher threshold for the ports your protected network is using.
  When you specify a threshold for ports, you enter a range, even if you are specifying a threshold for a single port. For example, to set a threshold for port 8080, enter 8080 for both Port Start and Port End.
  Graphs: Layer 4

UDP Ports

Port Start / End
  Packet/second rate for the specified UDP port. Threshold for a Port Flood event.
  When you specify a threshold for ports, you enter a range, even if you are specifying a threshold for a single port. For example, to set a threshold for port 53, enter 53 for both Port Start and Port End.
  Graphs: Layer 4

ICMP Types/Codes

ICMP Type/Code Start / End
  Packet/second rate for the specified ICMP type/code range. The ICMP header includes an 8-bit type field, followed by an 8-bit code field. Threshold for an ICMP Type/Code Flood event.
  A popular use of ICMP is the Echo request message (type 8) and its corresponding reply (type 0), which are useful tools to test connectivity and response time. In some cases, this message and reply can also be used as an attack weapon to effectively disable a target system’s network software. Take care when you set the ICMP type 0 and type 8 thresholds to ensure the desired functionality is preserved.
  Graphs: Layer 4
HTTP

URL
  Packet/second rate for packets with the specified URL match. When the maximum rate is reached, the system drops packets matching the parameter. If the aggressive aging layer7-flood option is enabled, the system also sends a TCP RST to the server to reset the connection.

  Specify the URL for a specific website. Botnets make it easy to launch attacks on specific URLs. When such an attack happens, FortiDDoS can isolate the URL and limit just the traffic that is associated with it, while all other traffic is unaffected. The URL is found in the website’s HTTP GET or POST operations. For example, the URL for http://www.website.com/index.html is /index.html.

  When you specify a threshold for a URL, the system generates a corresponding hash index value. FortiDDoS displays the hash index value in the list of URL thresholds. Make note of it. You use the hash value to select this URL elsewhere in the web UI. To view statistics associated with the threshold, go to Monitor > Specific Graphs > URLs, and then, for Please enter URL/Hash index, enter either the original URL you specified or the hash index value.

  The valid range of hash index values for URLs is 0-32k per SPP.

  You can use the special prefix sys_reco_v to create hash index ranges that aggregate URLs you are interested in only as an aggregate. For example, assume your team wants to pay close attention to five websites, and all others can be treated essentially the same. For the first five, your configuration is specific: you know the website URL and the corresponding hash index, and you can use FortiDDoS to track each one specifically. The system does not track the others individually, but you can track, as an aggregate, whether those sites experience rising and falling rates, including attacks.

    1. Create entries for the five priority websites and note their hash index numbers. Let’s assume the hash index numbers are 1, 20, 21, 39, 40.
    2. Create ranges to aggregate the gaps:
      1. The first gap is from 2-19, so you create a configuration named sys_reco_v2_19. This includes hash numbers 2 through 19.
      2. The second gap is from 22-38, so you create a configuration named sys_reco_v22_38.
      3. The next gap is from 41 to the end of the range, so you create a configuration named sys_reco_v41_8192.

  Note: You cannot carve a small block out of a large block. If you want to use hash index values that are already in use, you must delete the existing range and then create two ranges.
  Graphs: Layer 7

Host, Referer, Cookie, User-Agent headers
  Packet/second rate for packets with the specified header matches. When the maximum rate is reached, the system drops packets matching the parameter. If the aggressive aging layer7-flood option is enabled, the system also sends a TCP RST to the server to reset idle connections. A connection is deemed idle if it has not sent traffic in the last 2 minutes.

  Specify HTTP header values. With the advent of botnets, it is easy to launch attacks using scripts. Most of the scripts use the same code, so the chance that they all use the same Host, Referer, Cookie, or User-Agent header fields is very high. When such an attack happens, FortiDDoS can easily isolate the four headers among many and limit traffic associated with that specific header, while all other traffic is unaffected.

  As with URL hash indexes, you can use the sys_reco_v prefix to define hash index ranges that aggregate header values you are not specifically interested in.

  The valid range of hash index values is 0-511 for each setting for each SPP: Host, Referer, Cookie, User-Agent.
  Graphs: Layer 7

To configure with the CLI, use a command sequence similar to the following:

  config spp
    edit <spp_name>
      config ddos spp scalar-threshold
        edit <threshold_name>
          set type {syn | syn-per-src | most-active-source | concurrent-connections-per-source | most-active-destination | method-per-source | fragment | new-connections | syn-per-dst | dns-query | dns-question-count | dns-mx-count | dns-all | dns-zone-xfer | dns-fragment | dns-query-per-src | dns-packet-track-per-src}
          set inbound-threshold <integer>
          set outbound-threshold <integer>
        end
      config ddos spp protocol-threshold
        edit <threshold_name>
          set protocol-start <protocol_int>
          set protocol-end <protocol_int>
          set inbound-threshold <integer>
          set outbound-threshold <integer>
        end

Adding TCP or UDP Port Ranges

In 4.3.0, after the System Recommendations are created, there is only one range for TCP and UDP “high” (>1023) ports, labeled “sys_reco_v1024_65535”.

If you use specific high ports and/or want to exclude specific high ports, you must enter these manually. You cannot have overlapping port ranges. To add a port or range, first delete the existing range.

For example, if you want to allow Port 4500 for high traffic and leave all others as default:

  1. Delete the port range “sys_reco_v1024_65535”.
  2. Add port '4500':
  3. Replace the deleted range with two ranges:
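The range bookkeeping behind the two walkthroughs on this page (the sys_reco_v hash-index gaps in Table 42 and the port 4500 carve-out above), as an added example that is not FortiDDoS code. gap_ranges() builds the aggregate ranges between configured hash indexes, split_range() replaces a deleted range with the pieces around a single port, and can_add() enforces the rule that ranges may not overlap. Following the page's own walkthrough, no range is generated below the first configured index (an assumption, since the page does not say whether index 0 is in play).

```python
def range_name(start: int, end: int) -> str:
    """Name a range with the sys_reco_v prefix used on this page."""
    return f"sys_reco_v{start}_{end}"


def gap_ranges(used_indexes, last_index):
    """Return (start, end) gaps between the configured indexes, plus the tail
    gap up to last_index. Adjacent configured indexes (20, 21) leave no gap.
    Assumption: nothing is generated below the first configured index."""
    used = sorted(set(used_indexes))
    gaps = []
    for prev, nxt in zip(used, used[1:]):
        if nxt - prev > 1:
            gaps.append((prev + 1, nxt - 1))
    if used and used[-1] < last_index:
        gaps.append((used[-1] + 1, last_index))
    return gaps


def overlaps(a, b) -> bool:
    """True when the inclusive ranges a and b share at least one value."""
    return a[0] <= b[1] and b[0] <= a[1]


def can_add(configured, new) -> bool:
    """A new range is only allowed if it overlaps no existing range; the page's
    rule is to delete the big range first, then add the smaller pieces."""
    return not any(overlaps(existing, new) for existing in configured)


def split_range(existing, port):
    """Pieces that replace a deleted (start, end) range so that `port` gets its
    own entry: [below, port itself, above], dropping empty pieces."""
    start, end = existing
    if not start <= port <= end:
        raise ValueError(f"port {port} is not inside {range_name(start, end)}")
    pieces = []
    if port > start:
        pieces.append((start, port - 1))
    pieces.append((port, port))
    if port < end:
        pieces.append((port + 1, end))
    return pieces


if __name__ == "__main__":
    # Constructed walkthrough values from the page: hash indexes 1, 20, 21, 39, 40.
    for gap in gap_ranges([1, 20, 21, 39, 40], 8192):
        print(range_name(*gap))
    high = (1024, 65535)
    print("can add 4500 on top of high range:", can_add([high], (4500, 4500)))
    for piece in split_range(high, 4500):
        print(range_name(*piece))
```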

Note the following:

Adjusting minimum thresholds by percentage

You can arbitrarily adjust SPP thresholds by percentage. This is useful when you expect a spike in legitimate traffic (for example, because of a news story or an advertising campaign). You can adjust the thresholds by as much as 300%.

Before you begin:

To adjust minimum thresholds by percentage:
  1. Go to Protection Profiles > Thresholds > Percent Adjust.
  2. Select the SPP of interest from the drop-down list.
  3. Specify a percentage in the text box. For example, to increase the threshold by 20 percent, enter 20. To decrease it by 20 percent, enter -20.
  4. Save the configuration.
  5. Go to Protection Profiles > Thresholds > Thresholds and verify that the adjustment has been applied.


To configure with the CLI, use a command sequence similar to the following:

  config spp
    edit <spp_name>
      config ddos spp threshold-adjust
        set threshold-adjustment-type percent-adjust
        set threshold-percent-adjust <percent_int>
      end

Configuring an emergency setup

You can use the emergency setup option to adjust only certain key thresholds based on empirical knowledge. You can expect these adjustments to protect against common attacks. For example, if you are already under attack, you can use emergency setup to deploy the unit without an initial learning period.

Before you begin:

To configure an emergency setup:
  1. Go to Protection Profiles > Thresholds > Emergency Setup.
  2. Select the SPP you want to configure from the drop-down list.
  3. Adjust the defaults listed in Table 43 according to your empirical knowledge.
  4. Save the configuration.


Table 43: Emergency setup configuration

Settings                                                  | Default
Inbound SYN Threshold                                     | 1000
Outbound SYN Threshold                                    | 1000
Inbound SYN/Source Threshold                              | 1000
Outbound SYN/Source Threshold                             | 1000
Inbound Most Active Source Threshold                      | 10,000
Outbound Most Active Source Threshold                     | 134217727
Inbound Concurrent Connections per Source Threshold       | 1000
Outbound Concurrent Connections per Source Threshold      | 1000

To configure with the CLI, use a command sequence similar to the following:

  config spp
    edit <spp_name>
      config ddos spp threshold-adjust
        set threshold-adjustment-type easy-setup
        set threshold-easy-setup-inbound-syn-threshold <integer>
        set threshold-easy-setup-outbound-syn-threshold <integer>
        set threshold-easy-setup-inbound-syn-per-source-threshold <integer>
        set threshold-easy-setup-outbound-syn-per-source-threshold <integer>
        set threshold-easy-setup-inbound-most-active-source-threshold <integer>
        set threshold-easy-setup-outbound-most-active-source-threshold <integer>
        set threshold-easy-setup-inbound-concurrent-connections-per-source-threshold <integer>
        set threshold-easy-setup-outbound-concurrent-connections-per-source-threshold <integer>
        set threshold-easy-setup-inbound-concurrent-invite-per-source-threshold <integer>
        set threshold-easy-setup-outbound-concurrent-invite-per-source-threshold <integer>
      end

Restoring factory default threshold settings

In some situations, you might want to reset thresholds for an SPP. For example:

Table 44 summarizes “factory reset” options.

Table 44: “Factory reset” options

Task                                                                          | Menu
Reset the threshold configuration for an SPP.                                 | See below.
Reset the threshold configuration and clear traffic history for an SPP.       | Protection Profiles > Factory Reset > Factory Reset
Reset the system to its factory state. All SPPs, statistics, and logs will be deleted. | See Resetting the system.

Before you begin:

To reset SPP threshold settings:
  1. Go to Protection Profiles > Thresholds > Factory Defaults.
  2. Select the SPP you want to configure from the drop-down list.
  3. Select Set to Factory Defaults.
  4. Save the configuration.


To configure with the CLI, use a command sequence similar to the following:

  config spp
    edit <spp_name>
      config ddos spp threshold-adjust
        set threshold-adjustment-type factory-defaults
        set threshold-factory-defaults {enable | disable}
      end