This section includes the following information:
We recommend you use the system recommendation feature to set thresholds for most types of traffic. The system recommendation procedure sets the configured minimum threshold to a percentage of the generated baseline rates.
You use the Protection Profiles > Thresholds > System Recommendation page to set the multiplier for each OSI layer. The resulting configured minimum thresholds are populated on the Protection Profiles > Thresholds > Thresholds page. As you become a FortiDDoS expert, you can tune the thresholds on the Protection Profiles > Thresholds > Threshold page.
Table 40 explains how the system recommendation feature sets thresholds.
Before you begin:
Settings | Guidelines |
---|---|
Layer <N> adjustment | Either Layer <N> percentage (apply the multiplier and low traffic threshold below) or Layer <N> factory defaults; this corresponds to the threshold-system-recommended-layer-<N> CLI option. |
Layer <N> percentage | Multiply the generated maximum rates by the specified percentage to compute the recommended thresholds. For example, if the value is 100%, the threshold is equal to the generated maximum rate. If it is 300%, the threshold is three times the generated maximum rate. The default adjustment for Layer 3 is 300. The default for Layer 4 is 200. The default for Layer 7 is 200. The valid range is 100 to 500. |
Layer <N> low traffic threshold | Specify a minimum threshold to use instead of the recommended rate when the recommended rate is lower than this value. This setting is helpful when you think that the generated maximum rates are too low to be useful. The default is 1000. For example, assume the generated maximum packet rate for inbound Layer 4 TCP packets is 2,000 and the outgoing rate is 3,000. The value of Layer 4 percentage is 300 (percent) and the value of Layer 4 low traffic threshold is 8,000. In this example, the recommended threshold for inbound packets is 8,000 (2,000 * 300% = 6,000). However, because 6,000 is less than the low traffic threshold of 8,000, the system sets the threshold to 8,000. In this example, the recommended threshold for outbound packets is 9,000 (3,000 * 300% = 9,000). Because 9,000 is greater than the low traffic threshold of 8,000, the system sets the threshold to 9,000. |
To configure with the CLI, use a command sequence similar to the following:

    config spp
      edit <spp_name>
        config ddos spp threshold-adjust
          set threshold-adjustment-type system-recommendation
          set threshold-system-recommended-report-period {1-hour | 8-hours | 1-day | 1-week | 1-month | 1-year}
          set threshold-system-recommended-layer-3 {layer3-percentage | layer3-factory-defaults}
          set threshold-system-recommended-layer-3-percentage <percent>
          set threshold-system-recommended-layer-3-low-traffic <integer>
          set threshold-system-recommended-layer-4 {layer4-percentage | layer4-factory-defaults}
          set threshold-system-recommended-layer-4-percentage <percent>
          set threshold-system-recommended-layer-4-low-traffic <integer>
          set threshold-system-recommended-layer-7 {layer7-percentage | layer7-factory-defaults}
          set threshold-system-recommended-layer-7-percentage <percent>
          set threshold-system-recommended-layer-7-low-traffic <integer>
        end
Note the following:
To avoid generating too many high (>1023) TCP and UDP port ranges, the approach for System Recommendation has been changed in 4.3.0.
System Recommendation now creates a single port range from 1024 through 65535 and assigns inbound and outbound thresholds that are calculated from the maximum packet rate across all of these ports for that SPP.
Note that traffic originating from high ports and terminating on "service" ports (<1024) is always associated with the service port in either direction. That ensures that the graphs and reports show HTTP (80) or SMTP (25) application traffic rather than the randomly selected high ports used by the application or firewall.
Other changes include the following:
Prior to setting System Recommendations, Traffic Statistics should be checked for high traffic on ports above 1024. This could include:
After System Recommendations have been created, it may be necessary to manually configure high port ranges if:
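The following is an added example, not FortiDDoS code, that works through the Table 40 arithmetic (multiplier, then the low traffic floor) and the 4.3.0 behaviour of folding all TCP/UDP ports above 1023 into one 1024-65535 range whose baseline is the maximum rate across those ports. The function names, the layout of the per-port rate dictionary and the sample rates are assumptions made for the illustration.

```python
"""Added example (not FortiDDoS code): System Recommendation threshold arithmetic.

recommended_threshold() applies the Layer <N> percentage and low traffic threshold from Table 40.
recommend_port_thresholds() applies it per port, keeping service ports (<1024) as single-port
ranges and collapsing every high port into one 1024-65535 range (4.3.0 behaviour).
"""

# Factory defaults quoted in Table 40: percentage per OSI layer, low traffic floor 1000 each.
DEFAULT_PERCENT = {3: 300, 4: 200, 7: 200}
DEFAULT_LOW_TRAFFIC = {3: 1000, 4: 1000, 7: 1000}
HIGH_PORT_RANGE = (1024, 65535)   # the single sys_reco range created for high ports


def recommended_threshold(generated_max, percent, low_traffic):
    """generated_max * percent, but never below low_traffic (Table 40 rule)."""
    if not 100 <= percent <= 500:
        raise ValueError("Layer percentage must be in the valid range 100..500")
    scaled = generated_max * percent // 100
    return max(scaled, low_traffic)


def recommend_port_thresholds(port_rates, percent=DEFAULT_PERCENT[4],
                              low_traffic=DEFAULT_LOW_TRAFFIC[4]):
    """port_rates: {port: (inbound_max_pps, outbound_max_pps)} from traffic statistics (assumed
    layout). Returns {(start, end): (inbound_threshold, outbound_threshold)}.

    Ports below 1024 get their own (port, port) range; all high ports are represented by one
    1024-65535 range whose baseline is the maximum rate seen on any high port, per direction."""
    result = {}
    high_in = high_out = 0
    for port, (inb, outb) in port_rates.items():
        if port < HIGH_PORT_RANGE[0]:
            result[(port, port)] = (recommended_threshold(inb, percent, low_traffic),
                                    recommended_threshold(outb, percent, low_traffic))
        else:
            high_in = max(high_in, inb)
            high_out = max(high_out, outb)
    result[HIGH_PORT_RANGE] = (recommended_threshold(high_in, percent, low_traffic),
                               recommended_threshold(high_out, percent, low_traffic))
    return result


if __name__ == "__main__":
    # Constructed baseline rates (packets/second) for one SPP; Layer 4 defaults apply.
    sample_rates = {80: (50_000, 40_000), 443: (20_000, 15_000),
                    3000: (400, 500), 8080: (700, 200)}
    for span, (inb, outb) in sorted(recommend_port_thresholds(sample_rates).items()):
        print(f"ports {span[0]}-{span[1]}: inbound {inb}, outbound {outb}")
```

With the constructed rates, the two service ports keep individual thresholds at 200% of their baselines, while the high ports share one range: inbound 1400 (700 * 200%) and outbound 1000, because 500 * 200% = 1000 does not exceed the low traffic floor of 1000. The Table 40 worked example (2,000 and 3,000 pps at 300% with an 8,000 floor) yields 8,000 and 9,000 as the text states.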
You use the Protection Profiles > Thresholds > Thresholds page to review system recommended thresholds and to make manual adjustments as you fine tune the configuration.
One of the key features of the FortiDDoS solution is the availability of system recommended thresholds that are adapted automatically according to statistical trends and tested heuristics. We recommend that, in most cases, you rely on the system intelligence. In some cases, such as demonstration, test, and troubleshooting situations, you might want to specify user-defined values for one or more thresholds. The threshold configuration is open and can be updated manually.
Before you begin:
Settings | Guidelines | Graphs |
---|---|---|
Scalars | ||
syn | Packet/second rate of SYN packets received. Threshold for a SYN Flood event. When total SYNs to the SPP exceeds the threshold, the SYN flood mitigation mode tests are applied to all new connection requests from IP addresses that are not already in the legitimate IP address table. | Layer 4 |
new-connections | Connection/second rate of new connections. Threshold for zombie floods (when attackers hijack legitimate IP addresses to launch DDoS attacks). When it detects a zombie flood, FortiDDoS blocks all new connection requests for the configured blocking period. In order to be effective, the new-connections threshold should always be higher than the syn threshold. We recommend that you use the FortiDDoS generated threshold unless you have a specific reason to change it. | Layer 4 |
syn-per-src | Packet/second rate of SYN packets from any one source. No single source in an SPP is allowed to exceed this threshold. Threshold for a SYN Flood From Source event. The system applies the blocking period for identified sources. | Layer 4 |
most-active-source | Packet/second rate for the most active source. A source that sends packets at a rate that surpasses this threshold is considered a threat. Threshold for a source flood. No single source in an SPP is allowed to exceed this threshold, and the system applies the blocking period for identified sources. | Layer 3 |
concurrent-connections-per-source | Count of TCP connections from a single source. The TCP connection counter is incremented when a connection moves to the established state and decremented when a session times out or closes. This threshold is used to identify suspicious source IP behavior. An inordinate number of connections is a symptom of both slow and fast TCP connection attacks. The system applies the blocking period for identified sources. If the aggressive aging high-concurrent-connection-per-source option is enabled, the system also sends a TCP RST to the server to reset the connection. | Layer 4 |
syn-per-dst | Packet/second rate for SYN packets to a single destination. When the per-destination limits are exceeded for a particular destination, the SYN flood mitigation mode tests are applied to all new connection requests to that particular destination. Traffic to other destinations is not subject to the tests. The system applies the blocking period for identified sources. | Layer 4 |
method-per-source | Packet/second rate for Method packets (GET, HEAD, OPTION, POST, etc) from a single Source. When the per-source limits are exceeded for a particular source, the system applies the blocking period for identified sources. The connection to the server may also be RST if Protection Profiles > SPP Settings > TCP Tab: Aggressive Aging TCP Connections Feature Control: Layer 7 Flood is enabled. | Layer 7 |
most-active-destination | Packet/second rate for the most active destination. A destination that is sent packets at this rate is considered under attack. Threshold for a destination flood. | Layer 3 |
fragment | Packet/second rate of fragmented packets received. Although the IP specification allows IP fragmentation, excessive fragmented packets can cause some systems to hang or crash. | Layer 3 |
dns-query | Queries/second. Threshold for a DNS Query Flood event. | Layer 7 |
dns-question-count | Question count/second. Threshold for a DNS Question Flood event. | Layer 7 |
dns-mx-count | Packet/second rate of DNS queries for MX records (QTYPE=15). Threshold for a DNS MX Flood event. | Layer 7 |
dns-all | Packet/second rate of DNS queries for all DNS records (QTYPE=255). Threshold for a DNS ALL Flood event. | Layer 7 |
dns-zone-xfer | Packet/second rate of DNS zone transfer (AXFR) queries (QTYPE=252). Threshold for a DNS Zone Transfer Flood event. | Layer 7 |
dns-fragment | Packet/second rate of fragmented packets received. Threshold for a DNS Fragment Flood event. | Layer 7 |
dns-query-per-src | Packet/second rate of normal DNS queries from any one source. No single source in an SPP is allowed to exceed this threshold. Threshold for a DNS Query Per Source flood event. The system applies the blocking period for identified sources. | Layer 7 |
dns-packet-track-per-src | Packet/second rate of a source that demonstrates suspicious activity (a score based on heuristics that count fragmented packets, response not found in DQRM, or queries that generate responses with RCODE other than 0). Threshold for a DNS Suspicious Sources flood event. The system applies the blocking period for identified sources. | Layer 7 |
HTTP Methods | ||
<method> | Packet/second rate for the specified HTTP/1.1 method. Threshold for an HTTP method flood attack. When the maximum rate is reached, the system drops packets matching the parameter. If the aggressive aging layer7-flood option is enabled, the system also sends a TCP RST to the server to reset the connection. | Layer 7 |
Protocols | ||
Protocol Start / End | Packet/second rate for the specified protocol. Threshold for a Protocol Flood event. When you specify a threshold for protocols, enter a range, even if you are specifying a threshold for a single protocol. For example, to set a threshold for protocol 6, enter 6 for both Protocol Start and Protocol End. | Layer 3 |
TCP Ports | ||
Port Start / End | Packet/second rate for the specified TCP port. Threshold for a Port Flood event. Monitoring the packet rate for ports is helpful to prevent floods against a specific application such as HTTP, FTP, SMTP or SQL. TCP accommodates 64K (65,536) ports, most of which may never be used by a particular server. Conversely, a server might see most or all of its traffic on a small group of TCP ports. For this reason, globally assigning a single threshold to all ports generally does not provide useful protection. However, you can globally set a (usually low) TCP Port Threshold for all TCP ports and then manually configure a higher threshold for the ports your protected network is using. When you specify a threshold for ports, you enter a range, even if you are specifying a threshold for a single port. For example, to set a threshold for port 8080, enter 8080 for both Port Start and Port End. | Layer 4 |
UDP Ports | ||
Port Start / End | Packet/second rate for the specified UDP port. Threshold for a Port Flood event. When you specify a threshold for ports, you enter a range, even if you are specifying a threshold for a single port. For example, to set a threshold for port 53, enter 53 for both Port Start and Port End. | Layer 4 |
ICMP Types/Codes | ||
ICMP Type/Code Start/End | Packet/second rate for the specified ICMP type/code range. The ICMP header includes an 8-bit type field, followed by an 8-bit code field. Threshold for an ICMP Type/Code Flood event. A popular use for ICMP is the "Echo request" message (type 8) and its corresponding reply (type 0), which are often useful tools to test connectivity and response time. In some cases, this message and reply can also be used as an attack weapon to effectively disable a target system's network software. Take care when you set the ICMP type 0 and type 8 thresholds to ensure the desired functionality is preserved. | Layer 4 |
HTTP | ||
URL | Packet/second rate for packets with the specified URL match. When the maximum rate is reached, the system drops packets matching the parameter. If the aggressive aging layer7-flood option is enabled, the system also sends a TCP RST to the server to reset the connection. Specify the URL for a specific website. Botnets make it easy to launch attacks on specific URLs. When such an attack happens, FortiDDoS can isolate the URL and limit just the traffic that is associated with it, while all other traffic is unaffected. The URL is found in the website's HTTP GET or POST operations. For example, the URL for http://www.website.com/index.html is /index.html. When you specify a threshold for a URL, the system generates a corresponding hash index value. FortiDDoS displays the hash index value in the list of URL thresholds. Make note of it. You use the hash value to select this URL elsewhere in the web UI. To view statistics associated with the threshold, go to Monitor > Specific Graphs > URLs, and then, for Please enter URL/Hash index, enter either the original URL you specified or the hash index value. The valid range of hash index values for URLs is 0-32k per SPP. You can use the special prefix sys_reco_v to create hash index ranges that aggregate URLs that you are interested in only as an aggregate. For example, assume your team wants to pay close attention to five websites, and all others can be treated essentially the same. With the first five, your configuration is specific, so you know the website URL and the corresponding hash index, and you can use FortiDDoS to track it specifically. The system does not track the others with specificity, but you can track, as an aggregate, whether those sites experience rising and falling rates, including attacks. Note: You cannot carve a small block out of a large block. If you want to use hash index values that are already in use, you must delete the existing range and then create two ranges. | Layer 7 |
Host, Referer, Cookie, User-Agent headers | Packet/second rate for packets with the specified header matches. When the maximum rate is reached, the system drops packets matching the parameter. If the aggressive aging layer7-flood option is enabled, the system also sends a TCP RST to the server to reset idle connections. A connection is deemed idle if it has not sent traffic in the last 2 minutes. Specify HTTP header values. With the advent of botnets, it is easy to launch attacks using scripts. Most of the scripts use the same code. The chances that they all use the same Host, Referer, Cookie, or User-Agent header fields is very high. When such an attack happens, FortiDDoS can easily isolate the four headers among many and limit traffic associated with that specific header, while all other traffic is unaffected. As with URL hash indexes, you can use the sys_reco_v prefix to define hash index ranges that aggregate header values you are not specifically interested in. The valid range of hash index values is 0-511 for each setting for each SPP: Host, Referer, Cookie, User-Agent. | Layer 7 |
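To make the semantics of the scalar rows concrete, here is an added example (not FortiDDoS code) of a minimal per-second rate monitor that applies three of the thresholds from the table to a constructed packet trace: syn (aggregate SYN rate for the SPP), syn-per-src (SYN rate from one source) and most-active-source (all packets from one source). A source that exceeds a per-source threshold is put in a blocking table for a fixed blocking period and its later packets are dropped. The packet tuple layout, the threshold values, the blocking period and the trace itself are assumptions for the illustration, and the mitigation-mode tests FortiDDoS applies after a SYN Flood event are not modelled.

```python
"""Added example (not FortiDDoS code): per-second evaluation of syn, syn-per-src and
most-active-source thresholds with a blocking period for identified sources."""

from collections import defaultdict

BLOCKING_PERIOD = 15   # seconds a flagged source stays blocked (assumed value)


def monitor(packets, thresholds, blocking_period=BLOCKING_PERIOD):
    """packets: iterable of (timestamp_seconds, src_ip, is_syn), in time order (assumed layout).
    thresholds: {"syn": pps, "syn-per-src": pps, "most-active-source": pps}.
    Returns (events, dropped): events is a list of (second, event_name, subject) and dropped is
    the number of packets discarded because their source was already in the blocking table."""
    events = []
    blocked_until = {}             # src -> first second at which the source is unblocked again
    dropped = 0

    # Thresholds are packet/second rates, so group the trace into whole-second buckets.
    buckets = defaultdict(list)
    for ts, src, is_syn in packets:
        buckets[int(ts)].append((src, is_syn))

    for second in sorted(buckets):
        syn_total = 0
        syn_per_src = defaultdict(int)
        pkts_per_src = defaultdict(int)
        for src, is_syn in buckets[second]:
            if blocked_until.get(src, -1) > second:
                dropped += 1               # blocking period still in force for this source
                continue
            pkts_per_src[src] += 1
            if is_syn:
                syn_total += 1
                syn_per_src[src] += 1

        # Aggregate SYN rate for the whole SPP (scalar "syn").
        if syn_total > thresholds["syn"]:
            events.append((second, "SYN Flood", "spp"))
        # Per-source SYN rate (scalar "syn-per-src"): block the offending source.
        for src, n in syn_per_src.items():
            if n > thresholds["syn-per-src"]:
                events.append((second, "SYN Flood From Source", src))
                blocked_until[src] = second + 1 + blocking_period
        # Per-source total packet rate (scalar "most-active-source"): block the source.
        for src, n in pkts_per_src.items():
            if n > thresholds["most-active-source"]:
                events.append((second, "Source Flood", src))
                blocked_until[src] = second + 1 + blocking_period
    return events, dropped


def sample_trace():
    """Constructed trace: 10.0.0.5 sends 30 SYNs in second 0 and 5 more in second 1 while blocked;
    10.0.0.7 sends 12 SYNs in second 0 and 3 data packets in second 1 (never exceeds a limit)."""
    trace = [(i / 100, "10.0.0.5", True) for i in range(30)]
    trace += [(i / 100, "10.0.0.7", True) for i in range(12)]
    trace += [(1 + i / 100, "10.0.0.5", True) for i in range(5)]
    trace += [(1 + i / 100, "10.0.0.7", False) for i in range(3)]
    return trace


if __name__ == "__main__":
    limits = {"syn": 40, "syn-per-src": 20, "most-active-source": 25}   # assumed pps values
    events, dropped = monitor(sample_trace(), limits)
    for second, name, subject in events:
        print(f"t={second}s {name}: {subject}")
    print(f"packets dropped from blocked sources: {dropped}")
```

In second 0 the SPP sees 42 SYNs, which trips the aggregate syn threshold of 40, and 10.0.0.5 alone exceeds both syn-per-src (30 > 20) and most-active-source (30 > 25), so it is blocked; its five packets in second 1 are dropped without being counted, which is why the new-connections and syn thresholds in the table are worth keeping in the documented order.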
To configure with the CLI, use a command sequence similar to the following:

    config spp
      edit <spp_name>
        config ddos spp scalar-threshold
          edit <threshold_name>
            set type {syn | syn-per-src | most-active-source | concurrent-connections-per-source | most-active-destination | method-per-source | fragment | new-connections | syn-per-dst | dns-query | dns-question-count | dns-mx-count | dns-all | dns-zone-xfer | dns-fragment | dns-query-per-src | dns-packet-track-per-src}
            set inbound-threshold <integer>
            set outbound-threshold <integer>
        end
        config ddos spp protocol-threshold
          edit <threshold_name>
            set protocol-start <protocol_int>
            set protocol-end <protocol_int>
            set inbound-threshold <integer>
            set outbound-threshold <integer>
        end
In 4.3.0, after the System Recommendations are created, there will only be one range for TCP and UDP “high” (>1023) ports labeled as “sys_reco_v1024_65535”.
If you use specific high ports and/or want to exclude specific high ports, you must enter these manually. You cannot have overlapping port ranges. To add a port or range, first delete the existing range.
For example, if you want to allow Port 4500 for high traffic and leave all others as default:
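The bookkeeping behind that rule, as an added example that is not FortiDDoS code: because port ranges must not overlap, giving one high port its own threshold means deleting the 1024-65535 range and re-creating it as the pieces on either side of that port, each keeping the range's original thresholds, plus a single-port range with the new values. The dictionary layout, the function names and the threshold values are assumptions.

```python
"""Added example (not FortiDDoS code): carving a single port out of an existing port range
while enforcing the no-overlap rule for TCP/UDP port thresholds."""


def check_no_overlap(ranges):
    """ranges: {(start, end): thresholds}. Raises ValueError if any two ranges overlap or a
    range is malformed; returns True otherwise."""
    spans = sorted(ranges)
    for start, end in spans:
        if not 0 <= start <= end <= 65535:
            raise ValueError(f"invalid port range {start}-{end}")
    for (s1, e1), (s2, e2) in zip(spans, spans[1:]):
        if s2 <= e1:                      # sorted by start, so this is the only overlap case
            raise ValueError(f"port ranges {s1}-{e1} and {s2}-{e2} overlap")
    return True


def carve_port(ranges, port, thresholds):
    """Return a new range table in which `port` has its own (port, port) entry with `thresholds`.
    The range that currently contains the port is deleted and re-created as up to two neighbouring
    ranges that keep the original thresholds (the 'delete the existing range, then create the
    pieces' procedure). Existing single-port entries for other ports are left untouched."""
    check_no_overlap(ranges)
    new = dict(ranges)
    for (start, end), old in ranges.items():
        if start <= port <= end:
            del new[(start, end)]
            if start < port:
                new[(start, port - 1)] = old
            if port < end:
                new[(port + 1, end)] = old
            break
    new[(port, port)] = thresholds
    check_no_overlap(new)
    return new


if __name__ == "__main__":
    # Constructed table: one service port plus the 4.3.0 sys_reco_v1024_65535 high-port range.
    table = {(80, 80): (100_000, 80_000), (1024, 65535): (1400, 1000)}
    for span, (inb, outb) in sorted(carve_port(table, 4500, (50_000, 50_000)).items()):
        print(f"{span[0]}-{span[1]}: inbound {inb}, outbound {outb}")
```

Carving port 4500 out of the constructed table yields 1024-4499 and 4501-65535 with the recommended thresholds and 4500-4500 with the higher values; an attempt to add 4500-4500 without first removing 1024-65535 is rejected by check_no_overlap.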
Note the following:
You can arbitrarily adjust SPP thresholds by percentage. This is useful when you expect a spike in legitimate traffic (for example, because of a news story or an advertising campaign). You can adjust the thresholds by as much as 300%.
Before you begin:
For example, to increase thresholds by 20 percent, enter 20. To decrease them by 20 percent, enter -20.
To configure with the CLI, use a command sequence similar to the following:

    config spp
      edit <spp_name>
        config ddos spp threshold-adjust
          set threshold-adjustment-type percent-adjust
          set threshold-percent-adjust <percent_int>
        end
You can use the emergency setup option to adjust only certain key thresholds based on empirical knowledge. You can expect these adjustments to protect against common attacks. For example, if you are already under attack, you can use emergency setup to deploy the unit without an initial learning period.
Before you begin:
Settings | Default |
---|---|
Inbound SYN Threshold | 1000 |
Outbound SYN Threshold | 1000 |
Inbound SYN/Source Threshold | 1000 |
Outbound SYN/Source Threshold | 1000 |
Inbound Most Active Source Threshold | 10,000 |
Outbound Most Active Source Threshold | 134217727 |
Inbound Concurrent Connections per Source Threshold | 1000 |
Outbound Concurrent Connections per Source Threshold | 1000 |
To configure with the CLI, use a command sequence similar to the following:

    config spp
      edit <spp_name>
        config ddos spp threshold-adjust
          set threshold-adjustment-type easy-setup
          set threshold-easy-setup-inbound-syn-threshold <integer>
          set threshold-easy-setup-outbound-syn-threshold <integer>
          set threshold-easy-setup-inbound-syn-per-source-threshold <integer>
          set threshold-easy-setup-outbound-syn-per-source-threshold <integer>
          set threshold-easy-setup-inbound-most-active-source-threshold <integer>
          set threshold-easy-setup-outbound-most-active-source-threshold <integer>
          set threshold-easy-setup-inbound-concurrent-connections-per-source-threshold <integer>
          set threshold-easy-setup-outbound-concurrent-connections-per-source-threshold <integer>
          set threshold-easy-setup-inbound-concurrent-invite-per-source-threshold <integer>
          set threshold-easy-setup-outbound-concurrent-invite-per-source-threshold <integer>
        end
In some situations, you might want to reset thresholds for an SPP. For example:
Table 44 summarizes “factory reset” options.
Task | Menu |
---|---|
Reset the threshold configuration for an SPP. | See below. |
Reset the threshold configuration and clear traffic history for an SPP. | Protection Profiles > Factory Reset > Factory Reset |
Reset the system to its factory state. All SPPs, statistics, and logs will be deleted. | See Resetting the system. |
Before you begin:
To configure with the CLI, use a command sequence similar to the following:

    config spp
      edit <spp_name>
        config ddos spp threshold-adjust
          set threshold-adjustment-type factory-defaults
          set threshold-factory-defaults {enable | disable}
        end