Chapter 1: Key Concepts > Understanding FortiDDoS Asymmetric Mode

Understanding FortiDDoS Asymmetric Mode

An asymmetric route is one in which the inbound traffic traverses the FortiDDoS system, but the outbound traffic takes a route that does not.

Figure 18 shows an asymmetric route when an external client initiates the connection, such as a web server request. The initial TCP SYN traverses the network path where FortiDDoS has been deployed, but the SYN-ACK response takes a different route to the client.

Figure 18: Asymmetric route when an external client initiates the connection

Figure 19 shows an asymmetric route when the internal resource initiates the connection, such as when a backup server initiates a scheduled job. The TCP SYN takes an out-of-path route, and the SYN-ACK packet is the first packet that FortiDDoS sees for the session.

Figure 19: Asymmetric route when an internal server initiates the connection

We have two key recommendations if you plan to deploy the FortiDDoS appliance in a network path where asymmetric routes are possible:

  1. Enable Asymmetric Mode. In Asymmetric Mode, the system can parse Layer 4 and Layer 7 headers for most floods and URL-related features. If Asymmetric Mode is off, such floods are not detected when the appliance does not see both directions of the session traffic.
  2. Enable both Asymmetric Mode and the Allow Inbound SYN-ACK option so the system can properly handle asymmetric TCP traffic. When enabled, the system treats an inbound SYN-ACK as if it were a SYN and creates an entry for it in the TCP connection table. It does not increment the SYN threshold counter, but it does track syn-per-src in order to protect against attacks that might attempt to exploit this behavior.

TCP state anomaly detection depends on tracking a two-way traffic flow, so some feature options on the Protection Profiles > SPP Settings page do not work in Asymmetric Mode. Table 10 summarizes the configuration guidelines for these feature options.

Table 10: Recommended TCP state anomaly detection settings in Asymmetric Mode

SYN validation
    Recommended. This option enables SYN flood mitigation mode.

Sequence validation
    Do not enable. Depends on tracking a two-way traffic flow.

State transition anomalies validation
    Do not enable. Depends on tracking a two-way traffic flow.

Foreign packet validation
    Recommended. In Asymmetric Mode, FortiDDoS can still track foreign packets.

Allow tuple reuse
    Enabled by default to support standard test environments that reuse tuples in quick succession. The setting is valid in Asymmetric Mode. Recommended to avoid unnecessary logging of the event when it is detected.

Allow duplicate SYN-in-SYN-SENT
    Not enabled by default, but the setting is valid in Asymmetric Mode. Recommended when FortiDDoS is in Detection Mode to avoid unnecessary logging of the event when it is detected.

Allow duplicate SYN-in-SYN-RECV, Allow SYN anomaly, Allow SYN-ACK anomaly, Allow ACK anomaly, Allow RST anomaly, Allow FIN anomaly
    Do not enable.
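The following model is an added example written for this page, not FortiDDoS code, to show why the SYN-ACK handling described above and the Table 10 guidelines go together. It simulates a mitigator's TCP connection table in the Figure 19 scenario, where the appliance only ever sees the inbound half of a session: with Asymmetric Mode and Allow Inbound SYN-ACK off, the SYN-ACK and everything after it is dropped as an anomaly or foreign packet; with them on, the SYN-ACK opens the entry, the SYN threshold counter stays untouched while the per-source counter is incremented; and with sequence validation additionally enabled, legitimate inbound traffic is dropped because the other side's initial sequence number was never seen. The class and method names (Mitigator, inspect, syn_per_src), the verdict strings, the simplified acknowledgement window and the sample packets are all constructed for the example.

```python
# Constructed model of a DDoS mitigator's TCP connection table under
# asymmetric routing. Illustrative code written for this page, not FortiDDoS
# code; all names, verdicts and sample addresses are assumptions.
from dataclasses import dataclass, field

SYN, ACK, RST, FIN = 0x02, 0x10, 0x04, 0x01   # TCP header flag bits


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int
    seq: int
    ack: int = 0


@dataclass
class Mitigator:
    asymmetric_mode: bool = False
    allow_inbound_syn_ack: bool = False
    sequence_validation: bool = False
    syn_threshold: int = 0                            # SYN flood rate counter
    syn_per_src: dict = field(default_factory=dict)   # per-source SYN counter
    table: dict = field(default_factory=dict)         # session key -> entry
    events: list = field(default_factory=list)        # anomalies we would log

    @staticmethod
    def _key(p):
        # Direction-independent key so either side's packets find the entry.
        return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

    def inspect(self, p: Packet) -> str:
        """Process one packet seen by the appliance; return 'pass' or 'drop'."""
        fl = p.flags & (SYN | ACK | RST | FIN)
        key = self._key(p)
        entry = self.table.get(key)

        if fl == SYN:                                 # normal session start
            self.syn_threshold += 1
            self.syn_per_src[p.src] = self.syn_per_src.get(p.src, 0) + 1
            self.table[key] = {"state": "SYN_RECV", "isn": {p.src: p.seq}}
            return "pass"

        if fl == SYN | ACK:
            if entry is not None:                     # reply to a SYN we saw
                entry["state"] = "ESTABLISHED"
                entry["isn"][p.src] = p.seq
                return "pass"
            if self.asymmetric_mode and self.allow_inbound_syn_ack:
                # The SYN left on an out-of-path route (Figure 19): treat the
                # SYN-ACK as the session start. The SYN flood counter is left
                # alone, but the sender is counted per source so a SYN-ACK
                # flood from one host still trips syn-per-src.
                self.syn_per_src[p.src] = self.syn_per_src.get(p.src, 0) + 1
                self.table[key] = {"state": "ESTABLISHED", "isn": {p.src: p.seq}}
                return "pass"
            self.events.append(("syn_ack_anomaly", key))
            return "drop"

        if entry is None:                             # no session at all
            self.events.append(("foreign_packet", key))
            return "drop"

        if self.sequence_validation and fl & ACK:
            # The ACK number acknowledges the peer's sequence space, so the
            # check needs the peer's ISN, which is unknown if the appliance
            # saw only one direction of the handshake.
            peer_isn = entry["isn"].get(p.dst)
            if peer_isn is None:
                self.events.append(("sequence_unverifiable", key))
                return "drop"                         # legitimate traffic lost
            if not (peer_isn < p.ack <= peer_isn + 65536):   # simplified window
                self.events.append(("sequence_anomaly", key))
                return "drop"

        if fl & (RST | FIN):
            del self.table[key]
        return "pass"


def demo():
    """Run the Figure 19 scenario under each configuration (sample packets constructed)."""
    ext, srv = "203.0.113.7", "10.0.0.5"
    # Inbound half of a session the internal server opened out-of-path.
    syn_ack = Packet(ext, srv, 443, 40000, SYN | ACK, seq=1000, ack=5001)
    inbound_data = Packet(ext, srv, 443, 40000, ACK, seq=1001, ack=5002)
    # Symmetric control: the same session with the outbound SYN visible.
    syn = Packet(srv, ext, 40000, 443, SYN, seq=5000)

    results = {}
    m = Mitigator()
    results["symmetric_default"] = (m.inspect(syn_ack), m.inspect(inbound_data))
    m = Mitigator(asymmetric_mode=True, allow_inbound_syn_ack=True)
    results["asymmetric"] = (m.inspect(syn_ack), m.inspect(inbound_data))
    results["asymmetric_counters"] = (m.syn_threshold, dict(m.syn_per_src))
    m = Mitigator(asymmetric_mode=True, allow_inbound_syn_ack=True, sequence_validation=True)
    results["asymmetric_seq_validation"] = (m.inspect(syn_ack), m.inspect(inbound_data))
    m = Mitigator(sequence_validation=True)
    results["symmetric_seq_validation"] = (m.inspect(syn), m.inspect(syn_ack), m.inspect(inbound_data))
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The foreign packet check in the model only asks whether any entry exists for the session, which is why it keeps working when only one direction is visible, while the sequence check needs state from both directions and is the one Table 10 says not to enable.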
Workflow for getting started with Asymmetric Mode
  1. Go to Global Settings > Settings > Settings > Deployment tab and enable the following settings:
  2. Get started in Detection Mode:
    1. For each SPP, go to Protection Profiles > SPP Settings and ensure that the following TCP state anomaly options are enabled and no others:
    2. Enable Detection Mode.
    3. Establish a baseline of traffic statistics and set thresholds.
  3. Change settings to the ones appropriate for Prevention Mode when there is asymmetric traffic:
    1. For each SPP, go to Protection Profiles > SPP Settings and ensure that the following TCP state anomaly options are enabled and no others:
    2. Enable Prevention Mode.