In Detection Mode, FortiDDoS logs events and builds traffic statistics for SPPs, but it does not take actions: it does not drop or block traffic, and it does not aggressively age connections. Packets are passed through the system to and from protected subnets. Any logs and reports that show drop or blocking activity are actually simulations of drop or block actions the system would have taken if it were deployed in Prevention Mode.
When you get started with FortiDDoS, you deploy it in Detection Mode for 2-14 days so that the FortiDDoS system can learn the baseline of normal inbound and outbound traffic. The length of the initial learning period depends upon the seasonality of traffic (its predictable or expected variations) and how representative of normal traffic conditions the learning period is. Ensure that there are no attacks during the initial learning period and that it is long enough to be a representative period of activity. If activity is heavier in one part of the week than another, ensure that your initial learning period includes periods of both high and low activity. Weekends alone are an insufficient learning period for businesses that have substantially different traffic during the week. Thus, it is better to start the learning period on a weekday. In most cases, 7 days is sufficient to capture the weekly seasonality in traffic.
At the end of the initial learning period, you can adopt system-recommended thresholds (usually lower than the factory default) and continue to use Detection Mode to review logs for false positives and false negatives. As needed, you repeat the tuning: adjust thresholds and monitor the results.
When you are satisfied with the system settings, change to Prevention Mode. In Prevention Mode, the appliance drops packets and blocks sources that violate ACL rules and DDoS attack detection thresholds.
Important: In Detection Mode, the FortiDDoS system forwards all packets, but a simulated drop might be recorded. TCP session control options depend on the true TCP state, and simulated drops when the appliance is in Detection Mode can lead to unexpected results. For example, if the system records a (simulated) drop for a TCP connection, when subsequent packets arrive for the connection, the system treats them as foreign packets because the state table entry indicates the session has already been closed.
Table 8 summarizes our guidelines for SYN flood mitigation and TCP session state settings in Detection Mode.