This section includes the following topics:
Legitimate traffic conforms with standards set out in Internet Engineering Task Force (IETF) documents known as Requests for Comments (RFC). Traffic that does not conform with RFCs is anomalous. Often, anomalous traffic contains malicious components. In any case, it should be dropped to prevent resource issues.
The FortiDDoS system drops and logs the following Layer 3 anomalies:
The FortiDDoS system drops and logs the following Layer 4 anomalies:
TCP session state anomalies are a symptom of an attack or invalid junk traffic, but they can also be seen as a by-product of traffic load tools used in test environments. You can use the Protection Profiles > SPP Settings configuration page to enable detection for TCP session state anomalies and to allow for the anomalies that are sometimes triggered by traffic load tools.
Table 6 summarizes recommended settings for TCP session state for the FortiDDoS deployment modes. In a typical Prevention Mode deployment where FortiDDoS receives both sides of the TCP connection, all settings are available and can be useful. Some settings are not appropriate when FortiDDoS is deployed in Detection Mode or Asymmetric Mode. See Understanding FortiDDoS Detection Mode or Understanding FortiDDoS Asymmetric Mode for additional information on the guidelines for those modes.
Table 6: TCP session state anomalies detection options
Setting | Description | Detection Mode | Prevention - Symmetric | Prevention - Asymmetric
---|---|---|---|---
Sequence validation | Drops packets with invalid TCP sequence numbers. | Do not enable | Recommended | Do not enable
SYN validation | Drops SYNs during a flood if the source has not completed the TCP three-way handshake. | Do not enable | Recommended | Recommended
State transition anomalies validation | Drops packets with invalid TCP state transitions. For example, if an ACK packet is received when FortiDDoS has not observed a SYN/ACK packet, it is a state transition anomaly. | Do not enable | Recommended | Do not enable
Foreign packet validation | Drops TCP packets that do not belong to an existing TCP connection and reports them as foreign packets. In most cases, foreign packet validation is useful for filtering out junk. | Do not enable | Recommended | Recommended
Allow tuple reuse | Allows tuple reuse. Updates the TCP entry during the closed, close-wait, fin-wait, and time-wait states, when the connection is just about to retire. | Recommended | Recommended | Recommended
Allow duplicate SYN-in-SYN-SENT | Allows duplicate TCP SYN packets during the SYN-SENT state, even if the sequence numbers are different. | Recommended | Useful in some lab environments | Useful in some lab environments
Allow duplicate SYN-in-SYN-RECV | Allows duplicate TCP SYN packets during the SYN-RECV state, even if the sequence numbers are different. | Do not enable | Useful in some lab environments | Do not enable
Allow SYN anomaly, Allow SYN-ACK anomaly, Allow ACK anomaly, Allow RST anomaly, Allow FIN anomaly | Allows duplicate TCP packets during any other state, even if the sequence numbers differ from the existing connection entry. This is equivalent to allowing the packet without updating the existing connection entry with the new information from the allowed packet. | Do not enable | Seldom necessary, but available in case these anomalies are false positives in legitimate traffic. | Do not enable
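As an added illustration (not FortiDDoS code), the following Python tracker applies the foreign packet, state transition and tuple reuse checks from Table 6 to a constructed packet trace; the state names, verdict strings and addresses are assumptions made for this example, and the tracker assumes it sees both directions of each connection, as in a Prevention - Symmetric deployment.

```python
# Constructed model of the TCP session-state checks in Table 6. Added illustration,
# not FortiDDoS code: state names, verdicts and sample addresses are assumptions, and
# the tracker is assumed to see both directions (Prevention - Symmetric deployment).
TRANSITIONS = {  # (current state, TCP flags) -> next state; anything else is an anomaly
    (None, "S"): "SYN-SENT",
    ("SYN-SENT", "SA"): "SYN-RECV",
    ("SYN-SENT", "S"): "SYN-SENT",  # duplicate SYN-in-SYN-SENT, tolerated as in Table 6
    ("SYN-RECV", "A"): "ESTABLISHED",
    ("ESTABLISHED", "A"): "ESTABLISHED",
    ("ESTABLISHED", "PA"): "ESTABLISHED",
    ("ESTABLISHED", "FA"): "TIME-WAIT",  # connection starts to retire
    ("ESTABLISHED", "R"): "TIME-WAIT",
    ("TIME-WAIT", "A"): "TIME-WAIT",
}

class TcpStateTracker:
    def __init__(self, allow_tuple_reuse=True):
        self.allow_tuple_reuse = allow_tuple_reuse
        self.table = {}  # direction-independent connection key -> state

    def check(self, src, dst, flags):
        key = tuple(sorted((src, dst)))  # same entry whichever side sent the packet
        state = self.table.get(key)
        if state is None and flags != "S":
            return "foreign-packet"  # Foreign packet validation: no connection entry
        if state == "TIME-WAIT" and flags == "S":  # Allow tuple reuse option
            if not self.allow_tuple_reuse:
                return "state-transition-anomaly"
            self.table[key] = "SYN-SENT"  # refresh the retiring entry
            return "ok"
        nxt = TRANSITIONS.get((state, flags))
        if nxt is None:  # e.g. ACK arriving before any SYN/ACK was observed
            return "state-transition-anomaly"
        self.table[key] = nxt
        return "ok"

TRACE = [  # constructed sample trace
    ("10.0.0.5:40001", "192.0.2.10:80", "S"),
    ("192.0.2.10:80", "10.0.0.5:40001", "SA"),
    ("10.0.0.5:40001", "192.0.2.10:80", "A"),
    ("10.0.0.5:40001", "192.0.2.10:80", "FA"),
    ("10.0.0.5:40001", "192.0.2.10:80", "S"),  # tuple reused from TIME-WAIT
    ("10.0.0.9:51000", "192.0.2.10:80", "A"),  # no entry at all: foreign packet
    ("10.0.0.7:42000", "192.0.2.10:80", "S"),
    ("10.0.0.7:42000", "192.0.2.10:80", "A"),  # ACK although no SYN/ACK was seen
]

def classify(trace, allow_tuple_reuse=True):
    tracker = TcpStateTracker(allow_tuple_reuse)
    return [tracker.check(*pkt) for pkt in trace]
```

Running `classify(TRACE, allow_tuple_reuse=False)` turns the fifth packet (the SYN that reuses a retiring tuple) into an anomaly, which is why Table 6 recommends the option in every mode.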
You can use the Global Settings > Settings > General tab to enable detection for the following HTTP anomalies:
DNS anomalies are packet or session state irregularities known to be exploited by attackers.
Table 7 lists the types of DNS anomalies that can be detected.
Group | Anomaly
---|---
DNS header anomaly |
DNS query anomaly |
DNS response anomaly |
DNS buffer overflow anomaly |
DNS exploit anomaly |
DNS info anomaly | Type ALL used: detects a DNS request with the request type set to ALL (QTYPE=255). Typical user queries do not request ALL.
DNS data anomaly |