The monitoring and reporting framework is designed to maximize the processing resources that are available for preventing attacks, rather than forensics. In order to conserve resources to withstand multi-gigabyte attacks, the system records only data that it can use to improve security, not all possible Layer 3, Layer 4, and Layer 7 data. As a result, reporting tools such as the DDoS attack log do not always include detailed traffic parameter information. Outside of specific scenarios, the system does not report source and destination IP addresses and ports, protocols, and so on, for every dropped or blocked packet.
It is not uncommon for a FortiDDoS system that is monitoring a 1 Gbps traffic flow to be the target of a 700 Mbps SYN flood for 8 hours. If the system stored every source and destination IP address, port, and protocol, the logging demands (via hard disk, syslog, or SNMP trap) would soon overwhelm the disk or network.
By concentrating its resources on dropping attack traffic and maintaining service, FortiDDoS allows you to focus your attention elsewhere and still provide you with helpful and relevant information when an attack is underway.