DoS prevention

You can protect your web assets from a wide variety of denial of service (DoS) attacks.

Some DoS protection features are not supported in all modes of operation. For details, see Supported features in each operation mode.

DoS features are organized by which open system interconnections (OSI) model layer they use primarily to apply the rate limit:

Appropriate DoS rate limits vary by the web application you are protecting. For details, see Reducing false positives.

Configuring application-layer DoS protection

The DoS Protection > Application submenu enables you to configure DoS protection at the network application layer.

For some DoS protection features, the FortiWeb appliance uses session management to track requests.

1.  When a FortiWeb appliance receives the first request from any client, it adds a session cookie to the response from the web server in order to track the session. The client will include the cookie in subsequent requests.

2.  If a client sends another request before the session timeout, FortiWeb examines the session cookie in the request.

See also

Limiting the total HTTP request rate from an IP

You can limit the number of HTTP requests per second, per source IP address.

This feature is similar to DoS Protection > Application > HTTP Flood Prevention. However, this feature can prevent HTTP request floods that involve many different URLs. It also can detect source IP addresses that are shared by multiple clients, and intelligently enforce a separate request rate limit for those IPs, even if those clients do not support cookies.

FortiWeb appliances track the rate of requests from each source IP address, regardless of their HTTP method. If the rate of requests exceeds the limit, FortiWeb performs the Action.

This scan is bypassed if the client’s source IP is a known search engine and you have enabled Allow Known Search Engines.
To configure an HTTP request rate limit

1.  Before you configure the rate limit, enable detection of when source IP addresses are shared by multiple clients. For details, see Advanced settings.

If you do not enable detection of shared IP addresses (Shared IP) , FortiWeb ignores the second threshold, HTTP Request Limit/sec (Shared IP) .

2.  Go to DoS Protection > Application > HTTP Access Limit.

To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.

3.  Click Create New.

A dialog appears.

4.  Configure these settings:

Setting name Description
Name Type a unique name that can be referenced in other parts of the configuration. Do not use spaces or special characters. The maximum length is 35 characters.
HTTP Request Limit/sec (Standalone IP)

Type a rate limit for the maximum number of HTTP requests per second from each source IP address that is a single HTTP client.

For example, if loading a web page involves:

  • 1 HTML file request
  • 1 external JavaScript file request
  • 3 image requests

the rate limit should be at least 5, but could be some multiple such as 10 or 15 in order to allow 2 or 3 page loads per second from each client.

For best results, this should be at least as many requests as required to normally load the URL. When a client accesses a web application, it normally requests many files, such as images and style sheets, used by the web page itself. If you set limits too low, it can cause false positive attack detections and block requests. In extreme cases, this could prevent a single web page from fully loading all of its components — images, CSS, and other external files.

The valid range is from 0 to 65,536. The default value is 0. Fortinet suggests an initial value of 500. See also Reducing false positives.

HTTP Request Limit/sec (Shared IP)

Type a rate limit for the maximum number of HTTP requests per second from each source IP address that is shared by multiple HTTP clients.

Typically, this limit should be greater than HTTP Request Limit/sec (Standalone IP).

For example, let’s say a branch office with 10 employees is accessing your website. Some solitary telecommuters also access your website. Each telecommuter has her own IP address. However, the 10 people at the branch office are behind a firewall with NAT, and from the perspective of the Internet appear to have a single source IP address. If the appropriate rate limit for solitary telecommuters is 20 requests/sec., a fair rate limit for the branch office might be 200 requests/sec.:

20 requests/sec/person x 10 persons = 200 requests/sec.

The valid range is from 0 to 65,536. The default value is 0. Fortinet suggests an initial value of 1000. See also Reducing false positives.

Note: If detection of shared IP addresses is disabled, this setting will be ignored and all source IP addresses will be limited by HTTP Request Limit/sec (Standalone IP) instead. See Advanced settings.

Real Browser Enforcement

If you want to return a JavaScript to the client to test whether it is a web browser or automated tool when it exceeds the rate limit, enable this option. If either the client fails the test, or if it does not return results before the Validation Timeout, FortiWeb will apply the Action. If the client appears to be a web browser, FortiWeb will allow the client to exceed the action. See also Bot analysis.

Disable this option to apply the rate limit regardless of whether the client is a web browser such as Firefox or an automated tool such as wget.

Validation Timeout Enter the maximum amount of time that FortiWeb will wait for results from the client for Real Browser Enforcement.
Action

Select which action the FortiWeb appliance will take when it detects a violation of the rule:

  • AlertAccept the request and generate an alert email and/or log message.
  • Alert & DenyBlock the request (or reset the connection) and generate an alert email and/or log message.

    You can customize the web page that FortiWeb returns to the client with the HTTP status code. See Customizing error and authentication pages (replacement messages).

  • Period Block Block subsequent requests from the client for a number of seconds. Also configure Block Period.

    You can customize the web page that FortiWeb returns to the client with the HTTP status code. See Customizing error and authentication pages (replacement messages).

    Tip: For improved performance during a confirmed DDoS, select this option. Attackers participating in the DoS will then be blocked at the IP layer, conserving FortiWeb resources that would otherwise be consumed by scanning each attacker’s request at the HTTP layer, compounding the effects of the DDoS.

    Note: If FortiWeb is deployed behind a NAT load balancer, when using this option, you must also define an X-header that indicates the original client’s IP (see Defining your proxies, clients, & X-headers). Failure to do so may cause FortiWeb to block all connections when it detects a violation of this type.

The default value is Alert.

Caution: This setting will be ignored if Monitor Mode is enabled.

Note: Because the new active appliance does not know previous session history, after an HA failover, for existing sessions, FortiWeb will not be able to enforce actions for this feature. See Sessions & FortiWeb HA.

Note: Logging and/or alert email will occur only if enabled and configured. See Logging and Alert email.

Note: If you will use this rule set with auto-learning, you should select Alert. If Action is Alert & Deny, or any other option that causes the FortiWeb appliance to terminate or modify the request or reply when it detects an attack attempt, the interruption will cause incomplete session information for auto-learning.

Block Period

Type the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects that the client has violated the rule.

This setting is available only if Action is set to Period Block. The valid range is from 1 to 10,000 (2.78 hours). The default value is 0. See also Monitoring currently blocked IPs.

Severity

When rule violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level the FortiWeb appliance will use when it logs a violation of the rule:

  • Low
  • Medium
  • High

The default value is High.

Trigger Policy Select which trigger, if any, that the FortiWeb appliance will use when it logs and/or sends an alert email about a violation of the rule. See Viewing log messages.

5.  Click OK.

6.  Group the rule in a DoS protection policy (see Grouping DoS protection rules) that is used by a protection profile.

7.  Enable the Session Management option in the protection profile.

Attack log messages contain DoS Attack: HTTP Access Limit Violation when this feature detects a multi-URL HTTP flood. See also Log rate limits.

Example: HTTP request rate limit per IP

If you set 10 per second for both the shared and standalone limit, here are two scenarios:

Limiting TCP connections per IP address by session cookie

You can limit the number of TCP connections per HTTP session. This can prevent TCP connection floods from clients operating behind a shared IP with innocent clients.

Excessive numbers of TCP connections per session can occur if a web application or client is malfunctioning, or if an attacker is attempting to waste socket resources to produce a DoS.

This feature is similar to DoS Protection > Network > TCP Flood Prevention. However, this feature counts TCP connections per session cookie, while TCP Flood Prevention counts only TCP connections per IP address. Because it uses session cookies at the application layer instead of only TCP/IP connections at the network layer, this feature can differentiate multiple clients that may be behind the same source IP address, such as when the source IP address hides a subnet that uses network address translation (NAT). However, in order to work, the client must support cookies.

If the count exceeds the limit, the FortiWeb appliance executes the Action.

This scan is bypassed if the client’s source IP is a known search engine and you have enabled Allow Known Search Engines.
To configure a TCP connection limit per session

1.  Go to DoS Protection > Application > Malicious IPs.

To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.

2.  Click Create New.

A dialog appears.

3.  Configure these settings:

Setting name Description
Name Type a unique name that can be referenced in other parts of the configuration. Do not use spaces or special characters. The maximum length is 35 characters.
TCP Connection Number Limit

Type the maximum number of TCP connections allowed with a single HTTP client.

The valid range is from 1 to 1,024. The default is 1. Fortinet suggests an initial value of 100. See also Reducing false positives.

Action

Select which action the FortiWeb appliance will take when it detects a violation of the rule:

  • AlertAccept the request and generate an alert email and/or log message.
  • Alert & DenyBlock the request (or reset the connection) and generate an alert email and/or log message.

    You can customize the web page that FortiWeb returns to the client with the HTTP status code. See Customizing error and authentication pages (replacement messages).

  • Period Block Block subsequent requests from the client for a number of seconds. Also configure Block Period.

    You can customize the web page that FortiWeb returns to the client with the HTTP status code. See Customizing error and authentication pages (replacement messages).

    Tip: For improved performance during a confirmed DDoS, select this option. Attackers participating in the DoS will then be blocked at the IP layer, conserving FortiWeb resources that would otherwise be consumed by scanning each attacker’s request at the HTTP layer, compounding the effects of the DDoS.

    Note: If FortiWeb is deployed behind a NAT load balancer, when using this option, you must also define an X-header that indicates the original client’s IP (see Defining your proxies, clients, & X-headers). Failure to do so may cause FortiWeb to block all connections when it detects a violation of this type.

The default value is Alert.

Caution: This setting will be ignored if Monitor Mode is enabled.

Note: Because the new active appliance does not know previous session history, after an HA failover, for existing sessions, FortiWeb will not be able to enforce actions for this feature. See Sessions & FortiWeb HA.

Note: Logging and/or alert email will occur only if enabled and configured. See Logging and Alert email.

Note: If you will use this rule set with auto-learning, you should select Alert. If Action is Alert & Deny, or any other option that causes the FortiWeb appliance to terminate or modify the request or reply when it detects an attack attempt, the interruption will cause incomplete session information for auto-learning.

Block Period

Type the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects that the client has violated the rule.

This setting is available only if Action is set to Period Block. The valid range is from 1 to 10,000 (2.78 hours). The default value is 0. See also Monitoring currently blocked IPs.

Severity

When rule violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level the FortiWeb appliance will use when it logs a violation of the rule:

  • Low
  • Medium
  • High

The default value is High.

Trigger Policy Select which trigger, if any, that the FortiWeb appliance will use when it logs and/or sends an alert email about a violation of the rule. See Viewing log messages.

4.  Click OK.

5.  Group the rule in a DoS protection policy (see Grouping DoS protection rules) that is used by a protection profile.

6.  Enable the Session Management option in the protection profile.

Attack log messages contain DoS Attack: Malicious IPs Violation when this feature detects a TCP flood with the same HTTP session cookie. See also Log rate limits.

Example: TCP connection per session limit

If you set 10 as the connection limit, here are two scenarios:

See also

Preventing an HTTP request flood

You can limit the number of HTTP requests per second, per session, per URL. This effectively prevents HTTP request floods that utilize a single URL.

Because this feature uses session cookies at the application layer instead of only TCP/IP connections at the network layer, this feature can differentiate multiple clients that may be behind the same source IP address, such as when the source IP address hides a subnet that uses network address translation (NAT). However, the client must support cookies.

This feature is similar to DoS Protection > Application > HTTP Access Limit. However, rather than preventing many requests to any URL by the same client, it prevents many requests to the same URL by the same client.

If the rate exceeds the limit, the FortiWeb appliance executes the Action.

This scan is bypassed if the client’s source IP is a known search engine and you have enabled Allow Known Search Engines.
To configure HTTP flood prevention

1.  Go to DoS Protection > Application > HTTP Flood Prevention.

To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.

2.  Click Create New.

A dialog appears.

3.  Configure these settings:

Setting name Description
Name Type a unique name that can be referenced in other parts of the configuration. Do not use spaces or special characters. The maximum length is 35 characters.
HTTP Request Limit/sec

Type the maximum rate of requests per second allowed from a single HTTP client.

The valid range is from 0 to 4,096. The default is 0. Fortinet suggests an initial value of 500. See also Reducing false positives.

Real Browser Enforcement

If you want to return a JavaScript to the client to test whether it is a web browser or automated tool when it exceeds the rate limit, enable this option. If either the client fails the test, or if it does not return results before the Validation Timeout, FortiWeb will apply the Action. If the client appears to be a web browser, FortiWeb will allow the client to exceed the action. See also Bot analysis.

Disable this option to apply the rate limit regardless of whether the client is a web browser such as Firefox or an automated tool such as wget.

Validation Timeout Enter the maximum amount of time that FortiWeb will wait for results from the client for Real Browser Enforcement.
Action

Select which action the FortiWeb appliance will take when it detects a violation of the rule:

  • AlertAccept the request and generate an alert email and/or log message.
  • Alert & DenyBlock the request (or reset the connection) and generate an alert email and/or log message.

    You can customize the web page that FortiWeb returns to the client with the HTTP status code. See Customizing error and authentication pages (replacement messages).

  • Period Block Block subsequent requests from the client for a number of seconds. Also configure Block Period.

    You can customize the web page that FortiWeb returns to the client with the HTTP status code. See Customizing error and authentication pages (replacement messages).

    Tip: For improved performance during a confirmed DDoS, select this option. Attackers participating in the DoS will then be blocked at the IP layer, conserving FortiWeb resources that would otherwise be consumed by scanning each attacker’s request at the HTTP layer, compounding the effects of the DDoS.

    Note: If FortiWeb is deployed behind a NAT load balancer, when using this option, you must also define an X-header that indicates the original client’s IP (see Defining your proxies, clients, & X-headers). Failure to do so may cause FortiWeb to block all connections when it detects a violation of this type.

The default value is Alert.

Caution: This setting will be ignored if Monitor Mode is enabled.

Note: Because the new active appliance does not know previous session history, after an HA failover, for existing sessions, FortiWeb will not be able to enforce actions for this feature. See Sessions & FortiWeb HA.

Note: Logging and/or alert email will occur only if enabled and configured. See Logging and Alert email.

Note: If you will use this rule set with auto-learning, you should select Alert. If Action is Alert & Deny, or any other option that causes the FortiWeb appliance to terminate or modify the request or reply when it detects an attack attempt, the interruption will cause incomplete session information for auto-learning.

Block Period

Type the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects that the client has violated the rule.

This setting is available only if Action is set to Period Block. The valid range is from 1 to 10,000 (2.78 hours). The default value is 0. See also Monitoring currently blocked IPs.

Severity

When rule violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level the FortiWeb appliance will use when it logs a violation of the rule:

  • Low
  • Medium
  • High

The default value is High.

Trigger Policy Select which trigger, if any, that the FortiWeb appliance will use when it logs and/or sends an alert email about a violation of the rule. See Viewing log messages.

4.  Click OK.

5.  Group the rule in a DoS protection policy (see Grouping DoS protection rules).

6.  Select the DoS protection policy in a protection profile (see Configuring a protection profile for inline topologies).

7.  Enable the Session Management option in the protection profile.

Attack log messages contain DoS Attack: HTTP Flood Prevention Violation when this feature detects an HTTP flood.

Example: HTTP request flood prevention

Assuming you set 10 as the limit, here are three scenarios:

Configuring network-layer DoS protection

You configure DoS protection at the network layer using the DoS Protection > Network submenu and server policies.

Limiting TCP connections per IP address

You can limit the number of fully-formed TCP connections per source IP address. This effectively prevents TCP flood-style denial-of-service (DoS) attacks.

TCP flood attacks exploit the fact that servers must consume memory to maintain the state of the open connection until either the timeout, or the client or server closes the connection. This consumes some memory even if the client is not currently sending any HTTP requests.

Normally, a legitimate client will form a single TCP connection, through which they may make several HTTP requests. As a result, each client consumes a negligible amount of memory to track the state of the TCP connection. However, an attacker will open many connections with perhaps zero or one request each, until the server is exhausted and has no memory left to track the TCP states of new connections with legitimate clients.

This feature is similar to DoS Protection > Application > Malicious IPs. However, this feature counts TCP connections per IP, while Malicious IPs counts TCP connections per session cookie.

It is also similar to the Syn Cookie setting in a server policy. However, this feature counts fully-formed TCP connections, while Syn Cookie counts partially-formed TCP connections.

FortiWeb counts the TCP connections. If a source IP address exceeds the limit, FortiWeb executes the Action for that client.

To configure a TCP connection flood limit

1.  Go to DoS Protection > Network > TCP Flood Prevention.

To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.

2.  Click Create New.

A dialog appears.

3.  Configure these settings:

Setting name Description
Name Type a unique name that can be referenced in other parts of the configuration. Do not use spaces or special characters. The maximum length is 35 characters.
TCP Connection Number Limit

Type the maximum number of TCP connections allowed with a single source IP address.

The valid range is from 0 to 65,535. The default is 0.

Action

Select which action the FortiWeb appliance will take when it detects a violation of the rule:

  • AlertAccept the request and generate an alert email and/or log message.
  • Alert & DenyBlock the request (or reset the connection) and generate an alert email and/or log message.

    You can customize the web page that FortiWeb returns to the client with the HTTP status code. See Customizing error and authentication pages (replacement messages).

  • Period Block Block subsequent requests from the client for a number of seconds. Also configure Block Period.

    You can customize the web page that FortiWeb returns to the client with the HTTP status code. See Customizing error and authentication pages (replacement messages).

    Tip: For improved performance during a confirmed DDoS, select this option. Attackers participating in the DoS will then be blocked at the IP layer, conserving FortiWeb resources that would otherwise be consumed by scanning each attacker’s request at the HTTP layer, compounding the effects of the DDoS.

The default value is Alert.

Caution: This setting will be ignored if Monitor Mode is enabled.

Note: Logging and/or alert email will occur only if enabled and configured. See Logging and Alert email.

Note: If you will use this rule set with auto-learning, you should select Alert. If Action is Alert & Deny, or any other option that causes the FortiWeb appliance to terminate or modify the request or reply when it detects an attack attempt, the interruption will cause incomplete session information for auto-learning.

Block Period

Type the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects that the client has violated the rule.

This setting is available only if Action is set to Period Block. The valid range is from 1 to 3,600 (1 hour). The default value is 0. See also Monitoring currently blocked IPs.

Severity

When rule violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level the FortiWeb appliance will use when it logs a violation of the rule:

  • Low
  • Medium
  • High

The default value is Medium.

Trigger Action Select which trigger, if any, that the FortiWeb appliance will use when it logs and/or sends an alert email about a violation of the rule. See Viewing log messages.

4.  Click OK.

5.  Group the rule in a DoS protection policy (see Grouping DoS protection rules) that is used by a protection profile.

Attack log messages contain DoS Attack: TCP Flood Prevention Violation when this feature detects a TCP connection flood. See also Log rate limits.

Example: TCP flood prevention

Assume you set 10 as the limit. A client opens 15 TCP connections. Each connection has a different source port. The FortiWeb appliance counts all connections as part of the same source IP and blocks the connections because they exceed the limit.

See also

Preventing a TCP SYN flood

You can configure protection from TCP SYN flood-style denial of service (DoS) attacks.

TCP SYN floods attempt to exploit the state mechanism of TCP. At the point where a client has only sent a SYN signal, a connection has been initiated and therefore consumes server memory to remember the state of the half-open connection. However, because the connection is not yet fully formed, packets are not required to contain any actual application layer payload such as HTTP. Therefore, application-layer scans cannot block the connection. Scans that only count fully-formed socket connections (where the client’s SYN has been replied to by a SYN ACK from the server, and the client has confirmed connection establishment with an ACK) cannot block it either.

Normally, a legitimate client quickly completes the connection build-up and tear-down. However, an attacker initiates many connections without completing them until the server is exhausted and has no memory left to track the TCP connection state for legitimate clients.

To prevent this, FortiWeb can use a “SYN cookie” — a small piece of memory that keeps a timeout for half-open connections. This mechanism prevents half-open connections from accumulating to the point of socket exhaustion.

This feature is similar to DoS Protection > Network > TCP Flood Prevention. However, this feature counts partially-formed TCP connections, while TCP Flood Prevention counts fully-formed TCP connections.

TCP SYN flood protection is available only when the operating mode is reverse proxy or true transparent proxy. To enable the feature, you configure the Syn Cookie and Half Open Threshold options in the appropriate server policy.

Grouping DoS protection rules

Before you can apply them in a server policy via a protection profile, you must first group DoS prevention rules. (You enable TCP SYN flood protection in the appropriate server policy.)

To configure a DoS protection policy

1.  Before you can configure a DoS protection policy, you must first configure the rules that you want to include:

2.  Go to DoS Protection > DoS Protection Policy.

To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.

3.  Click Create New.

A dialog appears.

4.  In Name, type a unique name that can be referenced by other parts of the configuration. Do not use spaces or special characters. The maximum length is 35 characters.

5.  If you want to apply features that use session cookies, enable HTTP Session Based Prevention.

6.  If you want to restrict traffic based upon request or connection counts, enable HTTP Network Based Prevention.

7.  Click OK.

8.  To apply the policy, select the DoS protection policy in an inline protection profile (see Configuring a protection profile for inline topologies).

9.  If you have configured DoS protection features that use session cookies, also enable the Session Management option in the protection profile.

See also