Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Handbook

    Home FortiADC 7.4.2 Handbook
    7.4.2
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.1.4
    7.1.3
    7.1.2
    7.1.1
    7.1.0
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.6
    6.1.5
    6.1.4
    6.1.3
    6.1.2
    6.1.1
    6.1.0
    6.0.1
    6.0.0
    5.4.3
    5.4.2
    5.4.1
    5.4.0
    5.3.6
    5.3.5
    5.3.4
    5.3.3
    5.3.2
    5.3.1
    5.3.0
    5.2.7

    Configuring a DNS Reverse Flood Protection policy

    Configuring a DNS Reverse Flood Protection policy

    The DNS Reverse Flood Protection policy can limit the number of ANY type DNS requests per second to mitigate against DNS reverse flood attacks.

    A DNS reverse flood is a type of DDoS attack that uses high volumes of DNS responses to overwhelm network resources. When a small request has a disproportionately larger response, the outbound network pipe can easily become congested and disrupt traffic responses for legitimate requests and/or other applications. And since the transport protocol is UDP, these types of requests can be easily spoofed.
    One popular form of DNS reverse flood attack is DNS amplification attack. The Attacker sends out a DNS query with a forged IP address (the Victim's) to an open DNS resolver, prompting it to reply back to that address with a DNS response. With numerous fake queries being sent out, and with several DNS resolvers replying back simultaneously, the Victim's network can easily be overwhelmed by the high volume of DNS responses.

    Using the DNS Reverse Flood Protection policy, you can set a ANY Query Rate Limit to restrict the number of all types (ANY) of DNS queries that can be made per second. Once the query rate exceeds the limit, it will trigger a corresponding action (Pass or Deny).

    After you have configured a DNS Reverse Flood Protection policy, you can apply it in a DoS Protection Profile.

    To configure a DNS Reverse Flood Protection policy:
    1. Go to DoS Protection > Application.
    2. Click the DNS Reverse Flood Protection tab.
    3. Click Create New to display the configuration editor.

    4. Configure the following DNS Reverse Flood Protection settings:

      Setting

      Description

      NameSpecify a name for the DNS Reverse Flood Protection policy.
      Valid characters are A-Z, a-z, 0-9, _, and -. No spaces. The configuration name cannot be edited once it has been saved.
      Status

      Enable/disable the status of this DNS Reverse Flood Protection policy.

      ANY Query Rate Limit

      Specify the allowable number of DNS requests per second, with query type ANY. The range is 0 to 1048567. The default is 0, which means that no limit is placed on the number of DNS queries that can be made per second.

      Note:
      Multiple "rate limit" type of operations may be executed through various configurations, however, they cannot be executed all at once. Priority is given to certain rate limit operations. The following lists the execution sequence.

      1. Transaction Rate Limit (from the virtual server configuration).

      2. DNS Query Rate Limit (from DNS Query Flood Protection policy).

      3. ANY Query Rate Limit (from DNS Reverse Flood Protection policy).

      Action

      Select the corresponding action to take when the ANY Query Rate Limit is exceeded:

      • Pass — Allow the traffic.

      • Deny — Drop the traffic, send a 400 Bad request to the client.

      Deny is the default option.

      LogEnable/disable logging for the Action. This is disabled by default.
      Severity

      Select the event severity to log when the DNS Reverse Flood Protection policy is triggered:

      • High — Log as high severity events.
      • Medium — Log as a medium severity events.
      • Low — Log as low severity events.

      The default is High.

    5. Click Save.
      After the new DNS Reverse Flood Protection policy has been saved, it will appear in the DNS Reverse Flood Protection page. You can now apply this DNS Reverse Flood Protection policy to a DoS Protection Profile configuration.

    Statistical data of DNS Reverse Flood attacks are recorded in Security logs in detail (from FortiView and Log & Report), and in the Dashboard Security widget as event counts.

    Typically, Security logs provide the attack count as well, however, due to the speed at which DNS Reverse Flood attacks can occur (within milliseconds), the Security logs cannot accurately count each attack as the logs are counted every 1 second. This means that when a DNS Reverse Flood attack occurs, Security logs can only capture the attack details but not the accurate count of the number of packets that has exceeded the ANY Query Rate Limit.

    To view the correct count of each ANY Query Rate Limit excess event, you can reference the Security widget from the Dashboard that is a dedicated security event counter.
    Previous
    Next

    Configuring a DNS Reverse Flood Protection policy

    Configuring a DNS Reverse Flood Protection policy

    The DNS Reverse Flood Protection policy can limit the number of ANY type DNS requests per second to mitigate against DNS reverse flood attacks.

    A DNS reverse flood is a type of DDoS attack that uses high volumes of DNS responses to overwhelm network resources. When a small request has a disproportionately larger response, the outbound network pipe can easily become congested and disrupt traffic responses for legitimate requests and/or other applications. And since the transport protocol is UDP, these types of requests can be easily spoofed.
    One popular form of DNS reverse flood attack is DNS amplification attack. The Attacker sends out a DNS query with a forged IP address (the Victim's) to an open DNS resolver, prompting it to reply back to that address with a DNS response. With numerous fake queries being sent out, and with several DNS resolvers replying back simultaneously, the Victim's network can easily be overwhelmed by the high volume of DNS responses.

    Using the DNS Reverse Flood Protection policy, you can set a ANY Query Rate Limit to restrict the number of all types (ANY) of DNS queries that can be made per second. Once the query rate exceeds the limit, it will trigger a corresponding action (Pass or Deny).

    After you have configured a DNS Reverse Flood Protection policy, you can apply it in a DoS Protection Profile.

    To configure a DNS Reverse Flood Protection policy:
    1. Go to DoS Protection > Application.
    2. Click the DNS Reverse Flood Protection tab.
    3. Click Create New to display the configuration editor.

    4. Configure the following DNS Reverse Flood Protection settings:

      Setting

      Description

      NameSpecify a name for the DNS Reverse Flood Protection policy.
      Valid characters are A-Z, a-z, 0-9, _, and -. No spaces. The configuration name cannot be edited once it has been saved.
      Status

      Enable/disable the status of this DNS Reverse Flood Protection policy.

      ANY Query Rate Limit

      Specify the allowable number of DNS requests per second, with query type ANY. The range is 0 to 1048567. The default is 0, which means that no limit is placed on the number of DNS queries that can be made per second.

      Note:
      Multiple "rate limit" type of operations may be executed through various configurations, however, they cannot be executed all at once. Priority is given to certain rate limit operations. The following lists the execution sequence.

      1. Transaction Rate Limit (from the virtual server configuration).

      2. DNS Query Rate Limit (from DNS Query Flood Protection policy).

      3. ANY Query Rate Limit (from DNS Reverse Flood Protection policy).

      Action

      Select the corresponding action to take when the ANY Query Rate Limit is exceeded:

      • Pass — Allow the traffic.

      • Deny — Drop the traffic, send a 400 Bad request to the client.

      Deny is the default option.

      LogEnable/disable logging for the Action. This is disabled by default.
      Severity

      Select the event severity to log when the DNS Reverse Flood Protection policy is triggered:

      • High — Log as high severity events.
      • Medium — Log as a medium severity events.
      • Low — Log as low severity events.

      The default is High.

    5. Click Save.
      After the new DNS Reverse Flood Protection policy has been saved, it will appear in the DNS Reverse Flood Protection page. You can now apply this DNS Reverse Flood Protection policy to a DoS Protection Profile configuration.

    Statistical data of DNS Reverse Flood attacks are recorded in Security logs in detail (from FortiView and Log & Report), and in the Dashboard Security widget as event counts.

    Typically, Security logs provide the attack count as well, however, due to the speed at which DNS Reverse Flood attacks can occur (within milliseconds), the Security logs cannot accurately count each attack as the logs are counted every 1 second. This means that when a DNS Reverse Flood attack occurs, Security logs can only capture the attack details but not the accurate count of the number of packets that has exceeded the ANY Query Rate Limit.

    To view the correct count of each ANY Query Rate Limit excess event, you can reference the Security widget from the Dashboard that is a dedicated security event counter.
    Previous
    Next