Fortinet white logo
Fortinet white logo

Handbook

A typical workflow for investigating FortiDDoS attack events

A typical workflow for investigating FortiDDoS attack events

Whenever there is an attack, you should investigate until you fully understand why packets were dropped, and you know whether the attack event is a false positive.

A typical FortiDDoS attack investigation includes the following steps:

  1. Identify the destination and source.
  2. Identify the type of attack.
  3. Identify the attack size.
  4. Analyze Layer 3, Layer 4, and Layer 7 parameters to understand the attack method.

Step 1: Identifying the destination and source

Most of the statistics graphs identify the SPP and the direction of the attack, so, if there is only one subnet in the attacked SPP, you can easily determine the attack destination.

If the SPP contains more than one subnet, you can use the following reports to determine the attack destinations and sources:

  • Top Attacks dashboard
  • Log & Report > Log Access > Logs > DDoS Attack Log

Note: DDoS attacks are often spoofed attacks. Source information is not provided as it is irrelevant.

Step 2: Identifying the type of attack

If the SPP contains more than one subnet, you can use the following reports to determine the attack type:

Top Attacks dashboard

Dashboard > Status > Attack Logs

FortiView > SPP > {SPP Rule} > Attacks tab

Log & Report > Log Access > Logs > DDoS Attack Log

The following table describes DDoS attack types and identifies the FortiDDoS events to look for.

Types of attacks

Attack

Description

Threshold to configure/adjust

Events to watch

SYN Attack

A spike in packets on a specific TCP port. In most cases, the source address is spoofed.

Layer 3 - TCP protocol (6)

Layer 4 - TCP ports on which the server is listening

Layer 4 - SYN

Layer 4 - New connections

Protocol 6 Flood

SYN Flood

Zombie Flood

TCP Port Flood

Source Flood

A single source sends excessive number of IP Packets

Layer 3 – Most Active Source

Source Flood

Zombie Attack

A spike in TCP packets from Legitimate IP addresses

Layer 3 – TCP protocol (6)

Layer 4 – TCP ports on which the server is listening

Layer 4 – SYN

Layer 4 - SYN per source (syn-per-src)

Layer 4 - New connections

Layer 3 Protocol 6

SYN Flood

Zombie Flood

Port Flood

SYN Flood from Source

Fragment Flood

Excessive number of fragmented packets

Layer 3 – Other Protocols Fragment

Layer3 – TCP Fragment

Layer 3 – UDP Fragment

Other Protocols Fragment Flood

TCP Fragment Flood

UDP Fragment Flood

Protocol Flood

ICMP Flood

An Excessive number of ICMP Packets

Layer 3 – ICMP protocol (1)

Layer 4 – ICMP type and code

Protocol 1 Flood

Layer 4 ICMP Flood of a specific type and code

Smurf Attack

Traffic that appears to originate from the target server’s own IP address or somewhere on its network. Targeted correctly, it can flood the network with pings and multiple responses.

Layer 3 – ICMP protocol (1)

Layer 4 – ICMP type and code combinations that are allowed by the firewall and ACL

Protocol 1 Flood

ICMP Flood of Echo-Request/Response Type (Type= 0, Code = 0)

MyDoom Attack

Excessive number of HTTP packets zombies

Layer 3 – TCP protocol (6)

Layer 4 – TCP port 80

Layer 4 – SYN

Layer 4 – New connections

Protocol 6 Flood

SYN Flood

Zombie Flood

TCP Port Flood

HTTP GET Attack

Excessive number of HTTP GET Method packets

Layer 3 – TCP protocol (6)

Layer 4 – TCP ports on which the server is listening

Layer 4 – SYN

Layer 4 – New connections

Layer 4 – Concurrent connections per source

Layer 7 – HTTP Methods

Layer 7 – URL

Protocol 6 Flood

SYN Flood

TCP Zombie Flood

TCP Port Flood

Concurrent Connections per Source Flood

HTTP Method Flood

URL Flood

Slow Connection Attack

Legitimate IP sources send legitimate TCP connections but do it slowly and remain idle, which fills up the server’s connection table memory.

Layer 3 – TCP protocol (6)

Layer 4 – TCP ports on which the server is listening

Layer 4 – SYN

Layer 4 – New connections

Layer 4 - Concurrent connections per source

Protocol 6 Flood

SYN Flood

Zombie Flood

TCP Port Flood

Concurrent Connections per Source

UDP Flood Attack

An excessive number of UDP packets.

Layer 3 – UDP protocol (17)

Layer 4 – UDP ports on which the server is listening

Protocol 17 Flood

UDP Port Flood

Slammer Attack

An excessive number of packets on UDP port 1434

Layer 3 – UDP protocol (17)

Layer 4 – UDP ports 1434

Protocol 17 Flood

UDP Port 1434 Flood

Fraggle Attack

Spoofed UDP packets to a list of broadcast addresses. Usually the packets are directed to port 7 on the target machines, which is the echo port. Other times, it is directed to the CHARGEN port. Sometimes a hacker is able to set up a loop between the echo and CHARGEN port.

Layer 3 – ICMP protocol (1)

Layer 3 – UDP protocol (17)

Layer 4 – UDP echo port (7)

Layer 4 – Daytime Protocol port (13)

Layer 4 – Quote of the Day (QOTD) port (17)

Layer 4 – UDP Character Generator protocol (CHARGEN) (19)

Layer 4 – ICMP Type/Codes specific to host/port not available

Protocol 1 Flood

Protocol 17 Flood

UDP Port 7 Flood

UDP Port 13 Flood

UDP Port 17 Flood

UDP Port 19 Flood

ICMP Flood of Port Not Available Type, Code (3,3)

ICMP Flood of Host Not Available Type, Code (3,1)

DNS Port Flood

An excessive number of packets on UDP port 53

Layer 3 - UDP protocol (17)

Layer 4 - UDP port 53

Protocol 17 UDP Flood

UDP Port 53 Flood

DNS Query Flood

A spike in DNS queries and occurrences of query data.

Layer 7 - DNS query-related thresholds

DNS Query Flood

Step 3: Identify the attack size

You can use the Monitor graphs and Attack Logs to analyze the dimensions of the attack: increases in throughput and drops.

Step 4: Analyze attack parameters in each OSI layer

You can use the DDoS Attack log or the Monitor graphs to analyze aggregate throughput and drops due to Layer 3, Layer 4, and Layer 7 FortiDDoS rate thresholds or ACL rules.

  1. For Drop Monitor Graphs, start using the following graphs to identify the layer at which the attack is happening:
  • Aggregate Flood Drops
  • Aggregate ACL Drops
  • Aggregate Anomaly Drops
  • Out of Memory Drops
  • Drill down further by accessing statistics specific to each layer and attack type.
  • A typical workflow for investigating FortiDDoS attack events

    A typical workflow for investigating FortiDDoS attack events

    Whenever there is an attack, you should investigate until you fully understand why packets were dropped, and you know whether the attack event is a false positive.

    A typical FortiDDoS attack investigation includes the following steps:

    1. Identify the destination and source.
    2. Identify the type of attack.
    3. Identify the attack size.
    4. Analyze Layer 3, Layer 4, and Layer 7 parameters to understand the attack method.

    Step 1: Identifying the destination and source

    Most of the statistics graphs identify the SPP and the direction of the attack, so, if there is only one subnet in the attacked SPP, you can easily determine the attack destination.

    If the SPP contains more than one subnet, you can use the following reports to determine the attack destinations and sources:

    • Top Attacks dashboard
    • Log & Report > Log Access > Logs > DDoS Attack Log

    Note: DDoS attacks are often spoofed attacks. Source information is not provided as it is irrelevant.

    Step 2: Identifying the type of attack

    If the SPP contains more than one subnet, you can use the following reports to determine the attack type:

    Top Attacks dashboard

    Dashboard > Status > Attack Logs

    FortiView > SPP > {SPP Rule} > Attacks tab

    Log & Report > Log Access > Logs > DDoS Attack Log

    The following table describes DDoS attack types and identifies the FortiDDoS events to look for.

    Types of attacks

    Attack

    Description

    Threshold to configure/adjust

    Events to watch

    SYN Attack

    A spike in packets on a specific TCP port. In most cases, the source address is spoofed.

    Layer 3 - TCP protocol (6)

    Layer 4 - TCP ports on which the server is listening

    Layer 4 - SYN

    Layer 4 - New connections

    Protocol 6 Flood

    SYN Flood

    Zombie Flood

    TCP Port Flood

    Source Flood

    A single source sends excessive number of IP Packets

    Layer 3 – Most Active Source

    Source Flood

    Zombie Attack

    A spike in TCP packets from Legitimate IP addresses

    Layer 3 – TCP protocol (6)

    Layer 4 – TCP ports on which the server is listening

    Layer 4 – SYN

    Layer 4 - SYN per source (syn-per-src)

    Layer 4 - New connections

    Layer 3 Protocol 6

    SYN Flood

    Zombie Flood

    Port Flood

    SYN Flood from Source

    Fragment Flood

    Excessive number of fragmented packets

    Layer 3 – Other Protocols Fragment

    Layer3 – TCP Fragment

    Layer 3 – UDP Fragment

    Other Protocols Fragment Flood

    TCP Fragment Flood

    UDP Fragment Flood

    Protocol Flood

    ICMP Flood

    An Excessive number of ICMP Packets

    Layer 3 – ICMP protocol (1)

    Layer 4 – ICMP type and code

    Protocol 1 Flood

    Layer 4 ICMP Flood of a specific type and code

    Smurf Attack

    Traffic that appears to originate from the target server’s own IP address or somewhere on its network. Targeted correctly, it can flood the network with pings and multiple responses.

    Layer 3 – ICMP protocol (1)

    Layer 4 – ICMP type and code combinations that are allowed by the firewall and ACL

    Protocol 1 Flood

    ICMP Flood of Echo-Request/Response Type (Type= 0, Code = 0)

    MyDoom Attack

    Excessive number of HTTP packets zombies

    Layer 3 – TCP protocol (6)

    Layer 4 – TCP port 80

    Layer 4 – SYN

    Layer 4 – New connections

    Protocol 6 Flood

    SYN Flood

    Zombie Flood

    TCP Port Flood

    HTTP GET Attack

    Excessive number of HTTP GET Method packets

    Layer 3 – TCP protocol (6)

    Layer 4 – TCP ports on which the server is listening

    Layer 4 – SYN

    Layer 4 – New connections

    Layer 4 – Concurrent connections per source

    Layer 7 – HTTP Methods

    Layer 7 – URL

    Protocol 6 Flood

    SYN Flood

    TCP Zombie Flood

    TCP Port Flood

    Concurrent Connections per Source Flood

    HTTP Method Flood

    URL Flood

    Slow Connection Attack

    Legitimate IP sources send legitimate TCP connections but do it slowly and remain idle, which fills up the server’s connection table memory.

    Layer 3 – TCP protocol (6)

    Layer 4 – TCP ports on which the server is listening

    Layer 4 – SYN

    Layer 4 – New connections

    Layer 4 - Concurrent connections per source

    Protocol 6 Flood

    SYN Flood

    Zombie Flood

    TCP Port Flood

    Concurrent Connections per Source

    UDP Flood Attack

    An excessive number of UDP packets.

    Layer 3 – UDP protocol (17)

    Layer 4 – UDP ports on which the server is listening

    Protocol 17 Flood

    UDP Port Flood

    Slammer Attack

    An excessive number of packets on UDP port 1434

    Layer 3 – UDP protocol (17)

    Layer 4 – UDP ports 1434

    Protocol 17 Flood

    UDP Port 1434 Flood

    Fraggle Attack

    Spoofed UDP packets to a list of broadcast addresses. Usually the packets are directed to port 7 on the target machines, which is the echo port. Other times, it is directed to the CHARGEN port. Sometimes a hacker is able to set up a loop between the echo and CHARGEN port.

    Layer 3 – ICMP protocol (1)

    Layer 3 – UDP protocol (17)

    Layer 4 – UDP echo port (7)

    Layer 4 – Daytime Protocol port (13)

    Layer 4 – Quote of the Day (QOTD) port (17)

    Layer 4 – UDP Character Generator protocol (CHARGEN) (19)

    Layer 4 – ICMP Type/Codes specific to host/port not available

    Protocol 1 Flood

    Protocol 17 Flood

    UDP Port 7 Flood

    UDP Port 13 Flood

    UDP Port 17 Flood

    UDP Port 19 Flood

    ICMP Flood of Port Not Available Type, Code (3,3)

    ICMP Flood of Host Not Available Type, Code (3,1)

    DNS Port Flood

    An excessive number of packets on UDP port 53

    Layer 3 - UDP protocol (17)

    Layer 4 - UDP port 53

    Protocol 17 UDP Flood

    UDP Port 53 Flood

    DNS Query Flood

    A spike in DNS queries and occurrences of query data.

    Layer 7 - DNS query-related thresholds

    DNS Query Flood

    Step 3: Identify the attack size

    You can use the Monitor graphs and Attack Logs to analyze the dimensions of the attack: increases in throughput and drops.

    Step 4: Analyze attack parameters in each OSI layer

    You can use the DDoS Attack log or the Monitor graphs to analyze aggregate throughput and drops due to Layer 3, Layer 4, and Layer 7 FortiDDoS rate thresholds or ACL rules.

    1. For Drop Monitor Graphs, start using the following graphs to identify the layer at which the attack is happening:
    • Aggregate Flood Drops
    • Aggregate ACL Drops
    • Aggregate Anomaly Drops
    • Out of Memory Drops
  • Drill down further by accessing statistics specific to each layer and attack type.