A typical workflow for investigating FortiDDoS attack events
Whenever there is an attack, you should investigate until you fully understand why packets were dropped, and you know whether the attack event is a false positive.
A typical FortiDDoS attack investigation includes the following steps:
- Identify the destination and source.
- Identify the type of attack.
- Identify the attack size.
- Analyze Layer 3, Layer 4, and Layer 7 parameters to understand the attack method.
Step 1: Identifying the destination and source
Most of the statistics graphs identify the SPP and the direction of the attack, so, if there is only one subnet in the attacked SPP, you can easily determine the attack destination.
If the SPP contains more than one subnet, you can use the following reports to determine the attack destinations and sources:
- Top Attacks dashboard
- Log & Report > Log Access > Logs > DDoS Attack Log
Note: DDoS attacks are often spoofed attacks. Source information is not provided as it is irrelevant.
Step 2: Identifying the type of attack
If the SPP contains more than one subnet, you can use the following reports to determine the attack type:
• Top Attacks dashboard
• Dashboard > Status > Attack Logs
• FortiView > SPP > {SPP Rule} > Attacks tab
• Log & Report > Log Access > Logs > DDoS Attack Log
The following table describes DDoS attack types and identifies the FortiDDoS events to look for.
|
Attack |
Description |
Threshold to configure/adjust |
Events to watch |
|---|---|---|---|
|
SYN Attack |
A spike in packets on a specific TCP port. In most cases, the source address is spoofed. |
Layer 3 - TCP protocol (6) Layer 4 - TCP ports on which the server is listening Layer 4 - SYN Layer 4 - New connections |
Protocol 6 Flood SYN Flood Zombie Flood TCP Port Flood |
|
Source Flood |
A single source sends excessive number of IP Packets |
Layer 3 – Most Active Source |
Source Flood |
|
Zombie Attack |
A spike in TCP packets from Legitimate IP addresses |
Layer 3 – TCP protocol (6) Layer 4 – TCP ports on which the server is listening Layer 4 – SYN Layer 4 - SYN per source (syn-per-src) Layer 4 - New connections |
Layer 3 Protocol 6 SYN Flood Zombie Flood Port Flood SYN Flood from Source |
|
Fragment Flood |
Excessive number of fragmented packets |
Layer 3 – Other Protocols Fragment Layer3 – TCP Fragment Layer 3 – UDP Fragment |
Other Protocols Fragment Flood TCP Fragment Flood UDP Fragment Flood Protocol Flood |
|
ICMP Flood |
An Excessive number of ICMP Packets |
Layer 3 – ICMP protocol (1) Layer 4 – ICMP type and code |
Protocol 1 Flood
Layer 4 ICMP Flood of a specific type and code |
|
Smurf Attack |
Traffic that appears to originate from the target server’s own IP address or somewhere on its network. Targeted correctly, it can flood the network with pings and multiple responses. |
Layer 3 – ICMP protocol (1) Layer 4 – ICMP type and code combinations that are allowed by the firewall and ACL |
Protocol 1 Flood ICMP Flood of Echo-Request/Response Type (Type= 0, Code = 0) |
|
MyDoom Attack |
Excessive number of HTTP packets zombies |
Layer 3 – TCP protocol (6) Layer 4 – TCP port 80 Layer 4 – SYN Layer 4 – New connections |
Protocol 6 Flood SYN Flood Zombie Flood TCP Port Flood |
|
HTTP GET Attack |
Excessive number of HTTP GET Method packets |
Layer 3 – TCP protocol (6) Layer 4 – TCP ports on which the server is listening Layer 4 – SYN Layer 4 – New connections Layer 4 – Concurrent connections per source Layer 7 – HTTP Methods Layer 7 – URL |
Protocol 6 Flood SYN Flood TCP Zombie Flood TCP Port Flood Concurrent Connections per Source Flood HTTP Method Flood URL Flood |
|
Slow Connection Attack |
Legitimate IP sources send legitimate TCP connections but do it slowly and remain idle, which fills up the server’s connection table memory. |
Layer 3 – TCP protocol (6) Layer 4 – TCP ports on which the server is listening Layer 4 – SYN Layer 4 – New connections Layer 4 - Concurrent connections per source |
Protocol 6 Flood SYN Flood Zombie Flood TCP Port Flood Concurrent Connections per Source |
|
UDP Flood Attack |
An excessive number of UDP packets. |
Layer 3 – UDP protocol (17) Layer 4 – UDP ports on which the server is listening |
Protocol 17 Flood UDP Port Flood |
|
Slammer Attack |
An excessive number of packets on UDP port 1434 |
Layer 3 – UDP protocol (17) Layer 4 – UDP ports 1434 |
Protocol 17 Flood UDP Port 1434 Flood |
|
Fraggle Attack |
Spoofed UDP packets to a list of broadcast addresses. Usually the packets are directed to port 7 on the target machines, which is the echo port. Other times, it is directed to the CHARGEN port. Sometimes a hacker is able to set up a loop between the echo and CHARGEN port. |
Layer 3 – ICMP protocol (1) Layer 3 – UDP protocol (17) Layer 4 – UDP echo port (7) Layer 4 – Daytime Protocol port (13) Layer 4 – Quote of the Day (QOTD) port (17) Layer 4 – UDP Character Generator protocol (CHARGEN) (19) Layer 4 – ICMP Type/Codes specific to host/port not available |
Protocol 1 Flood Protocol 17 Flood UDP Port 7 Flood UDP Port 13 Flood UDP Port 17 Flood UDP Port 19 Flood ICMP Flood of Port Not Available Type, Code (3,3) ICMP Flood of Host Not Available Type, Code (3,1) |
|
DNS Port Flood |
An excessive number of packets on UDP port 53 |
Layer 3 - UDP protocol (17) Layer 4 - UDP port 53 |
Protocol 17 UDP Flood UDP Port 53 Flood |
|
DNS Query Flood |
A spike in DNS queries and occurrences of query data. |
Layer 7 - DNS query-related thresholds |
DNS Query Flood |
Step 3: Identify the attack size
You can use the Monitor graphs and Attack Logs to analyze the dimensions of the attack: increases in throughput and drops.
Step 4: Analyze attack parameters in each OSI layer
You can use the DDoS Attack log or the Monitor graphs to analyze aggregate throughput and drops due to Layer 3, Layer 4, and Layer 7 FortiDDoS rate thresholds or ACL rules.
- For Drop Monitor Graphs, start using the following graphs to identify the layer at which the attack is happening:
- Aggregate Flood Drops
- Aggregate ACL Drops
- Aggregate Anomaly Drops
- Out of Memory Drops