Fortinet black logo

Handbook

Home FortiDDoS-F 6.3.2 Handbook

Working with the FortiDDoS attack log

6.3.2
7.0.0
6.6.3
6.6.3
6.6.1
6.6.0
6.5.1
6.5.0
6.4.1
6.4.0
6.3.3
6.3.2
6.3.1
6.2.3
6.2.2
6.2.1
6.2.0
6.1.1
Copy Link
Copy Doc ID 7b437c33-fcc7-11ec-bb32-fa163e15d75b:341038
Download PDF

Working with the FortiDDoS attack log

The monitoring and reporting framework is designed to maximize the processing resources that are available for preventing attacks, rather than forensics. In order to conserve resources to withstand multi-gigabyte attacks, the system records only data that it can use to improve security, not all possible Layer 3, Layer 4, and Layer 7 data. As a result, reporting tools such as the DDoS attack log do not always include detailed traffic parameter information. Outside of specific scenarios, the system does not report source and destination IP addresses and ports, protocols, and so on, for every dropped or blocked packet. They are reported when they are important to the attack log. For example all Source Flood logs will show the Source IP of the flood, even if it may be spoofed. However, since most DDoS attacks today use randomized source IP addresses or tens of thousands of reflecting servers, recording source IP addresses for other DDoS attacks has no value.

It is not uncommon for a FortiDDoS-F system that is monitoring a 1 Gbps traffic flow to be the target of a 700 Mbps SYN flood for 8 hours. If the system stored every source and destination IP address, port, and protocol, the logging demands (via hard disk, syslog, or SNMP trap) would soon overwhelm the disk or network.

By concentrating its resources on dropping attack traffic and maintaining service, FortiDDoS-F allows you to focus your attention elsewhere and still provide you with helpful and relevant information when an attack is underway.

There are two important types of logs:

  • The DDoS Top Attacks dashboard that provides summaries of all attacks for all SPPs and Global events for a given time period. For details, see Top Attacks.

  • The Attack Logs that provide "real time" drop information.

Attack Logs

There are 170 different Attack Log Types, many of which have "depth" such as the following types:

  • The HTTP Method Flood shows any of the eight HTTP Methods used in the attack.

  • The Possible UDP Reflection Flood shows which of a possible 10,000 UDP ports created the reflection (Source UDP Port).

  • The ICMP Type/Code Flood identifies which of 65,526 ICMP Type/Codes was used.

For Attack Log reference information, see the Appendix A: DDoS Attack Log Reference. There, you can reference which features or thresholds triggered the attack event, or where graphs associated with the attack event can be found.

DDoS Attack Log Summary

The following describes the parameters displayed in the Log & Report: LOG ACCESS > Logs > DDoS Attack Log Summary page.

Parameter

Description
Event ID An index number of the drop event.
Timestamp

Date and Time of the drop event.

There are two types of log reporting based on the type of event: Flood events that are "Interrupt" driven and Periodic events (all events that are not Flood events are "Periodic").

Periodic events are reported every 300 seconds (5 minutes). As shown in the image above, FortiDDoS inspects 100% of the passing traffic and even the single anomalous packets that are dropped. Reporting these immediately would create an enormous log list so, instead, they are aggregated over 300 seconds for logging (and graphing). All reporting is thus at 0, 5, 10, 15 minutes from the top of every hour. (Note: In the above image, even though it shows the Global Rule Deny ACL drop count is enormous, it only reports on the 5-minute period).

Interupt-driven events also report at 5-minute intervals but if the drop count exceeds a system threshold (not configurable) the drops will begin reporting at 1-minute intervals. For example, the time stamps will change to 00:01 or 00:02 instead of 00:05.

Note: In order to correlate drop events, ensure that System > Maintenance > Date and Time is set to NTP for accurate timestamps. System clocks drift and without NTP times will become inaccurate.
SPP Name Name of the SPP where the attack event occurred. The SPP Names can be filtered.
Direction Direction of the attack. The Direction can be filtered.
Event Type

Summary name of the type of attack. The Categories of attacks can be filtered.

Appendix A: DDoS Attack Log Reference provides further period and attack type information for all possible Attacks.
Drop Count Number of dropped packets over the period, which is typically 5-minute intervals but could also be 1-minute intervals as based on the Timestamp.
SPP Operating Mode The SPP Operating Mode (Detection or Prevention) at the time the drops are reported. This indicates whether the system is reporting but allowing the “drops” (Detection Mode) or dropping the packets (Prevention Mode).
(Detail Icon) Click the (Detail icon) for more detailed information about the event.

Filtering the DDoS Attack Log page

To filter the DDoS Attack Log page, you can apply Check-Box Filters and/or Add Filter Events.

Check-Box Filters

Apply one or more of the Check-Box Filters below:

Check-Box Filter

Description
Rate Flood Events Show only flood events.
ACL Events Show only ACL events.
Header Anomaly Events Show only Header Anomaly events (all Layers).
State Anomaly Events Show only State events, usually TCP Foreign Packets (out-of-state).
Notification Events No longer used. Notifications are in the Event Log.
Internal Events Show only internal system issues — usually memory table issues.
Add Filter Events

Click Add Filter to add a single or multiple simultaneous filters, alone or in addition to the Check-Box Filters.

Parameter

Description
Time Stamp

Between or Not Between specific start and send Dates/Times.

Click the first empty field to select the start date/time, then press Tab to advance to the send date/time selection, and press Tab again to navigate out of the date selection. Click OK to confirm.
Direction Equals or Not Equals to Inbound direction or Outbound direction.
Source IP

Equals or Not Equals to the Source IP Address.

Note: Few logs show any source IP address.
Protected IP Equals or Not Equals to the Protected IP Address. This refers to the attacked “inside” IP contained in the Protected Subnets list. All logs will show a Protected IP but it is not shown on this view. Access the Details view to see the Protected IP.
Protected Port Equals or Not Equals to the TCP or UDP Port of that attack log. Not all attacks provide port details. Ports are not shown on this summary log view.
Protocol Equals or Not Equals to the Protocol Number 0-255.
ICMP Type/Code

Equals or Not Equals to the ICMP Type/Code index from 0-65536. Type/Code index is not obvious. For example, Ping = 0 but Ping Response (Echo) = 2048. Contact Fortinet if Type/Code index list is needed.
SPP Operating Mode Equals or Not Equals to the Detection Mode or Prevention Mode.

SPP

Equals or Not Equals to the list of SPP Names.

Detail Attack Log view

For additional detail on an event, click the (Detail Icon) for any log.

Parameter

Description
Event ID Index number of the event.
Timestamp Date/Time of the event.
SPP Name The SPP Name.
Direction Whether the direction is Inbound or Outbound.
IP Source The Source IP address for this attack event (if available). As most Source IPs are spoofed, the Source IP is normally shown for per-Source attack events.
Protected IP The attacked IP that is part of a Protection Subnet/SPP.
Protocol The Layer 3 Protocol 0-255 (if available).
ICMP Type/Code The ICMP Type/Code for the attack event (if available).

Event Type

Name of attack event.

Event Detail

Additional details for this attack event (if available). For example, an HTTP Method Flood attack will show the Method (GET, POST, CONNECT, etc.) used in the attack.

Drop Counts

Drops from this event.

Associated Port

For most attack events, the Protected (inside) Port associated with the attack. For example, in the above image it shows this attack event was directed to 20.1.1.100:Port 80. Specifically for “Probable UDP Reflection Port Flood”, the Port shown will be the Source Port of the attack.

Subnet

The Subnet name from Protection Subnets. This subnet contains the Protected IP.

SPP Operating Mode

Whether the mode is Detection or Prevention.
Previous
Next

Working with the FortiDDoS attack log

The monitoring and reporting framework is designed to maximize the processing resources that are available for preventing attacks, rather than forensics. In order to conserve resources to withstand multi-gigabyte attacks, the system records only data that it can use to improve security, not all possible Layer 3, Layer 4, and Layer 7 data. As a result, reporting tools such as the DDoS attack log do not always include detailed traffic parameter information. Outside of specific scenarios, the system does not report source and destination IP addresses and ports, protocols, and so on, for every dropped or blocked packet. They are reported when they are important to the attack log. For example all Source Flood logs will show the Source IP of the flood, even if it may be spoofed. However, since most DDoS attacks today use randomized source IP addresses or tens of thousands of reflecting servers, recording source IP addresses for other DDoS attacks has no value.

It is not uncommon for a FortiDDoS-F system that is monitoring a 1 Gbps traffic flow to be the target of a 700 Mbps SYN flood for 8 hours. If the system stored every source and destination IP address, port, and protocol, the logging demands (via hard disk, syslog, or SNMP trap) would soon overwhelm the disk or network.

By concentrating its resources on dropping attack traffic and maintaining service, FortiDDoS-F allows you to focus your attention elsewhere and still provide you with helpful and relevant information when an attack is underway.

There are two important types of logs:

  • The DDoS Top Attacks dashboard that provides summaries of all attacks for all SPPs and Global events for a given time period. For details, see Top Attacks.

  • The Attack Logs that provide "real time" drop information.

Attack Logs

There are 170 different Attack Log Types, many of which have "depth" such as the following types:

  • The HTTP Method Flood shows any of the eight HTTP Methods used in the attack.

  • The Possible UDP Reflection Flood shows which of a possible 10,000 UDP ports created the reflection (Source UDP Port).

  • The ICMP Type/Code Flood identifies which of 65,526 ICMP Type/Codes was used.

For Attack Log reference information, see the Appendix A: DDoS Attack Log Reference. There, you can reference which features or thresholds triggered the attack event, or where graphs associated with the attack event can be found.

DDoS Attack Log Summary

The following describes the parameters displayed in the Log & Report: LOG ACCESS > Logs > DDoS Attack Log Summary page.

Parameter

Description
Event ID An index number of the drop event.
Timestamp

Date and Time of the drop event.

There are two types of log reporting based on the type of event: Flood events that are "Interrupt" driven and Periodic events (all events that are not Flood events are "Periodic").

Periodic events are reported every 300 seconds (5 minutes). As shown in the image above, FortiDDoS inspects 100% of the passing traffic and even the single anomalous packets that are dropped. Reporting these immediately would create an enormous log list so, instead, they are aggregated over 300 seconds for logging (and graphing). All reporting is thus at 0, 5, 10, 15 minutes from the top of every hour. (Note: In the above image, even though it shows the Global Rule Deny ACL drop count is enormous, it only reports on the 5-minute period).

Interupt-driven events also report at 5-minute intervals but if the drop count exceeds a system threshold (not configurable) the drops will begin reporting at 1-minute intervals. For example, the time stamps will change to 00:01 or 00:02 instead of 00:05.

Note: In order to correlate drop events, ensure that System > Maintenance > Date and Time is set to NTP for accurate timestamps. System clocks drift and without NTP times will become inaccurate.
SPP Name Name of the SPP where the attack event occurred. The SPP Names can be filtered.
Direction Direction of the attack. The Direction can be filtered.
Event Type

Summary name of the type of attack. The Categories of attacks can be filtered.

Appendix A: DDoS Attack Log Reference provides further period and attack type information for all possible Attacks.
Drop Count Number of dropped packets over the period, which is typically 5-minute intervals but could also be 1-minute intervals as based on the Timestamp.
SPP Operating Mode The SPP Operating Mode (Detection or Prevention) at the time the drops are reported. This indicates whether the system is reporting but allowing the “drops” (Detection Mode) or dropping the packets (Prevention Mode).
(Detail Icon) Click the (Detail icon) for more detailed information about the event.

Filtering the DDoS Attack Log page

To filter the DDoS Attack Log page, you can apply Check-Box Filters and/or Add Filter Events.

Check-Box Filters

Apply one or more of the Check-Box Filters below:

Check-Box Filter

Description
Rate Flood Events Show only flood events.
ACL Events Show only ACL events.
Header Anomaly Events Show only Header Anomaly events (all Layers).
State Anomaly Events Show only State events, usually TCP Foreign Packets (out-of-state).
Notification Events No longer used. Notifications are in the Event Log.
Internal Events Show only internal system issues — usually memory table issues.
Add Filter Events

Click Add Filter to add a single or multiple simultaneous filters, alone or in addition to the Check-Box Filters.

Parameter

Description
Time Stamp

Between or Not Between specific start and send Dates/Times.

Click the first empty field to select the start date/time, then press Tab to advance to the send date/time selection, and press Tab again to navigate out of the date selection. Click OK to confirm.
Direction Equals or Not Equals to Inbound direction or Outbound direction.
Source IP

Equals or Not Equals to the Source IP Address.

Note: Few logs show any source IP address.
Protected IP Equals or Not Equals to the Protected IP Address. This refers to the attacked “inside” IP contained in the Protected Subnets list. All logs will show a Protected IP but it is not shown on this view. Access the Details view to see the Protected IP.
Protected Port Equals or Not Equals to the TCP or UDP Port of that attack log. Not all attacks provide port details. Ports are not shown on this summary log view.
Protocol Equals or Not Equals to the Protocol Number 0-255.
ICMP Type/Code

Equals or Not Equals to the ICMP Type/Code index from 0-65536. Type/Code index is not obvious. For example, Ping = 0 but Ping Response (Echo) = 2048. Contact Fortinet if Type/Code index list is needed.
SPP Operating Mode Equals or Not Equals to the Detection Mode or Prevention Mode.

SPP

Equals or Not Equals to the list of SPP Names.

Detail Attack Log view

For additional detail on an event, click the (Detail Icon) for any log.

Parameter

Description
Event ID Index number of the event.
Timestamp Date/Time of the event.
SPP Name The SPP Name.
Direction Whether the direction is Inbound or Outbound.
IP Source The Source IP address for this attack event (if available). As most Source IPs are spoofed, the Source IP is normally shown for per-Source attack events.
Protected IP The attacked IP that is part of a Protection Subnet/SPP.
Protocol The Layer 3 Protocol 0-255 (if available).
ICMP Type/Code The ICMP Type/Code for the attack event (if available).

Event Type

Name of attack event.

Event Detail

Additional details for this attack event (if available). For example, an HTTP Method Flood attack will show the Method (GET, POST, CONNECT, etc.) used in the attack.

Drop Counts

Drops from this event.

Associated Port

For most attack events, the Protected (inside) Port associated with the attack. For example, in the above image it shows this attack event was directed to 20.1.1.100:Port 80. Specifically for “Probable UDP Reflection Port Flood”, the Port shown will be the Source Port of the attack.

Subnet

The Subnet name from Protection Subnets. This subnet contains the Protected IP.

SPP Operating Mode

Whether the mode is Detection or Prevention.
Previous
Next