Handbook

Thresholds View

Before you begin:

  • You must have an expert understanding of packet rates and the other Layer 3, Layer 4, and Layer 7 parameters that you intend to set manually. Refer to Understanding FortiDDoS rate limiting thresholds.
  • You must have Read-Write permission for Protection Profile settings.
To configure threshold settings:

1. Go to Service Protection > Service Protection Policy > {SPP Rule} > Thresholds.

2. Select the type of Threshold from the drop-down list.

3. Double-click the row for the threshold you want to edit or click Create New.

4. Set thresholds for inbound and outbound traffic for the settings described in the table below.

5. Save the configuration.

Threshold Settings Configuration

Each entry below gives the threshold name, the configuration guidelines, and the graphs (Drop Monitor and Traffic Monitor) where the threshold's effect is visible.

Scalars

SYN

Packet/second rate of SYN packets received. Threshold for a SYN Flood event. When the total SYN rate to the SPP exceeds the threshold, the SYN flood mitigation tests are applied to all new connection requests from IP addresses that are not already in the legitimate IP address table.

Prerequisite: A TCP Profile with the following settings must be linked to the SPP rule: SYN Flood Mitigation => Enabled; TCP Session Feature Control: SYN Validation => Enabled.

Drop Monitor: Flood Drops > Layer 4

Traffic Monitor: Layer 3/4/7 > Layer 4 > SYN

New Connections

Connection/second rate of new connections. Threshold for zombie floods (attacks launched from compromised hosts that use legitimate IP addresses). When it detects a zombie flood, FortiDDoS blocks all new connection requests for the configured blocking period. To be effective, the New Connections threshold must always be higher than the SYN threshold. Use the FortiDDoS-generated threshold unless you have a specific reason to change it.

Prerequisite: The same TCP Profile settings as for the SYN threshold must be linked: SYN Flood Mitigation => Enabled; TCP Session Feature Control: SYN Validation => Enabled.

Drop Monitor: Flood Drops > Layer 4

Traffic Monitor: Layer 3/4/7 > Layer 4 > Other

SYN Per Source

Packet/second rate of SYN packets from any one source. No single source in an SPP is allowed to exceed this threshold. Threshold for a SYN Flood from Source event. The system applies the blocking period to identified sources; only SYNs from an identified source are blocked, its other traffic is not.

Drop Monitor: Flood Drops > Layer 4

Traffic Monitor: Layer 3/4/7 > Layer 4 > SYN

Most Active Source

Packet/second rate for the most active source. Threshold for a source flood. A source that sends packets at a rate above this threshold is considered a threat: no single source in an SPP is allowed to exceed it, and the system applies the blocking period to identified sources. All traffic from an identified source is blocked, not just its SYNs.

Drop Monitor: Flood Drops > Layer 3

Traffic Monitor: Layer 3/4/7 > Layer 3 > Sources

Concurrent Connections Per Source

Count of established TCP connections from a single source. The connection counter is incremented when a connection moves to the established state and decremented when a session times out or closes. This threshold identifies suspicious source IP behavior: an inordinate number of connections from one source is a symptom of both slow and fast TCP connection attacks. The system applies the blocking period to identified sources for SYNs (session initiation). If the aggressive aging high-concurrent-connection-per-source option is enabled, the system also sends a TCP RST to the server to reset the connection.

Drop Monitor: Flood Drops > Layer 4

Traffic Monitor: Layer 3/4/7 > Layer 4 > Other

SYN Per Destination

Packet/second rate of SYN packets to a single destination. When the per-destination limit is exceeded for a particular destination, the SYN flood mitigation tests are applied to all new connection requests to that destination. Traffic to other destinations is not subject to the tests. The system applies the blocking period to identified sources.

Prerequisite: A TCP Profile with the following settings must be linked to the SPP rule: SYN Flood Mitigation => Enabled; TCP Session Feature Control: SYN Validation => Enabled.

Drop Monitor: Flood Drops > Layer 4

Traffic Monitor: Layer 3/4/7 > Layer 4 > SYN

HTTP Method Per Source

Packet/second rate of HTTP method packets (GET, HEAD, OPTIONS, POST, and so on) from a single source. When the per-source limit is exceeded for a particular source, the system applies the blocking period to that source's HTTP traffic. The connection to the server may also be reset (TCP RST) if Protection Profiles > SPP Settings > TCP tab > Aggressive Aging TCP Connections Feature Control: Layer 7 Flood is enabled.

Drop Monitor: Flood Drops > Layer 7

Traffic Monitor: Layer 3/4/7 > Layer 7 > HTTP

Most Active Destination

Packet/second rate for the most active destination. Threshold for a destination flood. A destination that receives packets at a rate above this threshold is considered under attack.

Drop Monitor: Flood Drops > Layer 3

Traffic Monitor: Layer 3/4/7 > Layer 3 > Destinations

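The per-source scalars above (SYN Per Source, Most Active Source) and the aggregate SYN scalar are all evaluated as per-second rates, with a blocking period applied to the sources they identify and a different blocking scope for each. The following Python is an added illustration of that evaluation, not FortiDDoS code: the packet trace, the addresses, the threshold values and the 15-second blocking period are constructed for the example, and for the aggregate SYN case it simply records flood drops where the real device applies its SYN validation tests.

```python
"""Per-second scalar thresholds with a per-source blocking period.

Added example, not FortiDDoS code. It models the aggregate SYN, SYN Per
Source and Most Active Source scalars against a constructed packet trace.
Threshold values, the 15-second blocking period and all addresses are
assumptions made for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float    # arrival time in seconds
    src: str
    dst: str
    flags: str   # TCP flags: "S" = SYN, "A" = ACK


@dataclass
class Thresholds:
    syn: int                        # aggregate SYN pps for the whole SPP
    syn_per_src: int                # SYN pps allowed from any one source
    most_active_src: int            # total pps allowed from any one source
    blocking_period: float = 15.0   # seconds an identified source stays blocked (assumed)


class ScalarRateLimiter:
    def __init__(self, th):
        self.th = th
        self.counts = defaultdict(int)       # (second, key) -> packets counted
        self.blocked = defaultdict(dict)     # src -> {"syn" | "all": expiry time}
        self.stats = defaultdict(lambda: {"accepted": 0, "dropped": 0})
        self.events = []                     # (ts, src, event name)

    def _over(self, sec, key, limit):
        """Count one packet in its one-second bucket; True once the bucket exceeds limit."""
        self.counts[(sec, key)] += 1
        return self.counts[(sec, key)] > limit

    def _block(self, pkt, scope, event):
        self.blocked[pkt.src][scope] = pkt.ts + self.th.blocking_period
        self.events.append((pkt.ts, pkt.src, event))

    def _drop(self, pkt):
        self.stats[pkt.src]["dropped"] += 1
        return "DROP"

    def process(self, pkt):
        sec, is_syn = int(pkt.ts), "S" in pkt.flags
        blk = self.blocked.get(pkt.src, {})
        # Blocking period: "all" drops every packet from the source,
        # "syn" drops only its new connection attempts.
        if blk.get("all", -1.0) > pkt.ts or (is_syn and blk.get("syn", -1.0) > pkt.ts):
            return self._drop(pkt)
        # Most Active Source counts every packet from the source.
        if self._over(sec, ("src", pkt.src), self.th.most_active_src):
            self._block(pkt, "all", "Most Active Source flood")
            return self._drop(pkt)
        if is_syn:
            # SYN Per Source: only SYNs from the identified source are blocked.
            if self._over(sec, ("syn-src", pkt.src), self.th.syn_per_src):
                self._block(pkt, "syn", "SYN Flood from Source")
                return self._drop(pkt)
            # Aggregate SYN: the device applies SYN validation tests to new
            # sources above this rate; this model just records flood drops.
            if self._over(sec, ("syn", None), self.th.syn):
                return self._drop(pkt)
        self.stats[pkt.src]["accepted"] += 1
        return "ACCEPT"


def run_trace(th, packets):
    """Feed packets in time order; return per-source stats and flood events."""
    rl = ScalarRateLimiter(th)
    for pkt in sorted(packets, key=lambda p: p.ts):
        rl.process(pkt)
    return dict(rl.stats), rl.events


def constructed_trace():
    """Constructed sample traffic toward one protected host (not captured data)."""
    srv, pkts = "203.0.113.10", []
    # Legitimate client: 3 SYNs per second for 3 seconds.
    pkts += [Packet(s + i * 0.1, "10.0.0.5", srv, "S") for s in range(3) for i in range(3)]
    # SYN flooder: 50 SYNs inside second 1, then retries at t=10 and t=30.
    pkts += [Packet(1 + i * 0.01, "198.51.100.9", srv, "S") for i in range(50)]
    pkts += [Packet(10.0, "198.51.100.9", srv, "S"), Packet(30.0, "198.51.100.9", srv, "S")]
    # ACK flooder: 120 packets inside second 2, then one more at t=12.
    pkts += [Packet(2 + i * 0.005, "198.51.100.77", srv, "A") for i in range(120)]
    pkts.append(Packet(12.0, "198.51.100.77", srv, "A"))
    return pkts


if __name__ == "__main__":
    stats, events = run_trace(Thresholds(syn=1000, syn_per_src=20, most_active_src=100),
                              constructed_trace())
    for ts, src, name in events:
        print(f"t={ts:6.2f}s  {name}: {src} blocked")
    for src, s in stats.items():
        print(f"{src:15} accepted={s['accepted']:4} dropped={s['dropped']:4}")
```

With these constructed values the SYN flooder is blocked at its 21st SYN in second 1 and its retry at t=10 is still inside the blocking period, while its retry at t=30 is accepted again; the ACK flooder trips Most Active Source at its 101st packet and loses all traffic, SYN or not, until its period expires.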
OTH Fragment

Packet/second rate of fragmented packets received for IP protocols other than TCP and UDP. Although the IP specification allows fragmentation, an excessive rate of fragmented packets can cause some systems to hang or crash.

Drop Monitor: Flood Drops > Layer 3

Traffic Monitor: Layer 3/4/7 > Layer 3 > Other

UDP Fragment

Packet/second rate of fragmented UDP packets received. Although the IP specification allows fragmentation, an excessive rate of fragmented packets can cause some systems to hang or crash.

Drop Monitor: Flood Drops > Layer 3

Traffic Monitor: Layer 3/4/7 > Layer 3 > Other

TCP Fragment

Packet/second rate of fragmented TCP packets received. Although the IP specification allows fragmentation, an excessive rate of fragmented packets can cause some systems to hang or crash.

Drop Monitor: Flood Drops > Layer 3

Traffic Monitor: Layer 3/4/7 > Layer 3 > Other

DNS Query UDP

Queries/second. Threshold for a DNS Query Flood event for traffic over UDP.

Prerequisite: A DNS Profile must be linked to the SPP rule.

Drop Monitor: Flood Drops > Layer 7

Traffic Monitor: Layer 3/4/7 > Layer 7 > DNS

DNS Query TCP

Queries/second. Threshold for a DNS Query Flood event for traffic over TCP.

Prerequisite: A DNS Profile must be linked to the SPP rule.

Drop Monitor: Flood Drops > Layer 7

Traffic Monitor: Layer 3/4/7 > Layer 7 > DNS

DNS Question Count UDP

Questions/second, summed over the question sections of all queries received over UDP. Threshold for a DNS Question Flood over UDP event.

Prerequisite: A DNS Profile must be linked to the SPP rule.

Drop Monitor: Flood Drops > Layer 7

Traffic Monitor: Layer 3/4/7 > Layer 7 > DNS

DNS Question Count TCP

Questions/second, summed over the question sections of all queries received over TCP. Threshold for a DNS Question Flood over TCP event.

Prerequisite: A DNS Profile must be linked to the SPP rule.

Drop Monitor: Flood Drops > Layer 7

Traffic Monitor: Layer 3/4/7 > Layer 7 > DNS

DNS MX Count UDP

Packet/second rate of DNS queries for MX records (QTYPE=15) over UDP. Threshold for a DNS MX Flood over UDP event.

Prerequisite: A DNS Profile must be linked to the SPP rule.

Drop Monitor: Flood Drops > Layer 7

Traffic Monitor: Layer 3/4/7 > Layer 7 > DNS

DNS MX Count TCP

Packet/second rate of DNS queries for MX records (QTYPE=15) over TCP. Threshold for a DNS MX Flood over TCP event.

Prerequisite: A DNS Profile must be linked to the SPP rule.

Drop Monitor: Flood Drops > Layer 7

Traffic Monitor: Layer 3/4/7 > Layer 7 > DNS

DNS ALL UDP

Packet/second rate of DNS queries for all record types (QTYPE=255, ANY) over UDP. Threshold for a DNS ALL Flood over UDP event.

Prerequisite: A DNS Profile must be linked to the SPP rule.

Drop Monitor: Flood Drops > Layer 7

Traffic Monitor: Layer 3/4/7 > Layer 7 > DNS

DNS ALL TCP

Packet/second rate of DNS queries for all record types (QTYPE=255, ANY) over TCP. Threshold for a DNS ALL Flood over TCP event.

Prerequisite: A DNS Profile must be linked to the SPP rule.

Drop Monitor: Flood Drops > Layer 7

Traffic Monitor: Layer 3/4/7 > Layer 7 > DNS

DNS Zone Transfer TCP

Packet/second rate of DNS zone transfer (AXFR) queries (QTYPE=252) over TCP. Threshold for a DNS Zone Transfer Flood event.

Prerequisite: A DNS Profile must be linked to the SPP rule.

Drop Monitor: Flood Drops > Layer 7

Traffic Monitor: Layer 3/4/7 > Layer 7 > DNS

DNS Fragment UDP

Packet/second rate of fragmented DNS packets received over UDP. Threshold for a DNS Fragment Flood over UDP event.

Prerequisite: A DNS Profile must be linked to the SPP rule.

Drop Monitor: Flood Drops > Layer 7

Traffic Monitor: Layer 3/4/7 > Layer 7 > DNS

DNS Fragment TCP

Packet/second rate of fragmented DNS packets received over TCP. Threshold for a DNS Fragment Flood over TCP event.

Prerequisite: A DNS Profile must be linked to the SPP rule.

Drop Monitor: Flood Drops > Layer 7

Traffic Monitor: Layer 3/4/7 > Layer 7 > DNS

DNS Query Per Source

Packet/second rate of normal DNS queries from any one source. No single source in an SPP is allowed to exceed this threshold. Threshold for a DNS Query Per Source flood event. The system applies the blocking period to identified sources.

Prerequisite: A DNS Profile with DNS Source Blocking enabled must be linked to the SPP rule.

Drop Monitor: Flood Drops > Layer 7

Traffic Monitor: Layer 3/4/7 > Layer 7 > DNS

DNS Packet Track Per Source

Packet/second rate of suspicious activity from a single source: a score based on heuristics that count, per source,

  • fragmented packets
  • responses with no matching query in the DNS Query Response Matching (DQRM) table
  • queries that generate responses with an RCODE other than 0 (NOERROR).

Threshold for a DNS Suspicious Sources flood event. The system applies the blocking period to identified sources.

Prerequisite: A DNS Profile with DNS Source Blocking enabled must be linked to the SPP rule.

Drop Monitor: Flood Drops > Layer 7

Traffic Monitor: Layer 3/4/7 > Layer 7 > DNS

NTP Request

Rate limit of NTP requests to or from the SPP.

Drop Monitor: Flood Drops > Layer 7

Traffic Monitor: Layer 3/4/7 > Layer 7 > NTP

NTP Response

Rate limit of NTP responses to or from the SPP.

Usage: This threshold can be set in any environment. If FortiDDoS sees both requests and responses (symmetric traffic, or both asymmetric links pass through FortiDDoS), the NTP Unsolicited Response anomaly feature responds to NTP response floods faster than this threshold does; there is no harm in using both. If FortiDDoS is in Asymmetric Mode it cannot match responses to the requests it never sees, so use this threshold and DISABLE the NTP Unsolicited Response anomaly.

Note: NTP response floods are common because NTP is a widely abused reflection and amplification vector. Always set a Response threshold or use the NTP Unsolicited Response (NRM) anomaly.

Drop Monitor: Flood Drops > Layer 7

Traffic Monitor: Layer 3/4/7 > Layer 7 > NTP

NTP Broadcast

Rate limit of NTP broadcast packets to or from the SPP.

Usage: You should never see NTP broadcast packets on public networks. If, during Learning/Detection Mode, you see them in either direction, examine the protected IPs involved to determine whether they are originating, terminating or spoofed. Unless you know you are broadcasting for some reason, this threshold can be set to zero.

Drop Monitor: Flood Drops > Layer 7

Traffic Monitor: Layer 3/4/7 > Layer 7 > NTP

NTP Response Per Destination

Rate limit of NTP responses to each individual destination.

Usage: This threshold can be set in any environment and is normally less than or equal to the NTP Response threshold above. If FortiDDoS sees both requests and responses (symmetric traffic, or both asymmetric links pass through FortiDDoS), the NTP Unsolicited Response anomaly feature responds to per-destination NTP response floods faster than this threshold does; there is no harm in using both.

If FortiDDoS is in Asymmetric Mode, use this threshold and DISABLE the NTP Unsolicited Response anomaly.

Drop Monitor: Flood Drops > Layer 7

Traffic Monitor: Layer 3/4/7 > Layer 7 > NTP

DTLS Client Hello Per Source

Rate limit of DTLS Client Hello messages sent per source.

Drop Monitor: Flood Drops > Layer 7

Traffic Monitor: Layer 3/4/7 > Layer 7 > DTLS

DTLS Server Hello Per Source

Rate limit of DTLS Server Hello messages sent per source.

Drop Monitor: Flood Drops > Layer 7

Traffic Monitor: Layer 3/4/7 > Layer 7 > DTLS

DTLS Server Hello Per Destination

Rate limit of DTLS Server Hello messages sent per destination.

Drop Monitor: Flood Drops > Layer 7

Traffic Monitor: Layer 3/4/7 > Layer 7 > DTLS

Scalar drops for Asymmetric Mode only (with Asymmetric Mode Allow Inbound Synack enabled)

SYN/ACK in Asym Mode

Rate limit of inbound SYN/ACKs when in Asymmetric Mode.

Note: This threshold must be set manually. Observe the Traffic Monitor > Layer 3/4/7 > Layer 4 > SYN: SYN-ACK graph to determine the peak traffic rate, then set the threshold to 2x that peak.

Drop Monitor: Flood Drops > Layer 4

Traffic Monitor: Layer 3/4/7 > Layer 4 > SYN

SYN/ACK per Destination in Asym Mode

Rate limit of inbound SYN/ACKs per destination when in Asymmetric Mode.

Note: This threshold must be set manually. Observe the Traffic Monitor > Layer 3/4/7 > Layer 4 > SYN: SYN-ACK per Destination graph to determine the peak traffic rate, then set the threshold to 2x that peak.

Drop Monitor: Flood Drops > Layer 4

Traffic Monitor: Layer 3/4/7 > Layer 4 > SYN

DNSSEC Response UDP Asym

Asymmetric Mode SPP aggregate rate limit for inbound DNSSEC UDP response packets (packets from UDP port 53 that carry an EDNS OPT resource record, type 41).

In Asymmetric Mode FortiDDoS does not see the outbound queries, so DQRM, DNSSEC Message Type Match and DNSSEC Require Response After Query cannot be used; this threshold offers protection instead.

When using this threshold, enable Service Protection > DNS Profile (the one used with the applicable SPP) > DNS Message IP Fragment Try Best. This feature parses fragmented response packets to determine whether they are DNSSEC.

This is a manual threshold and must be set by the user. In Asymmetric Mode, go to Monitor > Traffic Monitor > Layer 3/4/7, select the SPP, open Layer 7 and scroll to the DNSSEC graph. This graph only appears when the system is in Asymmetric Mode.

Observe the PEAK of the UDP Asymmetric Response Ingress Max Packet Rate/Sec over a reasonable period (1 week to 1 month).

Multiply the PEAK rate by 2 and enter that value as the Inbound Threshold for this scalar. No Outbound Threshold is available.

Drop Monitor: Flood Drops > Layer 4

Traffic Monitor: Layer 3/4/7 > Layer 7 > DNSSEC graph (Asymmetric Mode only)

DNSSEC Response UDP Asym Source

Asymmetric Mode per-source-IP rate limit for inbound DNSSEC UDP response packets (packets from UDP port 53 that carry an EDNS OPT resource record, type 41).

In Asymmetric Mode FortiDDoS does not see the outbound queries, so DQRM, DNSSEC Message Type Match and DNSSEC Require Response After Query cannot be used; this threshold offers protection instead.

When using this threshold, enable Service Protection > DNS Profile (the one used with the applicable SPP) > DNS Message IP Fragment Try Best. This feature parses fragmented response packets to determine whether they are DNSSEC.

This is a manual threshold and must be set by the user. In Asymmetric Mode, go to Monitor > Traffic Monitor > Layer 3/4/7, select the SPP, open Layer 7 and scroll to the DNSSEC graph. This graph only appears when the system is in Asymmetric Mode.

Observe the PEAK of the UDP Asymmetric Response per Source Ingress Max Packet Rate/Sec over a reasonable period (1 week to 1 month).

Multiply the PEAK rate by 2 and enter that value as the Inbound Threshold for this scalar. No Outbound Threshold is available.

Drop Monitor: Flood Drops > Layer 4

Traffic Monitor: Layer 3/4/7 > Layer 7 > DNSSEC graph (Asymmetric Mode only)

DNSSEC Response UDP Asym Destination

Asymmetric Mode per-destination-IP rate limit for inbound DNSSEC UDP response packets (packets from UDP port 53 that carry an EDNS OPT resource record, type 41).

In Asymmetric Mode FortiDDoS does not see the outbound queries, so DQRM, DNSSEC Message Type Match and DNSSEC Require Response After Query cannot be used; this threshold offers protection instead.

When using this threshold, enable Service Protection > DNS Profile (the one used with the applicable SPP) > DNS Message IP Fragment Try Best. This feature parses fragmented response packets to determine whether they are DNSSEC.

This is a manual threshold and must be set by the user. In Asymmetric Mode, go to Monitor > Traffic Monitor > Layer 3/4/7, select the SPP, open Layer 7 and scroll to the DNSSEC graph. This graph only appears when the system is in Asymmetric Mode.

Observe the PEAK of the UDP Asymmetric Response per Destination Ingress Max Packet Rate/Sec over a reasonable period (1 week to 1 month).

Multiply the PEAK rate by 2 and enter that value as the Inbound Threshold for this scalar. No Outbound Threshold is available.

Drop Monitor: Flood Drops > Layer 4

Traffic Monitor: Layer 3/4/7 > Layer 7 > DNSSEC graph (Asymmetric Mode only)

HTTP Methods

HTTP/1.1 uses the following set of common methods:

  • GET
  • HEAD
  • OPTIONS
  • TRACE
  • POST
  • PUT
  • DELETE
  • CONNECT

Packet/second rate for the specified HTTP method. Threshold for an HTTP method flood attack. When the maximum rate is reached, the system drops packets matching the parameter. If the aggressive aging layer7-flood option is enabled, the system also sends a TCP RST to the server to reset the connection.

Drop Monitor: Flood Drops > Layer 7

Traffic Monitor: Layer 3/4/7 > Layer 7 > HTTP

Protocols

Protocol Start / End

Packet/second rate for the specified IP protocol number range (0-255). Threshold for a Protocol Flood event.

When you specify a threshold for protocols, enter a range, even for a single protocol. For example, to set a threshold for protocol 6 (TCP), enter 6 for both Protocol Start and Protocol End.

Drop Monitor: Flood Drops > Layer 3

Traffic Monitor: Layer 3/4/7 > Layer 3 > Protocols

TCP Ports

Port Start / End

Packet/second rate for the specified TCP port range (0-65535). Threshold for a Port Flood event. Monitoring the packet rate per port helps prevent floods against a specific application such as HTTP, FTP, SMTP or SQL. TCP has 64K (65,536) ports, most of which a particular server never uses; conversely, a server might see most or all of its traffic on a small group of ports. For this reason, assigning a single threshold to all ports generally does not provide useful protection. Instead, set a (usually low) threshold for all TCP ports and then manually configure a higher threshold for the ports your protected network actually uses. When you specify a threshold for ports, enter a range, even for a single port. For example, to set a threshold for port 8080, enter 8080 for both Port Start and Port End.

Drop Monitor: Flood Drops > Layer 4

Traffic Monitor: Layer 3/4/7 > Layer 4 > TCP Ports

UDP Ports

Port Start / End

Packet/second rate for the specified UDP port range (0-65535). Threshold for a Port Flood event.

When you specify a threshold for ports, enter a range, even for a single port. For example, to set a threshold for port 53, enter 53 for both Port Start and Port End.

Drop Monitor: Flood Drops > Layer 4

Traffic Monitor: Layer 3/4/7 > Layer 4 > UDP Ports

ICMP Types/Codes

ICMP Type/Code Start/End

Packet/second rate for the specified ICMP type/code range (0:0-255:255). The ICMP header has an 8-bit type field followed by an 8-bit code field. Threshold for an ICMP Type/Code Flood event.

A popular use of ICMP is the Echo Request message (type 8) and its corresponding Echo Reply (type 0), which are useful tools for testing connectivity and response time. In some cases these messages can also be used as an attack weapon to effectively disable a target system's network software. Take care when you set the ICMP type 0 and type 8 thresholds so that the desired functionality is preserved.

Drop Monitor: Flood Drops > Layer 4

Traffic Monitor: Layer 3/4/7 > Layer 4 > Other

HTTP Headers

URL

Packet/second rate for packets matching the specified URL. When the maximum rate is reached, the system drops packets matching the parameter. If the aggressive aging layer7-flood option is enabled, the system also sends a TCP RST to the server to reset the connection.

Specify the URL (path) of a specific resource. Botnets make it easy to launch attacks on specific URLs. When such an attack happens, FortiDDoS can isolate the URL and limit just the traffic associated with it, while all other traffic is unaffected. The URL is taken from the request line of the HTTP GET or POST; for example, the URL for http://www.website.com/index.html is /index.html.

When you specify a threshold for a URL, the system generates a corresponding hash index value and displays it in the list of URL thresholds. Make a note of it: you can use the hash value to select this URL elsewhere in the web UI. To view statistics associated with the threshold, go to Monitor > Specific Graphs > URLs, and for Please enter URL/Hash index, enter either the original URL or the hash index value.

The valid range of hash index values for URLs is 0-64k per SPP.

You can use the special prefix sys_reco_v to create hash index ranges that aggregate URLs you are interested in only as a group. For example, assume your team wants to pay close attention to five URLs, and all others can be treated essentially the same. For the first five, your configuration is specific: you know each URL and its hash index, and FortiDDoS tracks each one individually. The others are not tracked individually, but as an aggregate you can still see whether they experience rising and falling rates, including attacks. Create entries for the five priority URLs and note their hash index numbers. Assume the hash index numbers are 1, 20, 21, 39, 40.

  1. Create ranges to aggregate the gaps:
    1. The first gap is 2-19, so you create a configuration named sys_reco_v2_19. This covers hash indexes 2 through 19.
    2. The second gap is 22-38, so you create a configuration named sys_reco_v22_38.
    3. The last gap runs from 41 to the end of the range, so you create a configuration named sys_reco_v41_8192.

Note: You cannot carve a small block out of a large block. If you want to use hash index values that are already inside an aggregate range, delete the existing range and then create two ranges around the new entry.

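The gap computation in the walk-through above, as an added Python example (not FortiDDoS code): given the hash indexes assigned to individually tracked URLs, it emits the sys_reco_v<start>_<end> range name for every gap and, because a small block cannot be carved out of an existing aggregate, plans the delete-and-recreate needed when a new specific index lands inside one. The indexes 1, 20, 21, 39, 40 and the upper bound 8192 follow the walk-through; leaving index 0 alone (lower=1) is an assumption taken from the walk-through's first gap starting at 2.

```python
"""Plan sys_reco_v aggregate ranges around individually tracked URL hash indexes.

Added example, not FortiDDoS code. gap_ranges() reproduces the walk-through
above (indexes 1, 20, 21, 39, 40 give sys_reco_v2_19, sys_reco_v22_38 and
sys_reco_v41_8192); plan_new_specific() handles the rule that a small block
cannot be carved out of an existing aggregate. The upper bound 8192 follows
the walk-through, and leaving index 0 alone (lower=1) is an assumption taken
from the walk-through's first gap starting at 2.
"""


def gap_ranges(specific, upper, lower=1):
    """Inclusive (start, end) ranges in [lower, upper] not occupied by a specific index."""
    occupied = sorted(i for i in set(specific) if lower <= i <= upper)
    ranges, cursor = [], lower
    for i in occupied:
        if i > cursor:                 # adjacent indexes (20, 21) leave no gap
            ranges.append((cursor, i - 1))
        cursor = i + 1
    if cursor <= upper:
        ranges.append((cursor, upper))
    return ranges


def range_name(start, end):
    """Configuration name the page uses for an aggregate hash index range."""
    return f"sys_reco_v{start}_{end}"


def plan_new_specific(index, aggregates):
    """A new specific index inside an aggregate requires deleting that aggregate
    and recreating up to two ranges around the index. Returns what to delete
    and what to create; nothing to do if the index is not inside any aggregate."""
    for start, end in aggregates:
        if start <= index <= end:
            create = []
            if start <= index - 1:
                create.append((start, index - 1))
            if index + 1 <= end:
                create.append((index + 1, end))
            return {"delete": (start, end), "create": create}
    return {"delete": None, "create": []}


if __name__ == "__main__":
    tracked = [1, 20, 21, 39, 40]
    gaps = gap_ranges(tracked, upper=8192)
    for start, end in gaps:
        print("create", range_name(start, end))
    plan = plan_new_specific(30, gaps)
    print("to track index 30: delete", range_name(*plan["delete"]),
          "then create", [range_name(*r) for r in plan["create"]])
```

Pass the top of your unit's hash range as upper; adjacent tracked indexes produce no range, and adding a specific index at the edge of an aggregate (for example 41) yields a single replacement range rather than two.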
Drop Monitor: Flood Drops > Layer 7

Traffic Monitor: Layer 3/4/7 > Layer 7 > HTTP

Host, Referer, Cookie, User-Agent headers

Packet/second rate for packets matching the specified header value. When the maximum rate is reached, the system drops packets matching the parameter. If the aggressive aging layer7-flood option is enabled, the system also sends a TCP RST to the server to reset idle connections. A connection is deemed idle if it has not sent traffic in the last 2 minutes.

Specify HTTP header values. With the advent of botnets it is easy to launch attacks using scripts, and most of the scripts use the same code, so the chance that they all send the same Host, Referer, Cookie, or User-Agent header value is very high. When such an attack happens, FortiDDoS can isolate the offending value of one of these four headers and limit traffic associated with it, while all other traffic is unaffected.

As with URL hash indexes, you can use the sys_reco_v prefix to define hash index ranges that aggregate header values you are not specifically interested in.

The valid range of hash index values is 0-511 for each header type (Host, Referer, Cookie, User-Agent) per SPP.

Drop Monitor: Flood Drops > Layer 7

Traffic Monitor: Layer 3/4/7 > Layer 7 > HTTP

DNS Response Codes

Rcode Start / End

Packet/second rate for the specified DNS response code range (0-15). Threshold for a DNS Response Code Flood event.

Drop Monitor: Flood Drops > Layer 7

Traffic Monitor: Layer 3/4/7 > Layer 7 > DNS

To configure using the CLI:

config ddos spp rule
    edit <spp_name>
        config scalar-threshold
            edit <threshold_name>
                set scalar-type {syn | syn-per-src | most-active-source | concurrent-connections-per-source | most-active-destination | method-per-source | oth-fragment | udp-fragment | tcp-fragment | new-connections | syn-per-dst | dns-query-udp | dns-query-tcp | dns-question-count-udp | dns-question-count-tcp | dns-mx-count-udp | dns-mx-count-tcp | dns-all-udp | dns-all-tcp | dns-zone-xfer-tcp | dns-fragment-udp | dns-fragment-tcp | dns-query-per-src | dns-packet-track-per-src | ntp-req | ntp-resp | ntp-bcast | ntp-resp-per-dst}
                set inbound-threshold <integer>
                set outbound-threshold <integer>
            next
        end
        config protocol-threshold
            edit <threshold_name>
                set protocol-start <protocol_int>
                set protocol-end <protocol_int>
                set inbound-threshold <integer>
                set outbound-threshold <integer>
            next
        end
        config http-method-threshold
            edit <threshold_name>
                set method {get | head | options | trace | post | put | delete | connect}
                set inbound-threshold <integer>
                set outbound-threshold <integer>
            next
        end
        config tcp-port-threshold
            edit <threshold_name>
                set port-start <port_int>
                set port-end <port_int>
                set inbound-threshold <integer>
                set outbound-threshold <integer>
            next
        end
        config udp-port-threshold
            edit <threshold_name>
                set port-start <port_int>
                set port-end <port_int>
                set inbound-threshold <integer>
                set outbound-threshold <integer>
            next
        end
        config icmp-type-code-threshold
            edit <threshold_name>
                set icmp-type-start <type_int>
                set icmp-code-start <code_int>
                set icmp-type-end <type_int>
                set icmp-code-end <code_int>
                set inbound-threshold <integer>
                set outbound-threshold <integer>
            next
        end
        config http-url-threshold
            edit <threshold_name>
                set url <url_string>
                set inbound-threshold <integer>
                set outbound-threshold <integer>
            next
        end
        config http-host-threshold
            edit <threshold_name>
                set host <host_string>
                set inbound-threshold <integer>
                set outbound-threshold <integer>
            next
        end
        config http-referer-threshold
            edit <threshold_name>
                set referer <referer_string>
                set inbound-threshold <integer>
                set outbound-threshold <integer>
            next
        end
        config http-cookie-threshold
            edit <threshold_name>
                set cookie <cookie_string>
                set inbound-threshold <integer>
                set outbound-threshold <integer>
            next
        end
        config http-user-agent-threshold
            edit <threshold_name>
                set user-agent <user-agent_string>
                set inbound-threshold <integer>
                set outbound-threshold <integer>
            next
        end
        config dns-rcode-threshold
            edit <threshold_name>
                set rcode-start <rcode_int>
                set rcode-end <rcode_int>
                set inbound-threshold <integer>
                set outbound-threshold <integer>
            next
        end
    next
end

The scalar-type values listed here do not include the DTLS and Asymmetric Mode scalars described above.

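The manual thresholds above are sized from an observed peak multiplied by 2, the New Connections threshold must stay above the SYN threshold, and the CLI block shows where the values go. The following Python is an added example rather than FortiDDoS code or output, and ties the three together: it takes per-second samples from a learning window, recommends inbound thresholds, reports constraint violations an operator should resolve before saving, and renders the config scalar-threshold section. Applying the 2x rule to every scalar (the page states it only for the manually set asymmetric-mode thresholds) and the warning about a zero threshold are this example's own generalizations; the samples, the SPP name SPP-web and the threshold names are constructed.

```python
"""Size manual thresholds from observed peaks and render the CLI block.

Added example, not FortiDDoS code or output. It applies the sizing rule the
page gives for manually set thresholds (peak observed per-second rate over
the learning window, multiplied by 2), checks the constraint that New
Connections must be higher than SYN, and renders a 'config ddos spp rule'
block in the syntax shown above. Applying the 2x rule to every scalar is this
example's generalization; the samples, the SPP name and the threshold names
are constructed.
"""

# Constructed per-second inbound rates (packets/s or connections/s) sampled
# over a learning window, keyed by CLI scalar-type.
OBSERVED = {
    "syn":             [120, 140, 135, 180, 150, 160],
    "new-connections": [100, 130, 125, 170, 140, 150],
    "syn-per-src":     [4, 6, 5, 9, 7, 6],
    "ntp-resp":        [20, 25, 22, 30, 24, 26],
    "ntp-bcast":       [0, 0, 0, 0, 0, 0],   # never seen: the page says set to zero
}

# Scalars for which a zero threshold is deliberate rather than a sizing error.
ZERO_IS_DELIBERATE = {"ntp-bcast"}


def recommend(observed, factor=2):
    """Peak rate per scalar multiplied by the sizing factor."""
    return {scalar: max(samples) * factor for scalar, samples in observed.items()}


def validate(thresholds):
    """Return a list of problems an operator should resolve before saving."""
    issues = []
    syn, newc = thresholds.get("syn"), thresholds.get("new-connections")
    if syn is not None and newc is not None and newc <= syn:
        issues.append(f"new-connections ({newc}) must be higher than syn ({syn})")
    for scalar, value in thresholds.items():
        if value == 0 and scalar not in ZERO_IS_DELIBERATE:
            issues.append(f"{scalar}: threshold 0 would drop all matching traffic")
    return issues


def render_cli(spp_name, thresholds, outbound=None):
    """Render the scalar-threshold section for one SPP rule. Outbound defaults
    to the inbound value unless an explicit outbound map is given."""
    outbound = outbound or {}
    lines = ["config ddos spp rule", f"    edit {spp_name}", "        config scalar-threshold"]
    for scalar, inbound in thresholds.items():
        lines += [
            f"            edit {scalar}",
            f"                set scalar-type {scalar}",
            f"                set inbound-threshold {inbound}",
            f"                set outbound-threshold {outbound.get(scalar, inbound)}",
            "            next",
        ]
    lines += ["        end", "    next", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    th = recommend(OBSERVED)
    for issue in validate(th):
        print("WARNING:", issue)
    print(render_cli("SPP-web", th))
```

With the constructed samples the recommendation comes out as syn 360 and new-connections 340, which validate() flags; the operator raises New Connections above the SYN value before rendering, since the 2x rule alone does not guarantee the ordering the page requires.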
Thresholds View

Thresholds View

Before you begin:

  • You must have an expert understanding of packet rates and other Layer 3, Layer 4, and Layer 7 parameters that you want to set manually. Refer to Understanding FortiDDoS rate limiting thresholds .
  • You must have Read-Write permission for Protection Profile settings.
To configure threshold settings:

1. Go to Service Protection > Service Protection Policy > {SPP Rule} > Thresholds.

2. Select the type of Threshold from the drop-down list.

3. Double-click the row for the threshold you want to edit or click Create New.

4. Set thresholds for inbound and outbound traffic for the settings described in the table below.

5. Save the configuration.

Threshold Settings Configuration

Threshold

Guidelines

Graph

Scalars

SYN

Packet/second rate of SYN packets received. Threshold for a SYN Flood event. When total SYNs to the SPP exceeds the threshold, the SYN flood mitigation mode tests are applied to all new connection requests from IP addresses that are not already in the legitimate IP address table.

Prerequisite: A TCP Profile with following settings should be linked: SYN Flood Mitigation => Enabled

TCP Session Feature Control : SYN Validation => Enabled

Drop Monitor: Flood Drops > Layer 4

Traffic Monitor:

Layer 3/4/7 > Layer 4 > SYN

New Connections

Connection/second rate of new connections. Threshold for zombie floods (when attackers hijack legitimate IP addresses to launch DDoS attacks). When it detects a zombie flood, FortiDDoS blocks all new connection requests for the configured blocking period. In order to be effective, the new-connections threshold should always be higher than the syn threshold. We recommend that you use the FortiDDoS generated threshold unless you have a specific reason to change it.

Prerequisite: A TCP Profile with following settings should be linked to generate SYN Flood scenario: SYN Flood Mitigation => Enabled

TCP Session Feature Control : SYN Validation => Enabled

Drop Monitor: Flood Drops > Layer 4

Traffic Monitor:

Layer 3/4/7 > Layer 4 > Other

SYN Per Source

Packet/second rate of SYN packets from any one source. No single source in an SPP is allowed to exceed this threshold. Threshold for a SYN Flood from Source event. The system applies the blocking period for identified sources. Only SYNs from identified source will be blocked

Drop Monitor: Flood Drops > Layer 4

Traffic Monitor:

Layer 3/4/7 > Layer 4 > SYN

Most Active Source

Packet/second rate for the most active source. A source that sends packets at a rate that surpasses this threshold is considered a threat. Threshold for a source flood. No single source in an SPP is allowed to exceed this threshold, and the system applies the blocking period for identified sources. All traffic from identified source will be blocked

Drop Monitor: Flood Drops > Layer 3

Traffic Monitor:

Layer 3/4/7 > Layer 3 > Sources

Concurrent Connections Per Source

Count of TCP connections from a single source. The TCP connection counter is incremented when a connection moves to the established state and decremented when a session is timed out or closes. This threshold is used to identify suspicious source IP behavior. An inordinate number of connections is a symptom of both slow and fast TCP connection attacks. The system applies the blocking period for identified sources for SYN (session initiation). If the aggressive aging high-concurrent-connection-per-source option is enabled, the system also sends a TCP RST to the server to reset the connection.

Drop Monitor: Flood Drops > Layer 4

Traffic Monitor:

Layer 3/4/7 > Layer 4 > Other

SYN Per Destination

Packet/second rate for SYN packets to a single destination. When the per-destination limits are exceeded for a particular destination, the SYN flood mitigation mode tests are applied to all new connection requests to that particular destination. Traffic to other destinations is not subject to the tests. The system applies the blocking period for identified sources.

Prerequisite: A TCP Profile with following settings should be linked to generate SYN Flood scenario: SYN Flood Mitigation => Enabled

TCP Session Feature Control : SYN Validation => Enabled

Drop Monitor: Flood Drops > Layer 4

Traffic Monitor:

Layer 3/4/7 > Layer 4 > SYN

HTTP Method Per Source

Packet/second rate for Method packets (GET, HEAD, OPTION, POST, etc) from a single Source. When the per-source limits are exceeded for a particular source, the system applies the blocking period for identified sources sending HTTP traffic. The connection to the server may also be RST if Protection Profiles > SPP Settings > TCP Tab: Aggressive Aging TCP Connections Feature Control: Layer 7 Flood is enabled.

Drop Monitor: Flood Drops > Layer 7

Traffic Monitor:

Layer 3/4/7 > Layer 7 > HTTP

Most Active Destination

Packet/second rate for the most active destination. A destination that is sent packets at this rate is considered under attack. Threshold for a destination flood.

Drop Monitor: Flood Drops > Layer 3

Traffic Monitor:

Layer 3/4/7 > Layer 3 > Destinations

OTH Fragment

Packet/second rate of fragmented packets received for Protocols Except TCP and UDP. Although the IP specification allows IP fragmentation, excessive fragmented packets can cause some systems to hang or crash.

Drop Monitor: Flood Drops > Layer 3

Traffic Monitor:

Layer 3/4/7 > Layer 3 > Other

UDP Fragment

Packet/second rate of UDP fragmented packets received. Although the IP specification allows IP fragmentation, excessive fragmented packets can cause some systems to hang or crash.

Drop Monitor: Flood Drops > Layer 3

Traffic Monitor:

Layer 3/4/7 > Layer 3 > Other

TCP Fragment

Packet/second rate of TCP fragmented packets received. Although the IP specification allows IP fragmentation, excessive fragmented packets can cause some systems to hang or crash.

Drop Monitor: Flood Drops > Layer 3

Traffic Monitor:

Layer 3/4/7 > Layer 3 > Other

DNS Query UDP

Queries/second. Threshold for a DNS Query Flood event for traffic over UDP.

Prerequisite: A DNS Profile should be linked to SPP rule

Drop Monitor: Flood Drops > Layer 7

Traffic Monitor:

Layer 3/4/7 > Layer 7 > DNS

DNS Query TCP

Queries/second. Threshold for a DNS Query Flood event for traffic over TCP.

Prerequisite: A DNS Profile should be linked to SPP rule

Drop Monitor: Flood Drops > Layer 7

Traffic Monitor:

Layer 3/4/7 > Layer 7 > DNS

DNS Question Count UDP

Question count/second. Threshold for a DNS Question Flood over UDP event.

Prerequisite: A DNS Profile should be linked to SPP rule

Drop Monitor: Flood Drops > Layer 7

Traffic Monitor:

Layer 3/4/7 > Layer 7 > DNS

DNS Question Count TCP

Question count/second. Threshold for a DNS Question Flood over TCP event.

Prerequisite: A DNS Profile should be linked to SPP rule

Drop Monitor: Flood Drops > Layer 7

Traffic Monitor:

Layer 3/4/7 > Layer 7 > DNS

DNS MX Count UDP

Packet/second rate of DNS queries for MX records (QTYPE=15). Threshold for a DNS MX Flood over UDP event.

Prerequisite: A DNS Profile should be linked to SPP rule

Drop Monitor: Flood Drops > Layer 7

Traffic Monitor:

Layer 3/4/7 > Layer 7 > DNS

DNS MX Count TCP

Packet/second rate of DNS queries for MX records (QTYPE=15). Threshold for a DNS MX Flood over TCP event.

Prerequisite: A DNS Profile should be linked to SPP rule

Drop Monitor: Flood Drops > Layer 7

Traffic Monitor:

Layer 3/4/7 > Layer 7 > DNS

DNS ALL UDP

Packet/second rate of DNS queries for all DNS records (QTYPE=255). Threshold for a DNS ALL Flood over UDP event.

Prerequisite: A DNS Profile should be linked to SPP rule

Drop Monitor: Flood Drops > Layer 7

Traffic Monitor:

Layer 3/4/7 > Layer 7 > DNS

DNS ALL TCP

Packet/second rate of DNS queries for all DNS records (QTYPE=255). Threshold for a DNS ALL Flood over TCP event.

Prerequisite: A DNS Profile should be linked to SPP rule

Drop Monitor: Flood Drops > Layer 7

Traffic Monitor:

Layer 3/4/7 > Layer 7 > DNS

DNS Zone Transfer TCP

Packet/second rate of DNS zone transfer (AXFR) queries (QTYPE=252). Threshold for a DNS Zone Transfer Flood event.

Prerequisite: A DNS Profile should be linked to SPP rule

Drop Monitor: Flood Drops > Layer 7

Traffic Monitor:

Layer 3/4/7 > Layer 7 > DNS

DNS Fragment UDP

Packet/second rate of fragmented packets received. Threshold for a DNS Fragment Flood over UDP event.

Prerequisite: A DNS Profile should be linked to SPP rule

Drop Monitor: Flood Drops > Layer 7

Traffic Monitor:

Layer 3/4/7 > Layer 7 > DNS

DNS Fragment TCP

Packet/second rate of fragmented packets received. Threshold for a DNS Fragment Flood over TCP event.

Prerequisite: A DNS Profile should be linked to SPP rule

Drop Monitor: Flood Drops > Layer 7

Traffic Monitor:

Layer 3/4/7 > Layer 7 > DNS

DNS Query Per Source

Packet/second rate of normal DNS queries from any one source. No single source in an SPP is allowed to exceed this threshold. Threshold for a DNS Query Per Source flood event. The system applies the blocking period for identified sources.

Prerequisite: A DNS Profile should be linked to SPP rule with DNS Source blocking feature set to Enable

Drop Monitor: Flood Drops > Layer 7

Traffic Monitor:

Layer 3/4/7 > Layer 7 > DNS

DNS Packet Track Per Source

Packet/second rate from a source that demonstrates suspicious activity. The rate is a score based on heuristics that count:

  • fragmented packets
  • responses not found in the DQRM (DNS Query Response Matching table)
  • queries that generate responses with an RCODE other than 0

Threshold for a DNS Suspicious Sources flood event. The system applies the blocking period for identified sources.

Prerequisite: A DNS Profile should be linked to SPP rule with DNS Source blocking feature set to Enable

Drop Monitor: Flood Drops > Layer 7

Traffic Monitor:

Layer 3/4/7 > Layer 7 > DNS
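As an added illustration of the three heuristics listed above (this is not FortiDDoS code, and the appliance's real scoring and weights are not documented on this page), the following Python scores constructed DNS traffic per source and per second: each fragmented packet counts against its sender, each response with no matching query in a DQRM-style table counts against the responder, and each matched response with a non-zero RCODE counts against the client that sent the query. One point per hit, the sample addresses and the threshold value are all assumptions made for the example.

```python
"""Per-source DNS suspicion scoring modelled on the three heuristics the
handbook lists for DNS Packet Track Per Source. Added example, not Fortinet
code; the weighting (one point per hit) is an assumption."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsPacket:
    ts: int            # whole-second timestamp; scores are per second
    src: str
    dst: str
    txid: int
    qname: str
    is_response: bool
    fragmented: bool
    rcode: int = 0     # meaningful for responses only


def score_sources(packets):
    """Return {(second, source_ip): score}.

    A DQRM-style set of outstanding queries keyed by
    (client, server, txid, qname) lets each response be matched to the query
    that caused it. Packets are processed in timestamp order.
    """
    outstanding = set()
    scores = defaultdict(int)
    for p in sorted(packets, key=lambda pkt: pkt.ts):
        if p.fragmented:
            scores[(p.ts, p.src)] += 1          # fragment: blame the sender
        if not p.is_response:
            outstanding.add((p.src, p.dst, p.txid, p.qname))
            continue
        key = (p.dst, p.src, p.txid, p.qname)   # response flows server -> client
        if key in outstanding:
            outstanding.discard(key)
            if p.rcode != 0:
                scores[(p.ts, p.dst)] += 1      # failing answer: blame the querier
        else:
            scores[(p.ts, p.src)] += 1          # not in DQRM: unsolicited response
    return dict(scores)


def flag_sources(packets, threshold):
    """Sources whose per-second score exceeds the configured threshold."""
    return {k: v for k, v in score_sources(packets).items() if v > threshold}


def sample_packets():
    """Constructed traffic for one second (ts=1); not captured data."""
    server = "192.0.2.53"
    pkts = []
    # Legitimate client: one query, one matching NOERROR answer.
    pkts.append(DnsPacket(1, "10.0.0.6", server, 0x1001, "www.example.com.", False, False))
    pkts.append(DnsPacket(1, server, "10.0.0.6", 0x1001, "www.example.com.", True, False, 0))
    # Client probing random names: every matched answer is NXDOMAIN (RCODE 3).
    for i in range(3):
        name = f"r{i}.example.com."
        pkts.append(DnsPacket(1, "10.0.0.5", server, 0x2000 + i, name, False, False))
        pkts.append(DnsPacket(1, server, "10.0.0.5", 0x2000 + i, name, True, False, 3))
    # Reflected answers with no query in the DQRM; the first two are fragmented.
    for i in range(5):
        pkts.append(DnsPacket(1, "198.51.100.9", "10.0.0.7", 0x3000 + i, "isc.org.", True, i < 2, 0))
    return pkts


if __name__ == "__main__":
    for (sec, ip), score in sorted(score_sources(sample_packets()).items()):
        print(f"t={sec} {ip:<14} score={score}")
    print("flagged:", flag_sources(sample_packets(), 4))
```

With a threshold of 4 only the reflector 198.51.100.9 is flagged (five unsolicited responses plus two fragments); the NXDOMAIN-probing client 10.0.0.5 scores 3 and stays under it, which is the trade-off a manually set per-source threshold has to make.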

NTP Request

Rate Limit of NTP Requests to or from the SPP.

Drop Monitor: Flood Drops > Layer 7

Traffic Monitor:

Layer 3/4/7 > Layer 7 > NTP

NTP Response

Rate Limit of NTP Responses to or from the SPP.

Usage: This Threshold can be set for any environment, but if FortiDDoS sees both Requests and Responses (symmetric traffic, or both asymmetric links pass through FortiDDoS) the Unsolicited Response Anomaly feature above will respond to NTP Response Floods faster than this Threshold. There is no harm in using both. If FortiDDoS is in Asymmetric Mode, use this Threshold and DISABLE the NTP Unsolicited Response Anomaly.

Note: NTP Response attacks are common. Always set a Response Threshold or use NTP Unsolicited Response (NRM) Anomaly.

Drop Monitor: Flood Drops > Layer 7

Traffic Monitor:

Layer 3/4/7 > Layer 7 > NTP

NTP Broadcast

Rate Limit of NTP Broadcast packets to or from the SPP.

Usage: You should never see NTP Broadcast packets on public networks. If, during Learning/Detection Mode, you see these in either direction, examine the protected IPs involved to see if they are originating, terminating or spoofed. Unless you know you are broadcasting for some reason, this Threshold can be set to zero.

Drop Monitor: Flood Drops > Layer 7

Traffic Monitor:

Layer 3/4/7 > Layer 7 > NTP

NTP Response Per Destination

Rate Limit of NTP Responses per individual Destination.

Usage: This Threshold can be set for any environment. It will normally be less than or equal to the "Response Threshold" above. If FortiDDoS sees both Requests and Responses (symmetric traffic, or both asymmetric links pass through FortiDDoS) the Unsolicited Response Anomaly feature above will respond to NTP Response per Destination Floods faster than this Threshold. There is no harm in using both.

If FortiDDoS is in Asymmetric Mode, use this Threshold and DISABLE the NTP Unsolicited Response anomaly.

Drop Monitor: Flood Drops > Layer 7

Traffic Monitor:

Layer 3/4/7 > Layer 7 > NTP

DTLS Client Hello Per Source

Rate limit of DTLS Client Hello messages sent per Source.

Drop Monitor: Flood Drops > Layer 7

Traffic Monitor:

Layer 3/4/7 > Layer 7 > DTLS

DTLS Server Hello Per Source

Rate limit of DTLS Server Hello messages sent per Source.

Drop Monitor: Flood Drops > Layer 7

Traffic Monitor:

Layer 3/4/7 > Layer 7 > DTLS

DTLS Server Hello Per Destination

Rate limit of DTLS Server Hello messages sent per Destination.

Drop Monitor: Flood Drops > Layer 7

Traffic Monitor:

Layer 3/4/7 > Layer 7 > DTLS

Scalar Drop for Asymmetric Mode only

with Asymmetric Mode Allow Inbound Synack enabled

SYN/ACK in Asym Mode

Rate limit of inbound SYN/ACKs when in Asymmetric Mode

Note: This Threshold must be set manually. Observe the Traffic Monitor > Layer 3/4/7 > Layer 4 > SYN: SYN-ACK graph to determine the peak traffic rate and multiply it by 2 for the Threshold.

Drop Monitor: Flood Drops > Layer 4

Traffic Monitor:

Layer 3/4/7 > Layer 4 > SYN

SYN/ACK per Destination in Asym Mode

Rate limit of inbound SYN/ACKs per Destination when in Asymmetric Mode

Note: This Threshold must be set manually. Observe the Traffic Monitor > Layer 3/4/7 > Layer 4 > SYN: SYN-ACK per Destination graph to determine the peak traffic rate and multiply it by 2 for the Threshold.

Drop Monitor: Flood Drops > Layer 4

Traffic Monitor:

Layer 3/4/7 > Layer 4 > SYN

DNSSEC Response UDP Asym

Asymmetric Mode SPP aggregate rate limit Threshold for inbound DNSSEC UDP Response packets (from UDP port 53, carrying Resource Record type 41 (OPT) fields).

In Asymmetric Mode, DQRM, DNSSEC Message Type Match and DNSSEC Require Response After Query cannot be used, so this Threshold provides the protection instead.

When using this Threshold, enable Service Protection > DNS Profile (used with the applicable SPP) > DNS Message IP Fragment Try Best. This feature parses fragmented Response packets to determine whether they are DNSSEC.

This is a manual Threshold and must be set by the user. In Asymmetric Mode, go to Monitor: TRAFFIC MONITOR > Layer 3/4/7 > Select SPP > Layer 7 and scroll to the DNSSEC graph. This graph only appears when the system is in Asymmetric Mode.

Observe the PEAK traffic of the UDP Asymmetric Response Ingress Max Packet Rate/Sec over a reasonable period of time (1-Week to 1-Month).

Multiply the PEAK rate by 2 and use this rate as the Inbound Threshold for this Scalar. No Outbound Threshold is available.

Drop Monitor: Flood Drops > Layer 4

Traffic Monitor:

Layer 3/4/7 > Layer 7 > DNSSEC (Asymmetric Mode only)

DNSSEC Response UDP Asym Source

Asymmetric Mode per Source IP rate limit Threshold for inbound DNSSEC UDP Response packets per Source (from UDP port 53, carrying Resource Record type 41 (OPT) fields).

In Asymmetric Mode, DQRM, DNSSEC Message Type Match and DNSSEC Require Response After Query cannot be used, so this Threshold provides the protection instead.

When using this Threshold, enable Service Protection > DNS Profile (used with the applicable SPP) > DNS Message IP Fragment Try Best. This feature parses fragmented Response packets to determine whether they are DNSSEC.

This is a manual Threshold and must be set by the user. In Asymmetric Mode, go to Monitor: TRAFFIC MONITOR > Layer 3/4/7 > Select SPP > Layer 7 and scroll to the DNSSEC graph. This graph only appears when the system is in Asymmetric Mode.

Observe the PEAK traffic of the UDP Asymmetric Response per Source Ingress Max Packet Rate/Sec over a reasonable period of time (1-Week to 1-Month).

Multiply the PEAK rate by 2 and use this rate as the Inbound Threshold for this Scalar. No Outbound Threshold is available.

Drop Monitor: Flood Drops > Layer 4

Traffic Monitor:

Layer 3/4/7 > Layer 7 > DNSSEC (Asymmetric Mode only)

DNSSEC Response UDP Asym Destination

Asymmetric Mode per Destination IP rate limit Threshold for inbound DNSSEC UDP Response packets per Destination (from UDP port 53, carrying Resource Record type 41 (OPT) fields).

In Asymmetric Mode, DQRM, DNSSEC Message Type Match and DNSSEC Require Response After Query cannot be used, so this Threshold provides the protection instead.

When using this Threshold, enable Service Protection > DNS Profile (used with the applicable SPP) > DNS Message IP Fragment Try Best. This feature parses fragmented Response packets to determine whether they are DNSSEC.

This is a manual Threshold and must be set by the user. In Asymmetric Mode, go to Monitor: TRAFFIC MONITOR > Layer 3/4/7 > Select SPP > Layer 7 and scroll to the DNSSEC graph. This graph only appears when the system is in Asymmetric Mode.

Observe the PEAK traffic of the UDP Asymmetric Response per Destination Ingress Max Packet Rate/Sec over a reasonable period of time (1-Week to 1-Month).

Multiply the PEAK rate by 2 and enter this rate as the Inbound Threshold for this Scalar. No Outbound Threshold is available.

Drop Monitor: Flood Drops > Layer 4

Traffic Monitor:

Layer 3/4/7 > Layer 7 > DNSSEC (Asymmetric Mode only)

HTTP Methods

HTTP/1.1 uses the following set of common methods:

  • GET
  • HEAD
  • OPTIONS
  • TRACE
  • POST
  • PUT
  • DELETE
  • CONNECT

Packet/second rate for the specified HTTP method. Threshold for an HTTP method flood attack. When the maximum rate is reached, the system drops packets matching the parameter. If the aggressive aging layer7-flood option is enabled, the system also sends a TCP RST to the server to reset the connection.

Drop Monitor: Flood Drops > Layer 7

Traffic Monitor:

Layer 3/4/7 > Layer 7 > HTTP

Protocols

Protocol Start / End

Packet/second rate for the specified protocol (0-255). Threshold for a Protocol Flood event.

When you specify a threshold for protocols, enter a range, even if you are specifying a threshold for a single protocol. For example, to set a threshold for protocol 6, enter 6 for both Protocol Start and Protocol End.

Drop Monitor: Flood Drops > Layer 3

Traffic Monitor:

Layer 3/4/7 > Layer 3 > Protocols

TCP Ports

Port Start / End

Packet/second rate for the specified TCP port (0-65535). Threshold for a Port Flood event. Monitoring the packet rate for ports helps prevent floods against a specific application such as HTTP, FTP, SMTP or SQL. TCP accommodates 64K (65,536) ports, most of which may never be used by a particular server. Conversely, a server might see most or all of its traffic on a small group of TCP ports. For this reason, globally assigning a single threshold to all ports generally does not provide useful protection. Instead, set a (usually low) TCP Port Threshold for all TCP ports and then manually configure a higher threshold for the ports your protected network is actually using.

When you specify a threshold for ports, you enter a range, even if you are specifying a threshold for a single port. For example, to set a threshold for port 8080, enter 8080 for both Port Start and Port End.

Drop Monitor: Flood Drops > Layer 4

Traffic Monitor:

Layer 3/4/7 > Layer 4 > TCP Ports

UDP Ports

Port Start / End

Packet/second rate for the specified UDP port (0-65535). Threshold for a Port Flood event.

When you specify a threshold for ports, you enter a range, even if you are specifying a threshold for a single port. For example, to set a threshold for port 53, enter 53 for both Port Start and Port End.

Drop Monitor: Flood Drops > Layer 4

Traffic Monitor:

Layer 3/4/7 > Layer 4 > UDP Ports

ICMP Types/Codes

ICMP Type/Code Start/End

Packet/second rate for the specified ICMP type/code range (0:0-255:255). The ICMP header includes an 8-bit type field, followed by an 8-bit code field. Threshold for an ICMP Type/Code Flood event.

A popular use for ICMP is the Echo Request message (type 8) and its corresponding Echo Reply (type 0), which are useful tools to test connectivity and response time. This request and reply pair can also be used as an attack weapon to effectively disable a target system's network software. Take care when you set the ICMP type 0 and type 8 thresholds to ensure the desired functionality is preserved.

Drop Monitor: Flood Drops > Layer 4

Traffic Monitor:

Layer 3/4/7 > Layer 4 > Other

HTTP Headers

URL

Packet/second rate for packets with the specified URL match. When the maximum rate is reached, the system drops packets matching the parameter. If the aggressive aging layer7-flood option is enabled, the system also sends a TCP RST to the server to reset the connection.

Specify the URL for a specific website. Botnets make it easy to launch attacks on specific URLs. When such an attack happens, FortiDDoS can isolate the URL and limit just the traffic that is associated with it, while all other traffic is unaffected. The URL is found in the website’s HTTP GET or POST operations. For example, the URL for http://www.website.com/index.html is /index.html.

When you specify a threshold for a URL, the system generates a corresponding hash index value. FortiDDoS displays the hash index value in the list of URL thresholds. Make note of it. You can use the hash value to select this URL elsewhere in the web UI. To view statistics associated with the threshold, go to Monitor > Specific Graphs > URLs, and then for Please enter URL/Hash index, enter either the original URL you specified or the hash index value.

The valid range of hash index values for URLs is 0-64k per SPP.

You can use the special prefix sys_reco_v to create hash index ranges that aggregate URLs you are interested in only as a group. For example, assume your team wants to pay close attention to five websites, and all others can be treated essentially the same. For the first five, your configuration is specific: you know each website URL and its corresponding hash index, and FortiDDoS tracks each one individually. The system does not track the others with specificity, but you can track, as an aggregate, whether those sites experience rising and falling rates, including attacks. Create entries for the five priority websites and note their hash index numbers. Let's assume the hash index numbers are 1, 20, 21, 39, 40.

  1. Create ranges to aggregate the gaps:
    1. The first gap is from 2-19, so you create a configuration named sys_reco_v2_19. This includes hash numbers 2 through 19.
    2. The second gap is from 22-38, so you create a configuration named sys_reco_v22_38.
    3. The next gap is from 41 to the end of the range, so you create a configuration named sys_reco_v41_8192.

Note: You cannot carve out a small block out of a large block. If you want to use hash index values that are already in use, you must delete the existing range and then create two ranges.

Drop Monitor: Flood Drops > Layer 7

Traffic Monitor:

Layer 3/4/7 > Layer 7 > HTTP

Host, Referer, Cookie, User-Agent headers

Packet/second rate for packets with the specified header matches. When the maximum rate is reached, the system drops packets matching the parameter. If the aggressive aging layer7-flood option is enabled, the system also sends a TCP RST to the server to reset idle connections. A connection is deemed idle if it has not sent traffic in the last 2 minutes.

Specify HTTP header values. With the advent of botnets, it is easy to launch attacks using scripts. Most of the scripts use the same code. The chances that they all use the same Host, Referer, Cookie, or User-Agent header fields is very high. When such an attack happens, FortiDDoS can easily isolate the four headers among many and limit traffic associated with that specific header, while all other traffic is unaffected.

As with URL hash indexes, you can use the sys_reco_v prefix to define hash index ranges that aggregate header values you are not specifically interested in.

The valid range of hash index values is 0-511 for each setting for each SPP: Host, Referer, Cookie, User-Agent

Drop Monitor: Flood Drops > Layer 7

Traffic Monitor:

Layer 3/4/7 > Layer 7 > HTTP

DNS Response Codes

Rcode start-Rcode end

Packet/second rate for the specified DNS Response code (0-15). Threshold for DNS Response code Flood event.

Drop Monitor: Flood Drops > Layer 7

Traffic Monitor:

Layer 3/4/7 > Layer 7 > DNS

To configure using the CLI:

config ddos spp rule
    edit <spp_name>
        config scalar-threshold
            edit <threshold_name>
                set scalar-type {syn | syn-per-src | most-active-source | concurrent-connections-per-source | most-active-destination | method-per-source | oth-fragment | udp-fragment | tcp-fragment | new-connections | syn-per-dst | dns-query-udp | dns-query-tcp | dns-question-count-udp | dns-question-count-tcp | dns-mx-count-udp | dns-mx-count-tcp | dns-all-udp | dns-all-tcp | dns-zone-xfer-tcp | dns-fragment-udp | dns-fragment-tcp | dns-query-per-src | dns-packet-track-per-src | ntp-req | ntp-resp | ntp-bcast | ntp-resp-per-dst}
                set inbound-threshold <integer>
                set outbound-threshold <integer>
            next
        end
        config protocol-threshold
            edit <threshold_name>
                set protocol-start <protocol_int>
                set protocol-end <protocol_int>
                set inbound-threshold <integer>
                set outbound-threshold <integer>
            next
        end
        config http-method-threshold
            edit <threshold_name>
                set method {get | head | options | trace | post | put | delete | connect}
                set inbound-threshold <integer>
                set outbound-threshold <integer>
            next
        end
        config tcp-port-threshold
            edit <threshold_name>
                set port-start <port_int>
                set port-end <port_int>
                set inbound-threshold <integer>
                set outbound-threshold <integer>
            next
        end
        config udp-port-threshold
            edit <threshold_name>
                set port-start <port_int>
                set port-end <port_int>
                set inbound-threshold <integer>
                set outbound-threshold <integer>
            next
        end
        config icmp-type-code-threshold
            edit <threshold_name>
                set icmp-type-start <type_int>
                set icmp-code-start <code_int>
                set icmp-type-end <type_int>
                set icmp-code-end <code_int>
                set inbound-threshold <integer>
                set outbound-threshold <integer>
            next
        end
        config http-url-threshold
            edit <threshold_name>
                set url <url_string>
                set inbound-threshold <integer>
                set outbound-threshold <integer>
            next
        end
        config http-host-threshold
            edit <threshold_name>
                set host <host_string>
                set inbound-threshold <integer>
                set outbound-threshold <integer>
            next
        end
        config http-referer-threshold
            edit <threshold_name>
                set referer <referer_string>
                set inbound-threshold <integer>
                set outbound-threshold <integer>
            next
        end
        config http-cookie-threshold
            edit <threshold_name>
                set cookie <cookie_string>
                set inbound-threshold <integer>
                set outbound-threshold <integer>
            next
        end
        config http-user-agent-threshold
            edit <threshold_name>
                set user-agent <user-agent_string>
                set inbound-threshold <integer>
                set outbound-threshold <integer>
            next
        end
        config dns-rcode-threshold
            edit <threshold_name>
                set rcode-start <rcode_int>
                set rcode-end <rcode_int>
                set inbound-threshold <integer>
                set outbound-threshold <integer>
            next
        end
    next
end