Handbook

DDoS attack mitigation mechanisms

If you are new to FortiDDoS, you must first understand the tools available in your tool chest for Distributed Denial of Service (DDoS) attack mitigation. Since DDoS attacks can be of various types, FortiDDoS has a wide spectrum of capabilities for different attack types.

FortiDDoS supports the following types of countermeasures, which can be deployed in the order below:

  • Administrative countermeasures
  • Preventive countermeasures
  • Detective countermeasures
  • Reactive countermeasures

Administrative Countermeasures

Security policies, general procedures, accepted safety guidelines and so on are considered Administrative Countermeasures. These depend on the organization that uses FortiDDoS. Examples of administrative countermeasures are restricting the IP addresses from which FortiDDoS can be managed and restricting access authorization for different users based on their roles. This should be the first set of decisions made while designing a FortiDDoS deployment.

Preventive Countermeasures

Proactive measures fall under the prevention category. These include stringent security policies that can protect the system from unwanted activities. Examples include the IP Reputation Service, the Domain Reputation Service, geo-location ACLs, BCP-38 anti-spoofing, and maintaining network hygiene by blocking unwanted protocols, ports and IP ranges. These should be designed and used as the second step in the deployment.

Preventive countermeasures:

  • Service Protection Policy (SPP) - This is a fundamental architectural component of FortiDDoS which ensures isolation. Every SPP, which is configured using a set of subnets/prefixes, has its own set of policies. This ensures that an attack on one SPP doesn’t impact the others. For more information about configuring SPPs, see here.
  • Directional Protection - Attack mitigation in FortiDDoS is directional. Thus, an attack in one direction doesn’t impact the other.
  • IP Reputation Service - The FortiGuard IP Reputation Service aggregates malicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile sources. Near real-time intelligence from distributed network gateways combined with world-class research from FortiGuard Labs helps organizations stay safer and proactively block attacks. For more information about configuring IP Reputation Service, see here.
  • Domain Reputation Service - The FortiGuard Domain Reputation Service provides a regularly updated list of known malicious fully qualified domain names (FQDNs). This service is used to prevent DNS servers from reaching known malicious sites and helps prevent attacks that obfuscate source IPs using hijacked domain names. For more information about configuring Domain Reputation Service, see here.
  • Blocklisted IP addresses - This feature helps you to deny a large set of blocklisted IPv4 addresses. For more information about configuring blocklisted IP addresses, see here.
  • Blocklisted DNS domains - This feature helps you to deny a large set of blocklisted domains. For more information about configuring blocklisted DNS domains, see here.
  • Geo-location access control list - The geolocation policy feature enables you to block traffic from the countries you specify, as well as from anonymous proxies and satellite providers, whose geolocation is unknown. For more information about configuring the geo-location access control list, see here.
  • Access control list for addresses - This feature allows you to block addresses, subnets or prefixes from reaching a protected address. For more information about configuring the access control list for addresses, see here.
  • Access control list for services - This feature allows you to block services (such as protocols, ports, network parameters such as fragmentation, URLs, user-agents, etc.). For more information about configuring the access control list for services, see here.
  • Proxy IP settings - Enabling proxy IP settings avoids falsely detecting attacks from certain IPs. For more information about configuring proxy IP settings, see here.

Detective countermeasures

A DDoS attack must be detected as quickly and as accurately as possible. A DDoS attack mitigation system must be able to separate legitimate packets from attack packets. This ensures that legitimate clients are served during an attack. Examples of detective countermeasures include header, state and rate anomaly detection. Other detective countermeasures include similarity detection, such as packet-length statistics.

Detective countermeasures:

  • Rate anomaly detection using continuously adaptive threshold violation - This is the most well-known feature of FortiDDoS. It ensures that a single packet type (say SYN, or packets for a certain protocol or port) cannot exceed previously observed thresholds.
  • Slow attack detection - Apart from detecting fast attacks, FortiDDoS can also monitor attacks that are slow but dangerous for servers because they overload the connection table.
  • Protocol header anomaly detection - This is done for layer 3, 4 and 7 protocols. Mitigation covers IPv4/v6, TCP, UDP, ICMP, DNS and HTTP header anomalies.
  • State anomaly detection - FortiDDoS maintains multiple state tables to ensure that protocol state transitions are not violated. These include:
    • TCP state table - This can identify attacks such as foreign packets, ACK flood, RST flood, FIN flood, etc.
    • DNS query response matching table
    • DNS TTL table

Reactive countermeasures

After detecting an attack, the system needs to take the necessary actions to mitigate it. Examples of reactive mechanisms in FortiDDoS include rate limiting, selective packet dropping, aggressive aging, anti-spoofing, source tracking and so on. These are mostly event-driven countermeasures.

Reactive countermeasures:

  • Rate Based - There are two types of rate-based attack mitigation:
    • High Rate Attack Mitigation: Some attacks are identified when they exceed the rate thresholds set by the administrator. Such thresholds can be selectively set on a wide variety of parameters. They are adaptively adjusted over time based on average, trend and seasonality. This is the most well-known feature of FortiDDoS, which ensures that a single packet type (say SYN, or packets for a certain protocol or port) cannot exceed previously observed thresholds.
    • Slow Rate Attack Mitigation: Some attacks are identified when they are too slow to be real traffic. The administrator can set thresholds for such determination.
  • Aggressive Aging - FortiDDoS can detect slow connection attacks and combat them by “aggressively aging” idle connections. In addition to slow connection detection, you can use the SPP aggressive aging TCP connection feature control options to reset the connection (instead of just dropping the packets) when the following rate anomalies are detected:
    • high-concurrent-connection-per-source
    • layer7-flood
    FortiDDoS maintains its own massive TCP connection table, and to reserve space in this table for active traffic, FortiDDoS periodically uses aggressive aging to reset inactive connections. For more information about the above features, see here.
  • Anti-spoofing - This is done via the following source address validation schemes:
    • SYN cookie
    • ACK cookie
    • SYN retransmission
    • DNS retransmission (DNS TC=1)
    • Source tracking - This isolates an offending source IP specifically via a differential punishment scheme.
    • Caching - For DNS under flood, this technique is used to respond to the client using data from the cache.
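As an added illustration of three mechanisms listed above (SYN-cookie source address validation, the TCP state table that flags foreign packets, and aggressive aging of idle connections), the following Python model is not FortiDDoS code and is deliberately simplified. A SYN is answered with a cookie-derived initial sequence number and no state is stored; only an ACK carrying that cookie plus one creates a table entry; ACK, RST or FIN packets that match no entry count as foreign and are dropped; and once the table reaches a high watermark, idle entries are expired with a much shorter timeout. The addresses, ports, timeouts, watermark and HMAC secret are all constructed, and the cookie omits the MSS encoding a real TCP stack would include.

```python
"""TCP connection table with SYN-cookie source validation, foreign-packet
detection and aggressive aging.

Added example, not FortiDDoS code. Source address validation: a SYN gets a
cookie and no state is stored until the ACK proves the source can receive
our SYN-ACK. State table: packets matching no known connection are
"foreign" (ACK/RST/FIN floods land here). Aggressive aging: idle entries
expire faster when the table is nearly full. Everything below is constructed.
"""
import hashlib
import hmac
from collections import Counter

SERVER = "203.0.113.10"                 # RFC 5737 documentation address (constructed)
SECRET = b"constructed-demo-secret"     # a real device rotates this regularly
MASK32 = 0xFFFFFFFF


def syn_cookie(src, sport, dst, dport, slot):
    """Initial sequence number derived from the 4-tuple and a time slot, so the
    responder can verify the client's ACK later without having stored anything."""
    msg = f"{src}:{sport}>{dst}:{dport}|{slot}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")


def valid_cookie(ack, src, sport, dst, dport, slot):
    """The ACK must carry ISN + 1 for the current or the previous time slot."""
    return any((syn_cookie(src, sport, dst, dport, s) + 1) & MASK32 == ack
               for s in (slot, slot - 1))


class ConnectionTable:
    def __init__(self, capacity, idle_timeout, aggressive_timeout, high_watermark=0.75):
        self.capacity = capacity
        self.idle_timeout = idle_timeout
        self.aggressive_timeout = aggressive_timeout
        self.high_watermark = high_watermark
        self.table = {}          # 4-tuple -> last time a packet was seen
        self.stats = Counter()

    def _age(self, now):
        """Expire idle entries; use the short timeout when the table is nearly full."""
        aggressive = len(self.table) / self.capacity >= self.high_watermark
        timeout = self.aggressive_timeout if aggressive else self.idle_timeout
        for key, last_seen in list(self.table.items()):
            if now - last_seen > timeout:
                del self.table[key]
                self.stats["aggressively_aged" if aggressive else "aged"] += 1

    def packet(self, pkt, now):
        """Return ('syn-ack', isn), ('forward', None) or ('drop', None) for one packet."""
        self._age(now)
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        flags = pkt["flags"]
        if flags == "SYN":
            # Source address validation: answer statelessly with a cookie ISN.
            self.stats["syn_cookies_sent"] += 1
            return "syn-ack", syn_cookie(*key, now // 60)
        if key in self.table:
            # Known connection: refresh it, or release the entry on FIN/RST.
            if flags in ("FIN", "RST"):
                del self.table[key]
                self.stats["closed"] += 1
            else:
                self.table[key] = now
            return "forward", None
        if flags == "ACK" and valid_cookie(pkt["ack"], *key, now // 60):
            if len(self.table) >= self.capacity:
                self.stats["table_full"] += 1
                return "drop", None
            self.table[key] = now          # the source proved it received our SYN-ACK
            self.stats["validated"] += 1
            return "forward", None
        # No SYN, no matching entry, no valid cookie: a foreign packet (ACK/RST/FIN floods).
        self.stats["foreign"] += 1
        return "drop", None


def _pkt(src, sport, flags, ack=0):
    return {"src": src, "sport": sport, "dst": SERVER, "dport": 80, "flags": flags, "ack": ack}


def establish(tbl, src, sport, now):
    """A real client completes the handshake: its ACK carries ISN + 1."""
    verdict, isn = tbl.packet(_pkt(src, sport, "SYN"), now)
    assert verdict == "syn-ack"
    verdict, _ = tbl.packet(_pkt(src, sport, "ACK", (isn + 1) & MASK32), now)
    return verdict


def run_demo():
    """Constructed traffic: 3 real clients, an ACK flood, an RST flood, then a 4th client."""
    tbl = ConnectionTable(capacity=4, idle_timeout=120, aggressive_timeout=20)
    for i, t in enumerate((0, 1, 2)):                        # three legitimate clients
        establish(tbl, f"198.51.100.{i + 1}", 40000 + i, t)
    for i in range(5):                                        # spoofed ACKs: never saw a SYN-ACK
        tbl.packet(_pkt(f"192.0.2.{i + 1}", 5000 + i, "ACK", 12345), 3)
    for i in range(3):                                        # RSTs for connections that don't exist
        tbl.packet(_pkt(f"192.0.2.{50 + i}", 6000 + i, "RST"), 4)
    tbl.packet(_pkt("198.51.100.1", 40000, "ACK", 777), 10)   # client 1 keeps talking
    # At t=25 the table sits at the high watermark (3/4), so entries idle for
    # more than 20 s (clients 2 and 3) are aged aggressively before client 4 is admitted.
    establish(tbl, "198.51.100.4", 40003, 25)
    return tbl


if __name__ == "__main__":
    print(dict(run_demo().stats))
```

Two details carry the security meaning. Nothing is allocated on a SYN, so a SYN flood from spoofed sources costs the table nothing; and the aging timeout is a function of occupancy, so a slow connection attack that parks sockets idle gets exactly the aggressive treatment the handbook describes while an uncrowded table keeps its normal, longer timeout.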

Mitigation Strategies

FortiDDoS supports the following mitigation strategies:

  • Standalone mitigation
    • The appliance acts standalone and mitigates DDoS attacks up to the bandwidth of the pipe.
  • Hybrid mitigation
    • With another FortiDDoS in the cloud - If your service provider allows another high-end FortiDDoS ahead of the pipe, FortiDDoS in the data center can communicate with the FortiDDoS in the service provider network and mitigate higher bandwidth attacks.
    • With a cloud scrubbing service in the cloud - FortiDDoS in the data center can signal third-party scrubbing services and mitigate bandwidth attacks collaboratively. While the cloud scrubbing center mitigates layer 3 and layer 4 attacks, FortiDDoS in the data center mitigates residual attacks, such as application-layer and slow attacks, which cannot be mitigated in the cloud.
