Fortinet white logo
Fortinet white logo

Handbook

Using the Flood Drops graphs

Using the Flood Drops graphs

Use the Flood Drops graphs to monitor drops due to SPP packet rate thresholds that detect flood attacks.

Customize the graph with the following viewing parameters: SPP, Reporting Period (1-hr to 1-yr), Linear/Logarithmic Y-Axis.

Placing the cursor on the Monitor graph will display a tool-tip with additional information.

For many parameters additional information will be see in the Traffic Monitor Graphs.

Before you begin:

  • You must have Read permission for the Monitor menu.
  • Refer to Reading Monitor graphs to understand the graphs in detail.
To display the graph:
  1. Go to Monitor > Drops Monitor > Flood Drops > [SPP] [Aggregate/Layer 3/4/7] [Y-Axis View] [Reporting Period].

The following summarizes the statistics displayed in the graphs.

Statistic

Description

Aggregate

Layer 3

Aggregation of drops due to SPP Layer 3 thresholds.

Layer 4

Aggregation of drops due to SPP Layer 4 thresholds.

Layer 7

Aggregation of drops due to SPP Layer 7 thresholds.

Layer 3

Protocols

Aggregation of drops due to protocols thresholds. These counters track the packet rate for each protocol.

Fragmented Packets

Drops due to the SPP Fragment thresholds (TCP/UDP/Other Protocols).

Source Flood

Drops due to the SPP Most Active Source (MAS) threshold. This counter tracks dropped packets from source IP addresses.

Destination Flood

Drops due to the SPP Most Active Destination (MAD) threshold. This counter tracks dropped packets to protected IP addresses.

Note: The Most Active Destination Threshold is set to system maximum by System Recommendations.

Layer 4

SYN

Drops due to the SPP SYN threshold. This counter shows drops due to SYN (Source IP) Validation for the aggregate rate of all SYNs into the SPP. Further SYN detail is available in the Traffic Monitor > Layer 4 graphs

SYN/ACK Flood in asymmetric mode

Drops due to the SPP inbound SYN/ACK threshold. This counter shows drops due to SYN/ACK for the aggregate over-threshold rate to all Protected Subnets within the SPP.

Note this Threshold is only available and graphed when:

  • FortiDDoS is in Asymmetric Mode with Asymmetric Mode Allow Inbound Synack enabled (Global Protection > Deployment)
  • SYN/ACK in Asym Mode Threshold is manually set per Service Protection Policy > Thresholds > Scalars

Further SYN/ACK in Asym Mode detail may be available in the Traffic Monitor > Layer 4 graphs.

SYN/ACK per Destination Flood in asymmetric mode

Drops due to the SPP inbound SYN/ACK per Destination threshold. This counter shows drops due to SYN/ACK per Destination for the over-threshold rate to any Protected IP within the SPP.

Note this Threshold is only available and graphed when:

  • System is in Asymmetric Mode with Asymmetric Mode Allow Inbound Synack enabled (Global Protection > Deployment)
  • SYN/ACK per Destination in Asym Mode Threshold is manually set per Service Protection Policy > Thresholds > Scalars

Further SYN/ACK per Destination in Asym Mode detail may be available in the Traffic Monitor > Layer 4 graphs.

TCP Ports

Aggregation of drops due to the SPP rate-limiting thresholds for TCP ports.

UDP Ports

Aggregation of drops due to the SPP rate-limiting thresholds for UDP ports.

ICMP Types/Codes

Aggregation of drops due to the SPP rate-limiting thresholds for ICMP types/codes.

Zombie Flood

Drops due to the SPP New Connections threshold, which sets a limit for legitimate IPs. FortiDDoS assumes a zombie flood is underway when the number of allowed legitimate IP addresses during a SYN flood exceeds a set threshold. These packets indicate that non-spoofed IP addresses are creating a DDoS attack by generating a large number SYN packets. Note: The New Connections Threshold is set to system maximum by System Recommendations.

SYN Per Source Flood

Drops due to the SPP SYN per Source threshold. This counter shows drops due to SYN per Source IP rate limiting within the SPP. No SYN Validation is done for SYN per Source. Further SYN per Source detail is available in the Traffic Monitor > Layer 4 graphs.

Connections Per Source

Drops due to the SPP Concurrent Connections per Source rate-limiting threshold.

SYN Per Destination

Drops due to the SPP SYN per Destination threshold. This counter shows drops due to SYN Validation for over-threshold Protected IPs (Destinations) within the SPP. Further SYN per Destination detail is available in the Traffic Monitor > Layer 4 graphs

Slow Connection

Drops due to SPP slow connection detection and blocking of identified sources of slow connection attacks.

Layer 7

Aggregate

Display of aggregate Flood drops for:

  • HTTP
  • SSL/TLS
  • DNS
  • NTP

HTTP

Display of Flood drops due to HTTP thresholds for:

  • Methods (GET, HEAD, OPTIONS, TRACE, POST, PUT, DELETE, CONNECT)
  • Method per Source (aggregation of any Methods per Source IP)
  • URL
  • Host
  • Referer
  • Cookie
  • User Agent

SSL/TLS

Display of drops from SSL/TLS Incomplete Request Source Flood.

DNS

Display of drops due to DNS thresholds:

  • Unsolicited DNS Response Drop - Drops when a DNS Response is received but there is no DNS Query entry in the DNS Query Response Matching (DQRM) table.
  • LQ Drops - Drops during any type of UDP Query Flood when the Query is not in the Legitimate Query (LQ) table.
  • TTL Drop - Drops during any type of UDP Query Flood when a source IP address sends a repeated DNS UDP Query for the same destination before the TTL has expired. It is expected that the query should not be repeated until the TTL expires.
  • Cache Drop - Drops during any type of UDP Query Flood when a response was served from the Cache or because a response was not found in the cache and the system is configured to drop such queries.
  • Spoofed IP Drop - Drops due UDP DNS anti-spoofing checks (Retransmission or TC=1/Force TCP)
  • Unexpected Query Drop - Drops due to Duplicate Query checks.
  • Query Per Source Drop - Drops due to the DNS UDP Query per Source threshold. This rate-limiting threshold tracks DNS UDP Query rates from source IP addresses and does not attempt Source or Query validation. .
  • Suspicious Sources Drop - Drops due to the UDP DNS Packet Track per Source threshold. This rate-limiting threshold tracks sources that demonstrate suspicious activity (a score based on heuristics that count fragmented packets, response not found in DQRM, or queries that generate responses with RCODE other than 0).
  • Fragment Drop - Drops due to rate-limiting DNS Fragment threshold for UDP traffic.
  • TCP Query Drop - Drops due to the rate-limiting DNS Query TCP threshold for TCP traffic
  • TCP Question Drop Drops due to the rate-limiting DNS Question Count TCP threshold for TCP traffic.
  • TCP MX Drop Drops due to the rate-limiting DNS MX Count TCP threshold for TCP traffic.
  • TCP All Drop Drops due to the rate-limiting DNS All TCP threshold for TCP traffic.
  • TCP Zone Transfer Drop - Drops due to the rate-limiting DNS Zone Transfer TCP threshold for TCP traffic.

NTP

Display of drops due to NTP thresholds:

  • Request Flood Drops - Drops due to rate-limiting NTP Request threshold
  • Response Flood Drops - Drops due to rate-limiting NTP Response threshold
  • Broadcast Packet Flood Drops - Drops due to rate-limiting NTP Broadcast threshold
  • Response per Destination Flood Drops - Drops due to rate-limiting NTP Response per Destination threshold

DTLS

Display of drops due to DTLS thresholds:

  • Client Hello Flood from Source
  • Server Hello Flood from Source
  • Server Hello Flood from Destination

Note: Drops for these Thresholds will not show unless manual Thresholds for these parameters are set via Service Protection Policy > Thresholds > Scalars

Using the Flood Drops graphs

Using the Flood Drops graphs

Use the Flood Drops graphs to monitor drops due to SPP packet rate thresholds that detect flood attacks.

Customize the graph with the following viewing parameters: SPP, Reporting Period (1-hr to 1-yr), Linear/Logarithmic Y-Axis.

Placing the cursor on the Monitor graph will display a tool-tip with additional information.

For many parameters additional information will be see in the Traffic Monitor Graphs.

Before you begin:

  • You must have Read permission for the Monitor menu.
  • Refer to Reading Monitor graphs to understand the graphs in detail.
To display the graph:
  1. Go to Monitor > Drops Monitor > Flood Drops > [SPP] [Aggregate/Layer 3/4/7] [Y-Axis View] [Reporting Period].

The following summarizes the statistics displayed in the graphs.

Statistic

Description

Aggregate

Layer 3

Aggregation of drops due to SPP Layer 3 thresholds.

Layer 4

Aggregation of drops due to SPP Layer 4 thresholds.

Layer 7

Aggregation of drops due to SPP Layer 7 thresholds.

Layer 3

Protocols

Aggregation of drops due to protocols thresholds. These counters track the packet rate for each protocol.

Fragmented Packets

Drops due to the SPP Fragment thresholds (TCP/UDP/Other Protocols).

Source Flood

Drops due to the SPP Most Active Source (MAS) threshold. This counter tracks dropped packets from source IP addresses.

Destination Flood

Drops due to the SPP Most Active Destination (MAD) threshold. This counter tracks dropped packets to protected IP addresses.

Note: The Most Active Destination Threshold is set to system maximum by System Recommendations.

Layer 4

SYN

Drops due to the SPP SYN threshold. This counter shows drops due to SYN (Source IP) Validation for the aggregate rate of all SYNs into the SPP. Further SYN detail is available in the Traffic Monitor > Layer 4 graphs

SYN/ACK Flood in asymmetric mode

Drops due to the SPP inbound SYN/ACK threshold. This counter shows drops due to SYN/ACK for the aggregate over-threshold rate to all Protected Subnets within the SPP.

Note this Threshold is only available and graphed when:

  • FortiDDoS is in Asymmetric Mode with Asymmetric Mode Allow Inbound Synack enabled (Global Protection > Deployment)
  • SYN/ACK in Asym Mode Threshold is manually set per Service Protection Policy > Thresholds > Scalars

Further SYN/ACK in Asym Mode detail may be available in the Traffic Monitor > Layer 4 graphs.

SYN/ACK per Destination Flood in asymmetric mode

Drops due to the SPP inbound SYN/ACK per Destination threshold. This counter shows drops due to SYN/ACK per Destination for the over-threshold rate to any Protected IP within the SPP.

Note this Threshold is only available and graphed when:

  • System is in Asymmetric Mode with Asymmetric Mode Allow Inbound Synack enabled (Global Protection > Deployment)
  • SYN/ACK per Destination in Asym Mode Threshold is manually set per Service Protection Policy > Thresholds > Scalars

Further SYN/ACK per Destination in Asym Mode detail may be available in the Traffic Monitor > Layer 4 graphs.

TCP Ports

Aggregation of drops due to the SPP rate-limiting thresholds for TCP ports.

UDP Ports

Aggregation of drops due to the SPP rate-limiting thresholds for UDP ports.

ICMP Types/Codes

Aggregation of drops due to the SPP rate-limiting thresholds for ICMP types/codes.

Zombie Flood

Drops due to the SPP New Connections threshold, which sets a limit for legitimate IPs. FortiDDoS assumes a zombie flood is underway when the number of allowed legitimate IP addresses during a SYN flood exceeds a set threshold. These packets indicate that non-spoofed IP addresses are creating a DDoS attack by generating a large number SYN packets. Note: The New Connections Threshold is set to system maximum by System Recommendations.

SYN Per Source Flood

Drops due to the SPP SYN per Source threshold. This counter shows drops due to SYN per Source IP rate limiting within the SPP. No SYN Validation is done for SYN per Source. Further SYN per Source detail is available in the Traffic Monitor > Layer 4 graphs.

Connections Per Source

Drops due to the SPP Concurrent Connections per Source rate-limiting threshold.

SYN Per Destination

Drops due to the SPP SYN per Destination threshold. This counter shows drops due to SYN Validation for over-threshold Protected IPs (Destinations) within the SPP. Further SYN per Destination detail is available in the Traffic Monitor > Layer 4 graphs

Slow Connection

Drops due to SPP slow connection detection and blocking of identified sources of slow connection attacks.

Layer 7

Aggregate

Display of aggregate Flood drops for:

  • HTTP
  • SSL/TLS
  • DNS
  • NTP

HTTP

Display of Flood drops due to HTTP thresholds for:

  • Methods (GET, HEAD, OPTIONS, TRACE, POST, PUT, DELETE, CONNECT)
  • Method per Source (aggregation of any Methods per Source IP)
  • URL
  • Host
  • Referer
  • Cookie
  • User Agent

SSL/TLS

Display of drops from SSL/TLS Incomplete Request Source Flood.

DNS

Display of drops due to DNS thresholds:

  • Unsolicited DNS Response Drop - Drops when a DNS Response is received but there is no DNS Query entry in the DNS Query Response Matching (DQRM) table.
  • LQ Drops - Drops during any type of UDP Query Flood when the Query is not in the Legitimate Query (LQ) table.
  • TTL Drop - Drops during any type of UDP Query Flood when a source IP address sends a repeated DNS UDP Query for the same destination before the TTL has expired. It is expected that the query should not be repeated until the TTL expires.
  • Cache Drop - Drops during any type of UDP Query Flood when a response was served from the Cache or because a response was not found in the cache and the system is configured to drop such queries.
  • Spoofed IP Drop - Drops due UDP DNS anti-spoofing checks (Retransmission or TC=1/Force TCP)
  • Unexpected Query Drop - Drops due to Duplicate Query checks.
  • Query Per Source Drop - Drops due to the DNS UDP Query per Source threshold. This rate-limiting threshold tracks DNS UDP Query rates from source IP addresses and does not attempt Source or Query validation. .
  • Suspicious Sources Drop - Drops due to the UDP DNS Packet Track per Source threshold. This rate-limiting threshold tracks sources that demonstrate suspicious activity (a score based on heuristics that count fragmented packets, response not found in DQRM, or queries that generate responses with RCODE other than 0).
  • Fragment Drop - Drops due to rate-limiting DNS Fragment threshold for UDP traffic.
  • TCP Query Drop - Drops due to the rate-limiting DNS Query TCP threshold for TCP traffic
  • TCP Question Drop Drops due to the rate-limiting DNS Question Count TCP threshold for TCP traffic.
  • TCP MX Drop Drops due to the rate-limiting DNS MX Count TCP threshold for TCP traffic.
  • TCP All Drop Drops due to the rate-limiting DNS All TCP threshold for TCP traffic.
  • TCP Zone Transfer Drop - Drops due to the rate-limiting DNS Zone Transfer TCP threshold for TCP traffic.

NTP

Display of drops due to NTP thresholds:

  • Request Flood Drops - Drops due to rate-limiting NTP Request threshold
  • Response Flood Drops - Drops due to rate-limiting NTP Response threshold
  • Broadcast Packet Flood Drops - Drops due to rate-limiting NTP Broadcast threshold
  • Response per Destination Flood Drops - Drops due to rate-limiting NTP Response per Destination threshold

DTLS

Display of drops due to DTLS thresholds:

  • Client Hello Flood from Source
  • Server Hello Flood from Source
  • Server Hello Flood from Destination

Note: Drops for these Thresholds will not show unless manual Thresholds for these parameters are set via Service Protection Policy > Thresholds > Scalars