Top Attacks

The DDoS Top Attacks dashboard gives you insight into the attacks that have been mitigated by the Global or any SPP security posture.

Dashboard: TOP ATTACKS > Global

The Global dashboard displays a summary of drop events caused by any ACL created via the following:

  • Global Protection > Access Control List entries, including:

    • IPv4/IPv6 IP/subnets

    • IPv4/IPv6 IP/subnet groups

    • IPv4/IPv6 Services (Protocols or Layer 4 TCP or UDP Ports)

    • IPv4/IPv6 Service Groups

  • Global Protection > Blocklist IPv4 files/entries

  • Global Protection > Blocklist Domain files/entries

Summary page

Column | Description
Attack | Description of the drop event type.
Drops | Count of all drops for all matching events for the Period.
Events | Number of events for the Period.
(Detail icon) | Click to display a summary list of all events associated with that attack event type.

Filter the Summary tables with the following settings:

Setting

Description

Direction

Select the direction from the drop-down menu:

  • Inbound

  • Outbound

Inbound is the default direction.

Period

Select the period from the drop-down menu:

  • 1 Hour

  • 8 Hours

  • 1 Day (24 hours)

  • 1 Week

  • 1 Month

  • 1 Year

1 Hour is the default period.

Note: All periods are calculated backwards from the current time.

Click the (PDF icon) to produce a PDF version of the Summary page with the table and pertinent system information.

From the Details tab, you can view the Summary event list. Click the (Detail icon) to view further detail per item. The example shown below is a pre-filtered view of the Log & Report: LOG ACCESS > Logs: DDoS Attack Log page. For more information on the contents of the tables, see Working with the FortiDDoS attack log.

Dashboard: TOP ATTACKS > SPP

The Top Attacks > SPP page offers a number of tables with attack event summaries pre-sorted in different ways for concise information.

Filter the SPP tables with the following settings:

Setting

Description

Direction

Select the direction from the drop-down menu:

  • Inbound

  • Outbound

Inbound is the default direction.

Period

Select the period from the drop-down menu:

  • 1 Hour

  • 8 Hours

  • 1 Day (24 hours)

  • 1 Week

  • 1 Month

  • 1 Year

1 Hour is the default period.

Note: All periods are calculated backwards from the current time.

SPP

Drop-down of configured SPP names plus default SPP.

Click the (PDF icon) to produce a PDF version of the page with all associated tables and pertinent system information.

SPP Tables

Top Attacked SPPs

No matter which SPP is selected in the filter, this table shows a summary of all drops for all SPPs configured in the system.

Column | Description
SPP | SPP Name.
Direction | Inbound/Outbound based on the option at the top of the Top Attacks page.
Drops | Drop counts for all events for the SPP based on the Period option at the top of the Top Attacks page.
Events | Number of all events for the selected SPP and Period.
(Detail icon) | Opens a pre-filtered Attack Log summary list with event summaries. Within the summary list, you can drill down further with the (Detail icon) for more information.

Top Attacks Detail attack log summary list:

Top SPPs with Denied Packets

No matter which SPP is selected in the filter, this table shows a summary of all ACL drops for all SPPs configured in the system.

In the example below, ACLs have been configured in the Service Protection Profile (not Global).

Column | Description
SPP | SPP Name.
Direction | Inbound/Outbound based on the option at the top of the Top Attacks page.
Drops | Drop counts for all events for the SPP based on the Period option at the top of the Top Attacks page.
Events | Number of all events for the selected SPP and Period.
(Detail icon) | Opens a pre-filtered Attack Log summary list with event summaries. Within the summary list, you can drill down further with the (Detail icon) for more information.

Top Attacks

Displays the Top Attacks over the Period for the selected SPP.

Column | Description
Attack | Attack event name.
SPP | SPP Name.
Drops | Drop counts for all events for the SPP based on the Period option at the top of the Top Attacks page.
Events | Number of all events for the selected SPP and Period.
(Detail icon) | Opens a pre-filtered Attack Log summary list with event summaries. Within the summary list, you can drill down further with the (Detail icon) for more information.

Top ACL Attacks

Displays the Top ACL Attacks over the Period for the selected SPP.

Column | Description
Attack | Attack event name.
SPP | SPP Name.
Drops | Drop counts for all events for the SPP based on the Period option at the top of the Top Attacks page.
Events | Number of all events for the selected SPP and Period.
(Detail icon) | Opens a pre-filtered Attack Log summary list with event summaries. Within the summary list, you can drill down further with the (Detail icon) for more information.

Top Attacked Destinations

Displays the Top Attacks per Protected IP address over the Period, contained in the Protection Subnets for the selected SPP.

Column | Description
Protected IP | The Destination IP for inbound drops; the Source IP for outbound drops.
SPP | SPP Name.
Drops | Drop counts for all events for the SPP based on the Period option at the top of the Top Attacks page.
Events | Number of all events for the selected SPP and Period.
(Detail icon) | Opens a pre-filtered Attack Log summary list with event summaries. Within the summary list, you can drill down further with the (Detail icon) for more information.

Top Attacked HTTP Servers

Displays the Top Attacks per Protected IP address for HTTP Servers in the SPP, over the Period.

This table includes any dropped traffic destined to Port 80 or any customer-defined HTTP Service Port. The IP addresses shown here may not be HTTP servers, since attackers can send traffic to Port 80 on non-HTTP servers in an attempt to evade protections.

Column | Description
IP | The Destination IP for inbound drops; the Source IP for outbound drops.
SPP | SPP Name.
Drops | Drop counts for all events for the SPP based on the Period option at the top of the Top Attacks page.
Events | Number of all events for the selected SPP and Period.
(Detail icon) | Opens a pre-filtered Attack Log summary list with event summaries. Within the summary list, you can drill down further with the (Detail icon) for more information.

Top Attackers

Displays the Top Attacks per identified Source IP address for the SPP over the Period.

This table includes any dropped traffic from attack events that provide Source IP information. Use the (Detail icon) to open a summary list, then the (Detail icon) on each line of the summary list to get complete details of the Source IP and attack event.

Column | Description
IP | The Destination IP for inbound drops; the Source IP for outbound drops.
SPP | SPP Name.
Drops | Drop counts for all events for the SPP based on the Period option at the top of the Top Attacks page.
Events | Number of all events for the selected SPP and Period.
(Detail icon) | Opens a pre-filtered Attack Log summary list with event summaries. Within the summary list, you can drill down further with the (Detail icon) for more information.

Top Attacked Protocols

Displays the Top Attacked Layer 3 Protocols for the SPP over the Period.

This table is specific to Protocol Threshold violations; it does not include drops from other types of attacks. For example, a UDP Port flood is shown in the Top Attacked UDP Ports table and will not appear here.

Column | Description
Protocol | The Protocol number and name (if available).
SPP | SPP Name.
Drops | Drop counts for all events for the SPP based on the Period option at the top of the Top Attacks page.
Events | Number of all events for the selected SPP and Period.
(Detail icon) | Opens a pre-filtered Attack Log summary list with event summaries. Within the summary list, you can drill down further with the (Detail icon) for more information.

Top Attacked TCP Ports

Displays the Top Attacked TCP Ports for the SPP over the Period. The table specifically shows drops from TCP Port Threshold violations.

Column | Description
Port | The TCP Port number and any known applications associated with that port.
SPP | SPP Name.
Drops | Drop counts for all events for the SPP based on the Period option at the top of the Top Attacks page.
Events | Number of all events for the selected SPP and Period.
(Detail icon) | Opens a pre-filtered Attack Log summary list with event summaries. Within the summary list, you can drill down further with the (Detail icon) for more information.

Top Attacked UDP Ports

Displays the Top Attacked UDP Ports for the SPP over the Period.

Column | Description
Port | The UDP Port number and any known applications associated with that port.
SPP | SPP Name.
Drops | Drops from UDP Port Threshold violations. This may include:
  • Destination (Protected) Ports for inbound drops.
  • Source (Reflection) Ports for inbound drops from UDP Ports 1-9999 and any UDP Service Ports configured in the system.
Events | Number of all events for the selected SPP and Period.
(Detail icon) | Opens a pre-filtered Attack Log summary list with event summaries. Within the summary list, you can drill down further with the (Detail icon) for more information about what caused the drops.
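The Period, Direction, Protected IP and UDP port rules stated for the Top Attacked Destinations and Top Attacked UDP Ports tables, as an added Python example that is not FortiDDoS code: it rebuilds those summaries (and Top Attacked SPPs) from constructed attack-log records so the counting rules can be checked offline. The record fields, the 30-day and 365-day lengths assumed for 1 Month and 1 Year, and the set of configured UDP Service Ports are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Fixed "current time" so the example is reproducible; the dashboard uses the live clock.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)

# Period names from the drop-down, each a window counted backwards from NOW
# (1 Month = 30 days and 1 Year = 365 days are assumptions, not the product's definition).
PERIODS = {
    "1 Hour": timedelta(hours=1), "8 Hours": timedelta(hours=8),
    "1 Day": timedelta(days=1), "1 Week": timedelta(weeks=1),
    "1 Month": timedelta(days=30), "1 Year": timedelta(days=365),
}

# Assumed UDP Service Ports configured on the system; counted as reflection ports alongside 1-9999.
CONFIGURED_UDP_SERVICE_PORTS = {10000, 12345}

def _ev(age_min, spp, direction, proto, src, dst, sport, dport, drops):
    """Build one constructed log record (not the FortiDDoS log format); age_min is minutes before NOW."""
    return {"ts": NOW - timedelta(minutes=age_min), "spp": spp, "dir": direction, "proto": proto,
            "src": src, "dst": dst, "sport": sport, "dport": dport, "drops": drops}

# Constructed sample records using documentation IP ranges.
SAMPLE_EVENTS = [
    _ev(5, "SPP-1", "inbound", "udp", "203.0.113.7", "192.0.2.10", 53, 40000, 1200),
    _ev(20, "SPP-1", "inbound", "udp", "198.51.100.9", "192.0.2.10", 55555, 123, 300),
    _ev(45, "SPP-1", "inbound", "tcp", "198.51.100.3", "192.0.2.11", 44444, 80, 900),
    _ev(90, "SPP-1", "inbound", "tcp", "198.51.100.4", "192.0.2.11", 44445, 80, 700),
    _ev(10, "SPP-2", "inbound", "udp", "203.0.113.8", "192.0.2.50", 123, 9999, 400),
    _ev(15, "SPP-1", "outbound", "udp", "192.0.2.12", "203.0.113.9", 40000, 53, 50),
]

def in_scope(events, period, direction="inbound", now=NOW):
    """Apply the Direction and Period filters; the window runs backwards from now."""
    start = now - PERIODS[period]
    return [e for e in events if e["dir"] == direction and start <= e["ts"] <= now]

def protected_ip(e):
    """Destination IP for inbound drops, Source IP for outbound drops."""
    return e["dst"] if e["dir"] == "inbound" else e["src"]

def udp_port_keys(e):
    """Ports an inbound UDP drop is attributed to: the destination (protected) port, plus
    the source port when it is a likely reflection port (1-9999 or a configured UDP
    Service Port). Non-UDP and outbound records contribute nothing to this table."""
    if e["proto"] != "udp" or e["dir"] != "inbound":
        return []
    keys = [("dst", e["dport"])]
    if 1 <= e["sport"] <= 9999 or e["sport"] in CONFIGURED_UDP_SERVICE_PORTS:
        keys.append(("src", e["sport"]))
    return keys

def top_table(events, keys_fn):
    """Sum Drops and count Events per key; rows are (key, drops, events), most drops first."""
    drops, count = defaultdict(int), defaultdict(int)
    for e in events:
        for k in keys_fn(e):
            drops[k] += e["drops"]
            count[k] += 1
    return sorted(((k, drops[k], count[k]) for k in drops), key=lambda r: (-r[1], str(r[0])))

def top_attacked_spps(events, period, direction="inbound"):
    """Top Attacked SPPs: every SPP in the system, whatever the SPP filter is set to."""
    return top_table(in_scope(events, period, direction), lambda e: [e["spp"]])

def top_attacked_destinations(events, spp, period, direction="inbound"):
    """Top Attacked Destinations for one SPP, keyed by Protected IP."""
    scoped = [e for e in in_scope(events, period, direction) if e["spp"] == spp]
    return top_table(scoped, lambda e: [protected_ip(e)])

def top_attacked_udp_ports(events, spp, period):
    """Top Attacked UDP Ports for one SPP; the page states the rule for inbound drops only."""
    scoped = [e for e in in_scope(events, period, "inbound") if e["spp"] == spp]
    return top_table(scoped, udp_port_keys)
```

Switching the period from 1 Hour to 8 Hours pulls the 90-minute-old SYN drops into scope and changes which Protected IP ranks first, which is the effect the "calculated backwards from the current time" note describes.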

Top Attacked ICMP Types/Codes

Displays the Top Attacked ICMP Types and Codes for the SPP over the Period.

Column | Description
Type:Code | The Type (0-255) and Code (0-255) of the drops.
SPP | SPP Name.
Drops | Drop counts for all events for the SPP based on the Period option at the top of the Top Attacks page.
Events | Number of all events for the selected SPP and Period.
(Detail icon) | Opens a pre-filtered Attack Log summary list with event summaries. Within the summary list, you can drill down further with the (Detail icon) for more information.

Top Attacked HTTP URLs | Hosts | Cookies | Referers | User Agents

Displays the Top Attacked HTTP URLs | Hosts | Cookies | Referers | User Agents for the SPP over the Period.

Column | Description
HTTP URL | The hashed index number of the HTTP URLs, Hosts, Cookies, Referers, and User Agents. This does not include the full text. If you need assistance with the various HTTP hashes, contact FortiCare.
SPP | SPP Name.
Drops | Drop counts for all events for the SPP based on the Period option at the top of the Top Attacks page.
Events | Number of all events for the selected SPP and Period.
(Detail icon) | Opens a pre-filtered Attack Log summary list with event summaries. Within the summary list, you can drill down further with the (Detail icon) for more information.

Top Attacked HTTP Methods

Displays the Top Attacked HTTP Methods for the SPP over the Period.

Column | Description
HTTP Method | Which of the 8 HTTP Methods were used in the attack: GET, POST, HEAD, OPTIONS, TRACE, PUT, CONNECT, DELETE.
SPP | SPP Name.
Drops | Drop counts for all events for the SPP based on the Period option at the top of the Top Attacks page.
Events | Number of all events for the selected SPP and Period.
(Detail icon) | Opens a pre-filtered Attack Log summary list with event summaries. Within the summary list, you can drill down further with the (Detail icon) for more information.

Top Attacked DNS Servers

Displays the Top Attacked DNS Servers in the SPP over the Period.

This table displays any drops associated with UDP or TCP Destination or Source Port 53, including Query and Response Thresholds, DNS Anomalies, Query/Response matching, etc.

Attackers use various DNS attacks against many types of infrastructure and services, so the Protected IPs shown in the IP column may not be DNS servers. Use the (Detail icon) for further information.

Column | Description
IP | The Destination IP for inbound drops; the Source IP for outbound drops.
SPP | SPP Name.
Drops | Drop counts for all events for the SPP based on the Period option at the top of the Top Attacks page.
Events | Number of all events for the selected SPP and Period.
(Detail icon) | Opens a pre-filtered Attack Log summary list with event summaries. Within the summary list, you can drill down further with the (Detail icon) for more information.
