
Blocking settings

Settings and guidelines

Blocking Period for All Attacks

When an attack threshold is triggered, traffic from any Source IPs sending this type of traffic is blocked for this period of time. This provides the system an opportunity to Source Track all Sources associated with this attack. If a Source does not exceed Source Tracking thresholds during this time, it is unblocked immediately.

The default is 15 seconds. The valid range is 1 to 15 s.

During the blocking period above, Sources identified by Source Tracking will be further blocked for the duration of the Blocking Period for Identified Sources, described below.

Blocking Period for Identified Sources

How long to block all traffic from a source IP address identified by Source Tracking during the initial Blocking Period above.

The default is 60 seconds. The valid range is 1 to 255 s.

While the initial blocking period above is in effect after an attack threshold is triggered, the system multiplies the packet rate from any blocked source by the value of the source multiplier. If the calculated rate exceeds the value of the most-active-source threshold, the system identifies the IP address of the source as a source attacker and blocks that Source for the period entered here (extending the initial blocking period). At the end of this Blocking Period, the Source IP traffic is evaluated again by the criteria below.

Extended Blocking Period for Identified Sources

If a blocked Source IP continues to send attack traffic and exceeds the number of dropped packets described below, during the Blocking Period above, the blocking period is again extended by this Extended Blocking Period.

The default is 60 seconds. The valid range is 1 to 255 s.

At the end of this Extended Blocking Period, the Source IP is evaluated again against the same drops-per-period criteria and remains blocked for further Extended Blocking Periods until its drop count falls below the Drop Threshold.

Drop Threshold to Extend Blocking Period for Identified Sources

Number of dropped packets that trigger the extended blocking period. The default is 5,000 dropped packets.

The multiple Blocking Periods described above minimize false positives. For example, if the system sees a Fragment Threshold crossed, it blocks all the Source IPs sending fragments for the initial Blocking Period while evaluating all the Sources. If a Source is sending at a lower fragment rate than the Source Tracking rate, it is released after no longer than 15 seconds (default) and usually much faster than that. Sources identified by Source Tracking as over-threshold are immediately blocked for the duration of the Blocking Period for Identified Sources (60 s default). At the end of that period, if those Sources have fallen below the Drop Threshold count, they are unblocked. If they exceed the Drop Threshold count, they are blocked for the duration of the Extended Blocking Period (60 s default) and evaluated again, remaining blocked until their drop count declines below the Drop Threshold.
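The blocking sequence above, modelled as an added Python example (not Fortinet code): it enforces the documented ranges and walks one source IP through the initial Blocking Period, Source Tracking, and the Identified and Extended periods. The source multiplier and most-active-source threshold values, the per-period drop counts, and the assumption that the Identified Sources period starts at the moment of identification are all constructed assumptions, not values from the handbook.

```python
from dataclasses import dataclass


@dataclass
class BlockingSettings:
    # Names, defaults and ranges follow the handbook text above.
    blocking_period: int = 15           # Blocking Period for All Attacks, 1-15 s
    source_blocking_period: int = 60    # Blocking Period for Identified Sources, 1-255 s
    extended_blocking_period: int = 60  # Extended Blocking Period for Identified Sources, 1-255 s
    drop_threshold: int = 5000          # drops in a period that extend the block
    # Source Tracking parameters are mentioned but not valued on the page: assumed values.
    source_multiplier: int = 10
    most_active_source_threshold: int = 1000

    def __post_init__(self):
        if not 1 <= self.blocking_period <= 15:
            raise ValueError("blocking-period must be 1..15 s")
        for name in ("source_blocking_period", "extended_blocking_period"):
            if not 1 <= getattr(self, name) <= 255:
                raise ValueError(f"{name} must be 1..255 s")


def settings_valid(**kwargs):
    # True if the given CLI values fall inside the documented ranges.
    try:
        BlockingSettings(**kwargs)
        return True
    except ValueError:
        return False


def block_timeline(cfg, rate_pps, tracked_at, drops_per_period):
    """Seconds one source IP stays blocked, plus the stages it passed through.
    rate_pps: packet rate seen from this source during the initial period.
    tracked_at: seconds into the initial period when Source Tracking evaluates it.
    drops_per_period: constructed drop counts for each successive Identified/Extended period.
    Assumption: the Identified Sources period starts at the moment of identification.
    """
    tracked_at = min(tracked_at, cfg.blocking_period)  # evaluation cannot outlast the initial period
    if rate_pps * cfg.source_multiplier <= cfg.most_active_source_threshold:
        return tracked_at, ["released by Source Tracking"]  # unblocked immediately
    total = tracked_at + cfg.source_blocking_period
    stages = ["identified: Blocking Period for Identified Sources"]
    for drops in drops_per_period:
        if drops <= cfg.drop_threshold:
            stages.append(f"unblocked ({drops} drops, not above threshold)")
            return total, stages
        total += cfg.extended_blocking_period  # drops exceeded the threshold: extend
        stages.append(f"extended ({drops} drops above threshold)")
    stages.append("unblocked (no further drops recorded)")
    return total, stages
```

With the defaults, a source identified 3 s into the attack that keeps exceeding the drop threshold for two periods stays blocked for 3 + 60 + 60 + 60 = 183 s, while a low-rate source is released at the 3 s mark.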


To configure using the CLI:

config ddos spp rule
    edit <spp_name>
        set blocking-period <int>
        set source-blocking-period <int>
        set extended-blocking-period <int>
        set drop-threshold-within-blocking-period <int>
    next
end
