Product features

The following features make FortiDDoS the best in its class:

Purpose-built for low latency and rapid response

The patented combination of high-performance platforms and heuristics allows you to deploy the FortiDDoS appliance inline between the external network and protected services, where it maintains high packet processing rates even when under attack. FortiDDoS features very low latency, and identifies and begins responding to attacks within 2 seconds or less.

Massive-scale SYN, DNS, NTP, and Reflected UDP flood mitigation

Among others, SYN, DNS, NTP and UDP Reflected flood mitigation techniques not only protect your network from DDoS attacks but, importantly, enable your business to continue to serve legitimate client purposes during attacks.

Flexible Network Environments

FortiDDoS operates inline with one or more Internet links at the very edge of your local network. It has neither IP nor MAC addresses in the data path and is invisible to attackers. It fully supports asymmetric networks with:

  • 2 or more links passing through the FortiDDoS
  • The main inbound link passing through and the main outbound link bypassing FortiDDoS
  • A FortiDDoS on each of the asymmetric links

FortiDDoS supports High Availability in a unique way. The Primary appliance or VM controls most configuration items, particularly Thresholds and service features, but both devices pass traffic. This allows traffic to work in failover mode or active-active on 2 devices.

Initial learning periods

FortiDDoS learns based on inbound and outbound traffic rates for more than 230,000 parameters. First, deploy the system in Learning Mode (Detection Mode with no Thresholds), where the system learns traffic patterns without dropping any packets.

At the end of the initial learning period, create system-recommended thresholds from the learned traffic. Continue to use Detection Mode to review logs for false positives and false negatives. As needed, adjust thresholds and monitor the results.

When you are satisfied with the system settings, change to Prevention Mode. In Prevention Mode, the appliance validates and drops packets based on the set Thresholds, and other parameters such as anomalies and ACLs.
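The following is an added illustrative model of the learn, detect, prevent workflow described above, including the hypothetical drop count that Detection Mode reports; it is teaching code, not FortiDDoS code. The parameter names and the "peak learned rate times headroom" rule for recommending a threshold are assumptions made for the example; how FortiDDoS derives its System Recommended Thresholds is not described on this page.

```python
"""Toy model of per-parameter rate thresholds across Learning, Detection and
Prevention modes. Added example, not FortiDDoS code. The threshold rule
(peak learned rate * headroom) and the parameter names are assumptions."""
from collections import defaultdict
from enum import Enum


class Mode(Enum):
    LEARNING = "learning"      # Detection Mode with no Thresholds: observe only
    DETECTION = "detection"    # thresholds set; excess is counted, not dropped
    PREVENTION = "prevention"  # thresholds enforced; excess packets are dropped


class RateGuard:
    def __init__(self, headroom=1.5):
        self.headroom = headroom            # ASSUMPTION: margin above learned peak
        self.mode = Mode.LEARNING
        self.peak = defaultdict(int)        # parameter -> max packets per interval seen
        self.thresholds = {}                # parameter -> packets per interval allowed
        self.hypothetical_drops = defaultdict(int)   # what Detection Mode would drop
        self.drops = defaultdict(int)                # what Prevention Mode did drop

    def learn(self, interval_counts):
        """Record per-parameter packet counts for one interval (Learning Mode)."""
        for param, n in interval_counts.items():
            self.peak[param] = max(self.peak[param], n)

    def recommend_thresholds(self):
        """Turn learned peaks into thresholds and move to Detection Mode."""
        self.thresholds = {p: int(v * self.headroom) for p, v in self.peak.items()}
        self.mode = Mode.DETECTION
        return dict(self.thresholds)

    def set_threshold(self, param, value):
        """Manual tuning after reviewing false positives and false negatives."""
        self.thresholds[param] = value

    def prevent(self):
        self.mode = Mode.PREVENTION

    def process(self, interval_counts):
        """Apply thresholds to one interval; return packets forwarded per parameter."""
        forwarded = {}
        for param, n in interval_counts.items():
            limit = self.thresholds.get(param)          # unknown parameter: no limit
            excess = max(0, n - limit) if limit is not None else 0
            if self.mode is Mode.PREVENTION:
                self.drops[param] += excess
                forwarded[param] = n - excess
            else:
                self.hypothetical_drops[param] += excess  # reported, nothing dropped
                forwarded[param] = n
        return forwarded
```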

Continuous learning

FortiDDoS begins learning traffic patterns as soon as it begins monitoring traffic, and it never stops learning. It continuously analyzes traffic rates and dynamically adjusts the thresholds that differentiate between legitimate traffic volume and attacks. At any time, you can request new Traffic Statistics Reports for any period from 1 hour to 1 year prior to the current time, compare them with previous reports, and/or convert them to new System Recommended Thresholds.

Machine Learning Adaptive Thresholds

27 of the most important FortiDDoS Thresholds continuously adapt based on machine learning algorithms that examine the last 6 weeks of traffic. The algorithms are fully autonomous but can be adjusted by the user for their circumstances. Adaptive Thresholds are intended to compensate for “seasonal” and special-event changes in traffic without forcing the user to make manual adjustments.

Zero Day attack prevention with granular attack detection and prevention

FortiDDoS’ massively parallel processing allows monitoring of parameters no one has thought of to create attacks – yet. Within the 230,000 parameters monitored, FortiDDoS protects all 256 Layer 3 Protocols, not just a few as competitors and ISP mitigation do. FortiDDoS specifically protects more than 10,000 UDP Source Ports that can be used for Reflections, even though only about 25 ports are known reflectors in 2020 and no competitor automatically monitors even those 25 ports.

Administrators do not need to intervene, and the appliance is “on guard” 24/7, automatically protecting your network systems and bandwidth.

Granular attack detection thresholds

100% packet inspection from Layer 3 to Layer 7 (no sampling) ensures even single anomalous packets are seen and dropped, reducing network scans and other “junk” traffic.

Deep packet inspection

FortiDDoS architecture enables deep packet inspection. FortiDDoS can identify header fields in HTTP, DNS and NTP packets and maintain specific thresholds for all 8 HTTP Methods as well as URLs, Hosts, Cookies, Referrers and User Agents. FortiDDoS inspects DNS and NTP header and payload packets, evaluating both packet rates and the per-packet anomalies used by attackers. This granularity enables very accurate mitigation of attacks without disrupting legitimate traffic.

Source validation address matching and Response matching

Proprietary algorithms validate sources of SYN and DNS Query floods to eliminate spoofed sources while allowing legitimate users. DNS and NTP algorithms validate individual Responses to stop DNS and NTP Reflected Response attacks from the first packet while maintaining service for your users and clients.

Service Protection Policies (SPPs)

FortiDDoS supports from 4 to 16 Service Protection Policies (SPPs), which contain independent sets of protections for L3-L7 anomalies, validation and Thresholds for more than 230,000 parameters in each direction. Web servers use different thresholds and settings than email servers or firewalls. ISPs use different thresholds than enterprises.

Each SPP supports from 512 to 1023 Protection Subnets depending on the model, and each subnet can range from a single IPv4 /32 or IPv6 /128 to larger than a /16. SPPs support IPv4 and IPv6 simultaneously. Each Service Protection Policy learns traffic rates independently for all 230,000 parameters in each direction.

ACLs

While ACLs are not normally used for DDoS mitigation since most attacks use spoofed Source IPs, FortiDDoS architecture supports a wide range of high-performance ACLs that can be used to offload other network infrastructure. These include many thousands of ACLs for IPs, subnets, TCP and UDP Source and/or Destination Ports, Protocols, DNS Resource Records and others.

Cloud signaling

Cloud Signaling allows you to use Fortinet's global DDoS cloud mitigation service Partners to assist with attacks that exceed the capacity of your Internet links.

FortiDDoS also supports Flowspec scripts that can be forwarded to ISPs to help them mitigate specific large attacks.

Intuitive analysis tools and reports

The 100% on-box reporting tools enable graphical analysis of network traffic history from five minutes to one year. You can analyze traffic profiles using a broad range of Layer 3, 4 or 7 parameters. With just a few clicks, you can create intuitive and useful reports such as top attackers, top attacks, top attack destinations, top connections, and so on.

Viewing traffic monitor graphs

Traffic monitor graphs display trends in throughput rates and drop counts due to threat prevention actions. In Detection Mode, the drop count is hypothetical, but useful as you tune detection thresholds.

External Reporting

FortiDDoS supports a flexible suite of syslog and SNMP traps to allow external reporting and storage of attack information.