Source tracking

This feature allows users to penalize a source that creates non-source-based attacks (for example, a Protocol Flood), so that a single high-volume source does not affect other legitimate sources.

Settings

Guidelines

Source Multiplier Inbound/Outbound

Applies the specified multiplier to the packet count for traffic whose source IP address the system has identified as the source of a flood. In effect, the multiplier makes traffic from that source violate thresholds sooner. The default is 2.

For example, if the most active source threshold is 100 packets per second and the source multiplier is 4, an identified source attacker violates the threshold as soon as it sends 26 packets per second (26 x 4 = 104). Because incoming traffic is more likely to be the source of a threat, you can configure different multipliers for incoming and outgoing traffic.

Layer 7 Multiplier Inbound/Outbound

Applies the specified multiplier to the packet count for traffic that the system has detected as related to a Layer 7 HTTP flood. The system tracks HTTP headers (URL or Host, Referer, Cookie, or User-Agent) and associates traffic carrying matching headers with the attack. The default is 2.

Note: When both the Source flood and Layer 7 flood conditions are met, the packet count multipliers are compounded. For example, during a User-Agent flood attack, a source is sending requests with a User-Agent header that is already in flood. If the Source multiplier is 4 and the Layer 7 multiplier is 64, the total multiplier applied to such traffic is 4 x 64 = 256. In effect, each time the source sends a Layer 7 packet with that particular User-Agent header, FortiDDoS counts the packet as the equivalent of 256 packets.
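The following is an added worked example of the weighting described above; it is not FortiDDoS code and the counter model (a strict "greater than threshold" check, a single one-second window, and the constructed IP and header values) is an assumption used only to illustrate how the two multipliers combine.

```python
from dataclasses import dataclass, field

@dataclass
class SourceTracker:
    """Assumed model of a per-source packet counter with flood multipliers.
    Not FortiDDoS internals; it only reproduces the arithmetic in the handbook."""
    threshold_pps: int                 # most-active-source threshold (packets/second)
    source_multiplier: int = 2         # page default
    layer7_multiplier: int = 2         # page default
    flood_sources: set = field(default_factory=set)  # IPs already identified as flood sources
    flood_headers: set = field(default_factory=set)  # header values tied to an L7 flood
    counts: dict = field(default_factory=dict)       # weighted packets seen this window

    def weight(self, src_ip, header=None):
        """Effective packets one real packet counts for; multipliers compound."""
        m = 1
        if src_ip in self.flood_sources:
            m *= self.source_multiplier
        if header is not None and header in self.flood_headers:
            m *= self.layer7_multiplier
        return m

    def observe(self, src_ip, header=None):
        """Record one packet and return the source's weighted count so far."""
        self.counts[src_ip] = self.counts.get(src_ip, 0) + self.weight(src_ip, header)
        return self.counts[src_ip]

    def violates(self, src_ip):
        # Assumption: a violation is a weighted count strictly above the threshold.
        return self.counts.get(src_ip, 0) > self.threshold_pps

def pps_to_violate(tracker, src_ip, header=None):
    """Smallest real packets-per-second at which src_ip violates the threshold."""
    tracker.counts.clear()
    sent = 0
    while not tracker.violates(src_ip):
        tracker.observe(src_ip, header)
        sent += 1
    return sent

if __name__ == "__main__":
    # Constructed values: documentation-range IP and a made-up User-Agent string.
    t = SourceTracker(100, source_multiplier=4, layer7_multiplier=64,
                      flood_sources={"198.51.100.7"}, flood_headers={"ua-flood"})
    print(pps_to_violate(t, "198.51.100.7"))          # 26, matching the handbook example
    print(t.weight("198.51.100.7", "ua-flood"))       # 256 = 4 x 64 when both conditions hold
    print(pps_to_violate(t, "203.0.113.9"))           # 101: an unflagged source is not penalized
```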

To configure using the CLI:

config ddos spp rule
    edit <spp_name>
        set source-multiplier-inbound <integer>
        set source-multiplier-outbound <integer>
        set layer-7-multiplier-inbound <integer>
        set layer-7-multiplier-outbound <integer>
    next
end