DTLS Profile

DTLS Overview

DTLS is essentially TLS over UDP (usually port 443).

Since DTLS uses UDP, there is no validation of the Source IP. DTLS attempts to overcome this by sending a Hello Verify message from the server to the client. Some servers and ADCs are misconfigured and skip the Hello Verify messages, sending Server Hello messages directly to unverified Sources, allowing an attacker to reflect Server Hello Messages to spoofed Source IPs – the targets of the attack.
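As an added illustration (not FortiDDoS code and not from the handbook), the following Python models the Hello Verify exchange described above: a correctly behaving server answers an unverified ClientHello only with a small, source-bound cookie, while a misconfigured server sends the large Server Hello flight to whatever source address was claimed. All addresses, the secret and the message sizes are constructed for the example.

```python
import hmac
import hashlib

# Constructed illustrative sizes in bytes (not measured values).
CLIENT_HELLO_SIZE = 100          # sent by the attacker with a spoofed source
HELLO_VERIFY_SIZE = 40           # small stateless reply carrying only a cookie
SERVER_HELLO_FLIGHT_SIZE = 3000  # ServerHello + Certificate + ... reflected to victim

SECRET = b"constructed-server-secret"  # per-server secret; constructed placeholder


def make_cookie(src_ip, src_port, secret=SECRET):
    """Stateless cookie bound to the claimed source address, as carried in a
    DTLS HelloVerifyRequest. Only a host that actually receives traffic at
    (src_ip, src_port) can echo it back in a second ClientHello."""
    msg = f"{src_ip}:{src_port}".encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()[:16]


def handle_client_hello(src_ip, src_port, cookie=b"", verify=True):
    """Server response to a ClientHello from the claimed source.
    verify=True : correct behaviour, ServerHello only after a valid cookie.
    verify=False: misconfigured server that skips HelloVerifyRequest."""
    if verify and not hmac.compare_digest(cookie, make_cookie(src_ip, src_port)):
        return {"type": "HelloVerifyRequest", "size": HELLO_VERIFY_SIZE,
                "cookie": make_cookie(src_ip, src_port)}
    return {"type": "ServerHello", "size": SERVER_HELLO_FLIGHT_SIZE}


def reflection_amplification(verify):
    """Bytes the spoofed victim receives per byte the attacker sends.
    The cookie is delivered to the spoofed address, not to the attacker,
    so a spoofed ClientHello can never carry a valid cookie."""
    victim = ("198.51.100.7", 40000)  # constructed spoofed source address
    reply = handle_client_hello(*victim, cookie=b"", verify=verify)
    return reply["size"] / CLIENT_HELLO_SIZE


if __name__ == "__main__":
    print("verifying server    :", reflection_amplification(True))   # 0.4
    print("misconfigured server:", reflection_amplification(False))  # 30.0
```

With Hello Verify in place the victim receives less than it would have to send itself; skipping it turns every spoofed ClientHello into a 30x reflected Server Hello flight, which is the traffic pattern Reflection Deny is meant to block.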

Use Case

Use the DTLS profile to configure various DTLS Anomaly and ACL parameters. A DTLS Profile can be used for all SPPs with symmetric traffic. DTLS Reflection Floods are used against all types of targets, whether or not you host or use DTLS.

The same DTLS Profile can be used by multiple SPPs but any SPP can only use one DTLS profile at a time.

You can create a maximum of 64 DTLS Profiles.

Note:

  • DTLS Protocol Check and Reflection Deny cannot be used in asymmetric traffic environments. Use DTLS Thresholds when you cannot use these DTLS parameters.
  • The default monitored DTLS port is 443 but other ports can be added in the DTLS Service Port Field in Service Protection Profiles.