Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Handbook

    6.4.1
    7.0.3
    7.0.1
    7.0.0
    6.6.3
    6.6.3
    6.6.1
    6.6.0
    6.5.1
    6.5.0
    6.4.1
    6.4.0
    6.3.3
    6.3.2
    6.3.1
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.1

    A typical workflow for investigating FortiDDoS attack events

    A typical workflow for investigating FortiDDoS attack events

    Whenever there is an attack, you should investigate until you fully understand why packets were dropped, and you know whether the attack event is a false positive.

    A typical FortiDDoS attack investigation includes the following steps:

    1. Identify the destination and source.
    2. Identify the type of attack.
    3. Identify the attack size.
    4. Analyze Layer 3, Layer 4, and Layer 7 parameters to understand the attack method.

    Step 1: Identifying the destination and source

    Most of the statistics graphs identify the SPP and the direction of the attack, so, if there is only one subnet in the attacked SPP, you can easily determine the attack destination.

    If the SPP contains more than one subnet, you can use the following reports to determine the attack destinations and sources:

    • Top Attacks dashboard
    • Log & Report > Log Access > Logs > DDoS Attack Log

    Note: DDoS attacks are often spoofed attacks. Source information is not provided as it is irrelevant.

    Step 2: Identifying the type of attack

    If the SPP contains more than one subnet, you can use the following reports to determine the attack type:

    Top Attacks dashboard

    Dashboard > Status > Attack Logs

    FortiView > SPP > {SPP Rule} > Attacks tab

    Log & Report > Log Access > Logs > DDoS Attack Log

    The following table describes DDoS attack types and identifies the FortiDDoS events to look for.

    Types of attacks

    Attack

    Description

    Threshold to configure/adjust

    Events to watch

    SYN Attack

    A spike in packets on a specific TCP port. In most cases, the source address is spoofed.

    Layer 3 - TCP protocol (6)

    Layer 4 - TCP ports on which the server is listening

    Layer 4 - SYN

    Layer 4 - New connections

    Protocol 6 Flood

    SYN Flood

    Zombie Flood

    TCP Port Flood

    Source Flood

    A single source sends excessive number of IP Packets

    Layer 3 – Most Active Source

    Source Flood

    Zombie Attack

    A spike in TCP packets from Legitimate IP addresses

    Layer 3 – TCP protocol (6)

    Layer 4 – TCP ports on which the server is listening

    Layer 4 – SYN

    Layer 4 - SYN per source (syn-per-src)

    Layer 4 - New connections

    Layer 3 Protocol 6

    SYN Flood

    Zombie Flood

    Port Flood

    SYN Flood from Source

    Fragment Flood

    Excessive number of fragmented packets

    Layer 3 – Other Protocols Fragment

    Layer3 – TCP Fragment

    Layer 3 – UDP Fragment

    Other Protocols Fragment Flood

    TCP Fragment Flood

    UDP Fragment Flood

    Protocol Flood

    ICMP Flood

    An Excessive number of ICMP Packets

    Layer 3 – ICMP protocol (1)

    Layer 4 – ICMP type and code

    Protocol 1 Flood

    Layer 4 ICMP Flood of a specific type and code

    Smurf Attack

    Traffic that appears to originate from the target server’s own IP address or somewhere on its network. Targeted correctly, it can flood the network with pings and multiple responses.

    Layer 3 – ICMP protocol (1)

    Layer 4 – ICMP type and code combinations that are allowed by the firewall and ACL

    Protocol 1 Flood

    ICMP Flood of Echo-Request/Response Type (Type= 0, Code = 0)

    MyDoom Attack

    Excessive number of HTTP packets zombies

    Layer 3 – TCP protocol (6)

    Layer 4 – TCP port 80

    Layer 4 – SYN

    Layer 4 – New connections

    Protocol 6 Flood

    SYN Flood

    Zombie Flood

    TCP Port Flood

    HTTP GET Attack

    Excessive number of HTTP GET Method packets

    Layer 3 – TCP protocol (6)

    Layer 4 – TCP ports on which the server is listening

    Layer 4 – SYN

    Layer 4 – New connections

    Layer 4 – Concurrent connections per source

    Layer 7 – HTTP Methods

    Layer 7 – URL

    Protocol 6 Flood

    SYN Flood

    TCP Zombie Flood

    TCP Port Flood

    Concurrent Connections per Source Flood

    HTTP Method Flood

    URL Flood

    Slow Connection Attack

    Legitimate IP sources send legitimate TCP connections but do it slowly and remain idle, which fills up the server’s connection table memory.

    Layer 3 – TCP protocol (6)

    Layer 4 – TCP ports on which the server is listening

    Layer 4 – SYN

    Layer 4 – New connections

    Layer 4 - Concurrent connections per source

    Protocol 6 Flood

    SYN Flood

    Zombie Flood

    TCP Port Flood

    Concurrent Connections per Source

    UDP Flood Attack

    An excessive number of UDP packets.

    Layer 3 – UDP protocol (17)

    Layer 4 – UDP ports on which the server is listening

    Protocol 17 Flood

    UDP Port Flood

    Slammer Attack

    An excessive number of packets on UDP port 1434

    Layer 3 – UDP protocol (17)

    Layer 4 – UDP ports 1434

    Protocol 17 Flood

    UDP Port 1434 Flood

    Fraggle Attack

    Spoofed UDP packets to a list of broadcast addresses. Usually the packets are directed to port 7 on the target machines, which is the echo port. Other times, it is directed to the CHARGEN port. Sometimes a hacker is able to set up a loop between the echo and CHARGEN port.

    Layer 3 – ICMP protocol (1)

    Layer 3 – UDP protocol (17)

    Layer 4 – UDP echo port (7)

    Layer 4 – Daytime Protocol port (13)

    Layer 4 – Quote of the Day (QOTD) port (17)

    Layer 4 – UDP Character Generator protocol (CHARGEN) (19)

    Layer 4 – ICMP Type/Codes specific to host/port not available

    Protocol 1 Flood

    Protocol 17 Flood

    UDP Port 7 Flood

    UDP Port 13 Flood

    UDP Port 17 Flood

    UDP Port 19 Flood

    ICMP Flood of Port Not Available Type, Code (3,3)

    ICMP Flood of Host Not Available Type, Code (3,1)

    DNS Port Flood

    An excessive number of packets on UDP port 53

    Layer 3 - UDP protocol (17)

    Layer 4 - UDP port 53

    Protocol 17 UDP Flood

    UDP Port 53 Flood

    DNS Query Flood

    A spike in DNS queries and occurrences of query data.

    Layer 7 - DNS query-related thresholds

    DNS Query Flood

    Step 3: Identify the attack size

    You can use the Monitor graphs and Attack Logs to analyze the dimensions of the attack: increases in throughput and drops.

    Step 4: Analyze attack parameters in each OSI layer

    You can use the DDoS Attack log or the Monitor graphs to analyze aggregate throughput and drops due to Layer 3, Layer 4, and Layer 7 FortiDDoS rate thresholds or ACL rules.

    1. For Drop Monitor Graphs, start using the following graphs to identify the layer at which the attack is happening:
    • Aggregate Flood Drops
    • Aggregate ACL Drops
    • Aggregate Anomaly Drops
    • Out of Memory Drops
  • Drill down further by accessing statistics specific to each layer and attack type.
    • Previous
    Next

    A typical workflow for investigating FortiDDoS attack events

    A typical workflow for investigating FortiDDoS attack events

    Whenever there is an attack, you should investigate until you fully understand why packets were dropped, and you know whether the attack event is a false positive.

    A typical FortiDDoS attack investigation includes the following steps:

    1. Identify the destination and source.
    2. Identify the type of attack.
    3. Identify the attack size.
    4. Analyze Layer 3, Layer 4, and Layer 7 parameters to understand the attack method.

    Step 1: Identifying the destination and source

    Most of the statistics graphs identify the SPP and the direction of the attack, so, if there is only one subnet in the attacked SPP, you can easily determine the attack destination.

    If the SPP contains more than one subnet, you can use the following reports to determine the attack destinations and sources:

    • Top Attacks dashboard
    • Log & Report > Log Access > Logs > DDoS Attack Log

    Note: DDoS attacks are often spoofed attacks. Source information is not provided as it is irrelevant.

    Step 2: Identifying the type of attack

    If the SPP contains more than one subnet, you can use the following reports to determine the attack type:

    Top Attacks dashboard

    Dashboard > Status > Attack Logs

    FortiView > SPP > {SPP Rule} > Attacks tab

    Log & Report > Log Access > Logs > DDoS Attack Log

    The following table describes DDoS attack types and identifies the FortiDDoS events to look for.

    Types of attacks

    Attack

    Description

    Threshold to configure/adjust

    Events to watch

    SYN Attack

    A spike in packets on a specific TCP port. In most cases, the source address is spoofed.

    Layer 3 - TCP protocol (6)

    Layer 4 - TCP ports on which the server is listening

    Layer 4 - SYN

    Layer 4 - New connections

    Protocol 6 Flood

    SYN Flood

    Zombie Flood

    TCP Port Flood

    Source Flood

    A single source sends excessive number of IP Packets

    Layer 3 – Most Active Source

    Source Flood

    Zombie Attack

    A spike in TCP packets from Legitimate IP addresses

    Layer 3 – TCP protocol (6)

    Layer 4 – TCP ports on which the server is listening

    Layer 4 – SYN

    Layer 4 - SYN per source (syn-per-src)

    Layer 4 - New connections

    Layer 3 Protocol 6

    SYN Flood

    Zombie Flood

    Port Flood

    SYN Flood from Source

    Fragment Flood

    Excessive number of fragmented packets

    Layer 3 – Other Protocols Fragment

    Layer3 – TCP Fragment

    Layer 3 – UDP Fragment

    Other Protocols Fragment Flood

    TCP Fragment Flood

    UDP Fragment Flood

    Protocol Flood

    ICMP Flood

    An Excessive number of ICMP Packets

    Layer 3 – ICMP protocol (1)

    Layer 4 – ICMP type and code

    Protocol 1 Flood

    Layer 4 ICMP Flood of a specific type and code

    Smurf Attack

    Traffic that appears to originate from the target server’s own IP address or somewhere on its network. Targeted correctly, it can flood the network with pings and multiple responses.

    Layer 3 – ICMP protocol (1)

    Layer 4 – ICMP type and code combinations that are allowed by the firewall and ACL

    Protocol 1 Flood

    ICMP Flood of Echo-Request/Response Type (Type= 0, Code = 0)

    MyDoom Attack

    Excessive number of HTTP packets zombies

    Layer 3 – TCP protocol (6)

    Layer 4 – TCP port 80

    Layer 4 – SYN

    Layer 4 – New connections

    Protocol 6 Flood

    SYN Flood

    Zombie Flood

    TCP Port Flood

    HTTP GET Attack

    Excessive number of HTTP GET Method packets

    Layer 3 – TCP protocol (6)

    Layer 4 – TCP ports on which the server is listening

    Layer 4 – SYN

    Layer 4 – New connections

    Layer 4 – Concurrent connections per source

    Layer 7 – HTTP Methods

    Layer 7 – URL

    Protocol 6 Flood

    SYN Flood

    TCP Zombie Flood

    TCP Port Flood

    Concurrent Connections per Source Flood

    HTTP Method Flood

    URL Flood

    Slow Connection Attack

    Legitimate IP sources send legitimate TCP connections but do it slowly and remain idle, which fills up the server’s connection table memory.

    Layer 3 – TCP protocol (6)

    Layer 4 – TCP ports on which the server is listening

    Layer 4 – SYN

    Layer 4 – New connections

    Layer 4 - Concurrent connections per source

    Protocol 6 Flood

    SYN Flood

    Zombie Flood

    TCP Port Flood

    Concurrent Connections per Source

    UDP Flood Attack

    An excessive number of UDP packets.

    Layer 3 – UDP protocol (17)

    Layer 4 – UDP ports on which the server is listening

    Protocol 17 Flood

    UDP Port Flood

    Slammer Attack

    An excessive number of packets on UDP port 1434

    Layer 3 – UDP protocol (17)

    Layer 4 – UDP ports 1434

    Protocol 17 Flood

    UDP Port 1434 Flood

    Fraggle Attack

    Spoofed UDP packets to a list of broadcast addresses. Usually the packets are directed to port 7 on the target machines, which is the echo port. Other times, it is directed to the CHARGEN port. Sometimes a hacker is able to set up a loop between the echo and CHARGEN port.

    Layer 3 – ICMP protocol (1)

    Layer 3 – UDP protocol (17)

    Layer 4 – UDP echo port (7)

    Layer 4 – Daytime Protocol port (13)

    Layer 4 – Quote of the Day (QOTD) port (17)

    Layer 4 – UDP Character Generator protocol (CHARGEN) (19)

    Layer 4 – ICMP Type/Codes specific to host/port not available

    Protocol 1 Flood

    Protocol 17 Flood

    UDP Port 7 Flood

    UDP Port 13 Flood

    UDP Port 17 Flood

    UDP Port 19 Flood

    ICMP Flood of Port Not Available Type, Code (3,3)

    ICMP Flood of Host Not Available Type, Code (3,1)

    DNS Port Flood

    An excessive number of packets on UDP port 53

    Layer 3 - UDP protocol (17)

    Layer 4 - UDP port 53

    Protocol 17 UDP Flood

    UDP Port 53 Flood

    DNS Query Flood

    A spike in DNS queries and occurrences of query data.

    Layer 7 - DNS query-related thresholds

    DNS Query Flood

    Step 3: Identify the attack size

    You can use the Monitor graphs and Attack Logs to analyze the dimensions of the attack: increases in throughput and drops.

    Step 4: Analyze attack parameters in each OSI layer

    You can use the DDoS Attack log or the Monitor graphs to analyze aggregate throughput and drops due to Layer 3, Layer 4, and Layer 7 FortiDDoS rate thresholds or ACL rules.

    1. For Drop Monitor Graphs, start using the following graphs to identify the layer at which the attack is happening:
    • Aggregate Flood Drops
    • Aggregate ACL Drops
    • Aggregate Anomaly Drops
    • Out of Memory Drops
  • Drill down further by accessing statistics specific to each layer and attack type.
    • Previous
    Next