Address and Service
DDoS attacks that use spoofed source IP addresses require more specific and targeted configurations to stop.
For example, a small Mirai-style botnet can produce 500,000 random source IPs per second. These spoofed source IPs can then be used in requests sent to large numbers of known reflector servers. In a scenario where there are more than 2 million public NTP servers that can be used to reflect NTP Response floods to your network and 2 million DNS servers that can do the same for reflected DNS Response floods, using FortiDDoS ACLs would be ineffective in stopping the DDoS attacks because of the sheer number of possible "attackers" that result from the spoofed sources. Innocent users or customers may trigger the ACL as well. In this case, use FortiDDoS features such as DNS DQRM, NTP Reflection Deny, or Thresholds to protect your network autonomously from attacks from real or spoofed source IPs.
In another scenario, you may be using a Geolocation to block a country from accessing your web servers for normal connections. However, this would not stop a DDoS attacker from the country blocked by the geolocation because the attacker's botnet can automatically randomize all source IPs or craft packets to look like they are coming from your country or even your own network.
For these cases, use ACLs for specific addresses and services that you will not use at any time during normal traffic conditions.
In the System > Address and Service page, you can create the following objects for use in the Global and Service Protection Profile ACLs to target specific IP addresses and services.
Object | Description |
---|---|
Address IPv4 | Includes IPv4 address/netmask from /32, IPv4 address ranges and geolocation Countries. Note: Geolocation objects can only be assigned to Global Access Control Lists (they cannot be used by Service Protection Profile ACLs). |
Address IPv4 Group | Groups of preconfigured Address IPv4 objects. |
Address IPv6 | Includes IPv6 address/netmask from /128 and IPv6 address ranges. |
Address IPv6 Group | Groups of preconfigured Address IPv6 objects. |
Service | Service definitions. The system is pre-populated with 24 well-known UDP Reflection Ports, on which there is normally no useful traffic. For example, these can be grouped in an Anti-Reflection ACL. If you are unsure, let the system create Thresholds for these ports as normal; DDoS protections will work without these ACLs. |
Service Group | Groups the preconfigured Services. For example, if you know you are not seeing any valid traffic on the preconfigured UDP Reflection Ports, you can group these into a single Anti-UDP-Reflection-Group to use in Global or Service Protection Policy ACLs. |
Address IPv4
You can create address objects to identify IPv4 addresses and subnets that you want to match in the following policy rule bases:
- Global ACL
- Do Not Track
- SPP ACL
- TCP Session Extended Source Address IPv4
Before you begin:
- You must have Read-Write permission for Global Settings.
To configure IPv4 addresses:
- Go to System > Address and Service > Address IPv4.
- Click Add to display the configuration editor.
- Complete the configuration as described in the following table.
- Save the configuration.
Setting | Description |
---|---|
Name | Configuration name. Must not contain spaces. |
Type | Address Netmask: create an entry for a subnet using IP address/mask notation. Address Range: create an entry for an address range with "Address Range From" and "To". Geo: create an entry for an address list belonging to a country or area. |

To configure using the CLI:

```
config system address4
    edit addr1
        set type {ip-netmask|ip-range|geo}
        set ip-netmask <ip/mask>
        set ip-max <ip>
        set ip-min <ip>
        set country <string>
    next
end
```
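The following Python model is an added example, not FortiDDoS code. It builds the ip-netmask and ip-range object types from the table above (geo objects are left out because the country database is not part of this page), checks which source addresses they match, renders the corresponding `config system address4` block, and measures how little of a spoofed-source flood like the one in the introduction an address ACL would stop. The matching semantics, the uniform random-source model and the sample ranges are assumptions.

```python
"""Added example: model of FortiDDoS-style IPv4 address objects.

Not FortiDDoS code. Assumes ip-netmask matches any address inside the
subnet and ip-range matches ip-min <= address <= ip-max (inclusive).
"""
import ipaddress
import random
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Address4:
    name: str
    addr_type: str                                  # "ip-netmask" or "ip-range"
    network: Optional[ipaddress.IPv4Network] = None
    ip_min: Optional[ipaddress.IPv4Address] = None
    ip_max: Optional[ipaddress.IPv4Address] = None

    @classmethod
    def netmask(cls, name: str, cidr: str) -> "Address4":
        # strict=False tolerates host bits, so "203.0.113.7/24" means the /24
        net = ipaddress.IPv4Network(cidr, strict=False)
        return cls(name, "ip-netmask", network=net)

    @classmethod
    def ip_range(cls, name: str, first: str, last: str) -> "Address4":
        lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
        if lo > hi:
            raise ValueError(f"{name}: range start {lo} is above range end {hi}")
        return cls(name, "ip-range", ip_min=lo, ip_max=hi)

    def contains(self, ip: str) -> bool:
        addr = ipaddress.IPv4Address(ip)
        if self.addr_type == "ip-netmask":
            return addr in self.network
        return self.ip_min <= addr <= self.ip_max

    def cli(self) -> str:
        """Render one 'edit ... next' entry in the documented CLI shape."""
        lines = [f"    edit {self.name}", f"        set type {self.addr_type}"]
        if self.addr_type == "ip-netmask":
            lines.append(f"        set ip-netmask {self.network.with_prefixlen}")
        else:
            lines.append(f"        set ip-min {self.ip_min}")
            lines.append(f"        set ip-max {self.ip_max}")
        lines.append("    next")
        return "\n".join(lines)


def render_address4_config(objects: List[Address4]) -> str:
    return "config system address4\n" + "\n".join(o.cli() for o in objects) + "\nend"


def acl_matches(objects: List[Address4], ip: str) -> bool:
    """True if any address object in the ACL matches the source IP."""
    return any(o.contains(ip) for o in objects)


def spoofed_hit_rate(objects: List[Address4], samples: int, seed: int = 1) -> float:
    """Fraction of uniformly random (spoofed) source IPs the ACL would stop.

    Assumption: the botnet randomises the whole 32-bit source space, as the
    introduction describes, so a few listed ranges cover almost nothing.
    """
    rng = random.Random(seed)
    hits = sum(acl_matches(objects, str(ipaddress.IPv4Address(rng.getrandbits(32))))
               for _ in range(samples))
    return hits / samples


# Constructed sample objects using documentation ranges (not real attackers)
SAMPLE_ACL = [
    Address4.netmask("scanner-net", "203.0.113.0/24"),
    Address4.ip_range("bad-range", "198.51.100.10", "198.51.100.20"),
]

if __name__ == "__main__":
    print(render_address4_config(SAMPLE_ACL))
    print("203.0.113.7 blocked:", acl_matches(SAMPLE_ACL, "203.0.113.7"))
    print("spoofed-source hit rate:", spoofed_hit_rate(SAMPLE_ACL, 100_000))
```

The last line of the script is the point of the introduction in numbers: a handful of listed ranges matches essentially none of a randomised source space, which is why spoofed floods are left to DQRM, NTP Reflection Deny and Thresholds, and address ACLs are reserved for addresses you never expect to see.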
Address IPv4 Group
Create an address group to include one or more address objects.
To configure IPv4 Address Group:
- Go to System > Address and Service > Address IPv4 Group.
- Click Add to display the configuration editor.
- Complete the configuration and click Save.
To configure using the CLI:

```
config system addressgrp
    edit <name>
        set member-list <address1> <address2> …
    next
end
```
Address IPv6
You create address objects to identify IPv6 addresses and subnets that you want to match in the following policy rule bases:
- Global ACL
- Do Not Track
- SPP ACL
Before you begin:
- You must have Read-Write permission for Global Settings.
To configure IPv6 addresses:
- Go to Global System > Address and Service > Address IPv6.
- Click Add to display the configuration editor.
- Complete the configuration and click Save.
To configure using the CLI:

```
config system addressgrp
    edit <name>
        set member-list <address1> <address2> …
    next
end
```
Address IPv6 Group
To configure IPv6 Address Group:
- Go to System > Address and Service > Address IPv6 Group.
- Click Add to display the configuration editor.
- Complete the configuration and click Save.
To configure using the CLI:

```
config system addressgrp6
    edit <name>
        set member-list <address ipv6> <address ipv6> …
    next
end
```
Service
You configure service objects to identify the services that you want to match in SPP ACL or Global ACL policies.
Before you begin:
- You must have Read-Write permission for Protection Profile settings.
To configure service objects:
- Go to System > Address and Service > Service.
- View the built-in services.
- Click Add to display the configuration editor.
- Select Protocol type and set protocol ID.
- Complete the configuration and click Save.
To configure using the CLI:

```
config system service
    edit <name>
        set protocol-type {ip|icmp|tcp|udp|tcp-and-udp}
        set specify-source-port {enable|disable}
        set source-port-min <0-65535>
        set source-port-max <0-65535>
        set destination-port-min <0-65535>
        set destination-port-max <0-65535>
    next
end
```
Service Group
To configure Service Group:
1. Go to System > Address and Service > Service Group.
2. Click Add to display the configuration editor.
3. Complete the configuration and click Save.
To configure using the CLI:

```
config system servicegrp
    edit <name>
        set member-list <service1> <service2> …
    next
end
```
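The following Python model is an added example, not FortiDDoS code, covering the Service and Service Group procedures above. It models the service fields from the `config system service` CLI (protocol type, optional source-port range, destination-port range), builds an Anti-UDP-Reflection-Group of the kind the object table describes, renders both CLI blocks, and checks which packets the group matches. The port-matching rules, the five-port sample (the appliance ships 24 reflection ports; only a constructed subset is listed), and the choice to key the services on the *source* port (reflected responses arrive from the reflector's service port) are assumptions.

```python
"""Added example: model of FortiDDoS-style service objects and a service group.

Not FortiDDoS code. Assumptions: "ip" matches any protocol, "icmp" ignores
ports, "tcp-and-udp" matches either transport, and ports are inclusive ranges.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

PORT_ANY: Tuple[int, int] = (0, 65535)

# Constructed subset of well-known UDP reflection ports (sample only).
SAMPLE_REFLECTION_PORTS: Dict[str, int] = {
    "dns": 53, "ntp": 123, "snmp": 161, "ssdp": 1900, "memcached": 11211,
}


@dataclass
class Service:
    name: str
    protocol_type: str                              # ip|icmp|tcp|udp|tcp-and-udp
    specify_source_port: bool = False
    source_ports: Tuple[int, int] = PORT_ANY
    destination_ports: Tuple[int, int] = PORT_ANY

    def __post_init__(self) -> None:
        for lo, hi in (self.source_ports, self.destination_ports):
            if not 0 <= lo <= hi <= 65535:
                raise ValueError(f"{self.name}: bad port range {lo}-{hi}")

    def matches(self, proto: str, sport: int, dport: int) -> bool:
        protos = {"tcp", "udp"} if self.protocol_type == "tcp-and-udp" else {self.protocol_type}
        if self.protocol_type != "ip" and proto not in protos:
            return False
        if self.protocol_type in ("ip", "icmp"):      # no port fields for these
            return True
        if self.specify_source_port and not (self.source_ports[0] <= sport <= self.source_ports[1]):
            return False
        return self.destination_ports[0] <= dport <= self.destination_ports[1]

    def cli(self) -> str:
        """Render one 'edit ... next' entry in the documented CLI shape."""
        return "\n".join([
            f"    edit {self.name}",
            f"        set protocol-type {self.protocol_type}",
            f"        set specify-source-port {'enable' if self.specify_source_port else 'disable'}",
            f"        set source-port-min {self.source_ports[0]}",
            f"        set source-port-max {self.source_ports[1]}",
            f"        set destination-port-min {self.destination_ports[0]}",
            f"        set destination-port-max {self.destination_ports[1]}",
            "    next",
        ])


def reflection_services(ports: Dict[str, int]) -> List[Service]:
    """One UDP service per reflector port, keyed on the source port, because a
    reflected response reaches the victim *from* the reflector's service port."""
    return [Service(f"udp-{n}-reflect", "udp", True, (p, p), PORT_ANY)
            for n, p in ports.items()]


def group_matches(services: List[Service], proto: str, sport: int, dport: int) -> bool:
    """A service group matches when any member service matches."""
    return any(s.matches(proto, sport, dport) for s in services)


def render_config(group_name: str, services: List[Service]) -> str:
    lines = ["config system service", *[s.cli() for s in services], "end",
             "config system servicegrp", f"    edit {group_name}",
             "        set member-list " + " ".join(s.name for s in services),
             "    next", "end"]
    return "\n".join(lines)


ANTI_REFLECTION = reflection_services(SAMPLE_REFLECTION_PORTS)

if __name__ == "__main__":
    print(render_config("Anti-UDP-Reflection-Group", ANTI_REFLECTION))
    print("reflected NTP response (udp 123 -> 40000):", group_matches(ANTI_REFLECTION, "udp", 123, 40000))
    print("client DNS query to your server (udp 40000 -> 53):", group_matches(ANTI_REFLECTION, "udp", 40000, 53))
```

The two printed checks show the trade-off behind the table's warning: inbound queries to your own DNS or NTP servers (ephemeral source port, well-known destination port) pass, but anything sourced from port 53 or 123 is matched. If your network runs a recursive resolver or an NTP client, upstream replies also arrive with those source ports, which is exactly the "valid traffic on the preconfigured UDP Reflection Ports" that the table says must be absent before such a group is used in an ACL.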