Handbook

TCP Profile

Use the TCP Profile to configure various TCP parameters. A TCP Profile should be used for ALL SPPs, even ones that host primarily UDP service.

Some TCP Profile parameters CANNOT be used with asymmetric traffic. Be aware of your routing environment and Global Protection > Deployment > Asymmetric Mode setting.

You can create a maximum of 64 TCP Profiles.

Note 1: It is IMPORTANT that SYN Validation is enabled when this profile is used for any SPP in Prevention Mode. If SYN Validation is NOT enabled, the SYN Thresholds are ignored and there is no protection from SYN floods.

Note 2: SYN Flood Mitigation requires interaction with the sending Client which will not happen if the SPP is in DETECTION Mode. You should create a TCP-Detection mode Profile with SYN Validation disabled and TCP-Prevention mode Profile with SYN Validation enabled and change this profile when you change Detection/Prevention Modes for the SPP.

Note 3: You cannot delete any TCP Profile if it has any definitions for TCP Session Extended Source Address IPv4/IPv6. Remove those from the TCP Profile first. Those addresses/groups may be in use by other SPPs or Profiles.

Table columns: Field/Selection; Description; Recommendations for Detection Mode, Prevention Mode, Symmetric Traffic and Asymmetric Traffic.

Name: 1-35 characters (a-Z, 0-9, "-", "_" only)

SYN Flood Protection

SYN Flood Mitigation Mode
  • SYN cookie (Recommended)—Sends a SYN/ACK with a cookie value in the TCP sequence field. If it receives an ACK back with the right cookie, a SYN/RST packet is sent and the IP address is added to the legitimate IP address table. When the client then automatically retries, it succeeds in making a TCP connection. Fortinet recommends this option.
  • ACK cookie—Sends the client two ACK packets: one with a correct ACK number and another with a wrong number. The system determines whether the source is spoofed based on the client’s response. If the client’s response indicates that the source is not spoofed, FortiDDoS allows the connection and adds the source to the legitimate IP address table. Fortinet recommends this option if you have enough bandwidth in the reverse direction of the attack.
  • SYN retransmission—Drops the initial SYNs to force the client to send a SYN again. If the expected number of retransmitted SYNs arrive within the predetermined time period, the system considers the source to be legitimate. FortiDDoS then allows the connection to go through and adds the source to the legitimate IP address table. Fortinet no longer recommends this option.

SYN Cookie

SYN Flood Mitigation Direction

Inbound Recommended

Outbound not normally required - Expert use

Inbound
SYN With Payload

SYN with Payload blocks SYN packets that are not header-only packets: they carry additional, usually malicious, payload. Attackers use SYN with Payload to increase the size of their attacks.

However, a draft IETF standard (Fast Open) allows payload with SYNs and some Hosting companies are experimenting with it. If you see SYNwithPayload drops, investigate the Protected IPs.

Inbound Recommended

Outbound not normally required - Expert use

Inbound
TCP Slow Connection Protection

Use this section to specify:

  • Slow connection detection settings (Type, Threshold and Observation Period). These settings are only used if Slow TCP Connections is enabled below in TCP Session Settings.
  • Slow Connection Source Blocking option

Expert use only: Many servers allow logins or allow long idle times, which may trigger TCP Slow Connections and unexpectedly drop legitimate connections. Use FortiWeb or FortiADC to manage slow connections on these types of servers.

Note the following:

  • Do not use Slow Connection settings with asymmetric traffic. FortiDDoS counts Bytes for the connection in both directions since a single command may result in a large file download with occasional ACKs from the client. If FortiDDoS does not see the outbound packets (for example), it may trigger a false positive Slow Connection.
  • Do not use Slow Connections settings with any authenticating servers such as SSL-VPN, FTP or any server that allows a user to login and stay idle for any period of time (e-commerce, for example). Idle sessions will trigger Slow Connection mitigation and may drop the user’s session unexpectedly.
  • Slow Connection settings are best tuned while the system is in Prevention Mode. If attempting in Detection Mode, enable Block Sources with Slow TCP Connections. This will provide additional logging information, BUT it may also result in a large number of 'Foreign Packet' drops which can be ignored.
Expert - Many servers allow logins or allow long idle times. These will trigger TCP Slow Connections and unexpectedly drop legitimate connections. Use FortiWeb or FortiADC to manage slow connections on these types of servers.

No
  • Slow Connection Type

Select one of the following options from the drop-down:

  • Moderate: Uses predefined thresholds to detect slow connection attacks.
  • Aggressive: Uses more aggressive (lower) thresholds to detect slow connection attacks.
  • User Defined: Enables advanced users to specify custom thresholds to detect slow connection attacks.
  • None (Default): Do not monitor for slow connection attacks. If this setting is chosen, disable TCP Sessions Settings > Aggressive Aging Feature Control: Slow TCP Connections below as well.

Note: To reduce false positives, Fortinet recommends that you initially set the option to Moderate and switch to Aggressive only if required. When the 'User Defined' option is selected, the defaults are set to 1 Byte per 15 seconds, which allows lower rates than the default 'Moderate' setting. We recommend using the predefined Moderate and Aggressive values as guidelines to help you specify your own settings.

Thresholds are triggered when a session sends or receives data at a SLOWER rate than the Byte Threshold over the Observation Period.

Expert

No
  • Block Sources With Slow TCP Connections

Normally enabled if above Slow Connection Type is not None.

This results in an attack log called 'Slow Connection: Source flood'. This log includes the Source IP of the Slow Connection, which is useful for analysis and potentially ACLing the Source.

Use this option with care. Using Block Sources will block all traffic from those Sources. For example, if one client behind a firewall is creating a Slow Connection, all traffic from the firewall will be blocked.

Disabling this option results in an attack event called Foreign Packets (Aggressive Aging and Slow Connections), which is shared with other Aggressive Aging events (see Aggressive Aging).

Expert

No

  • Slow Connection Byte Threshold

The number of Bytes that must be seen within the Observation Period below to prevent triggering Slow Connection Mitigation.

Note, this number is pre-filled for Types: Moderate or Aggressive and can be customized for Type: User Defined. If Type: None is selected, numbers are shown in the Byte Threshold but are ignored.

Expert

No

  • Slow Connection Observation Period

The time period (in seconds) during which Bytes are counted. Once the Byte threshold above is crossed, the Observation Period is reset and the Byte count starts again.

Note, this number is pre-filled for Types: Moderate or Aggressive and can be customized for Type: User Defined. If Type: None is selected, numbers are shown in the Observation Period but are ignored.

Expert

No
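As an added illustration (not FortiDDoS code), the Python below models the Slow Connection check described above: bytes are counted in both directions within the Observation Period, the period restarts whenever the Byte Threshold is reached, and the session is flagged when a period elapses first; it also replays the asymmetric-routing false positive noted above, where outbound bytes are never seen. Only the User Defined default of 1 Byte per 15 seconds comes from the Handbook; the Moderate and Aggressive numbers are placeholders.

```python
from dataclasses import dataclass
from typing import Optional

# Illustrative (Byte Threshold, Observation Period in seconds) per Slow Connection
# Type. Only the User Defined default (1 Byte per 15 s) is from the Handbook; the
# Moderate and Aggressive numbers are placeholders, not the FortiDDoS presets.
SLOW_CONNECTION_TYPES = {
    "user-defined": (1, 15),
    "moderate": (64, 10),    # placeholder
    "aggressive": (256, 5),  # placeholder
}


@dataclass
class SlowConnectionMonitor:
    """One TCP session. Bytes in both directions are counted inside the
    Observation Period; reaching the Byte Threshold restarts the period and the
    count, while a period that elapses first marks the session as slow."""
    byte_threshold: int
    observation_period: float
    sees_outbound: bool = True   # False models asymmetric routing (server->client unseen)
    window_start: float = 0.0
    byte_count: int = 0
    flagged_at: Optional[float] = None

    def _period_elapsed(self, now: float) -> bool:
        if self.flagged_at is None and now - self.window_start >= self.observation_period:
            self.flagged_at = self.window_start + self.observation_period
        return self.flagged_at is not None

    def observe(self, ts: float, direction: str, nbytes: int) -> Optional[float]:
        """Feed one packet ('in' = client->server, 'out' = server->client) seen at
        time ts. Returns the time the session was flagged, or None."""
        if self._period_elapsed(ts):
            return self.flagged_at
        if direction == "in" or self.sees_outbound:
            self.byte_count += nbytes
        if self.byte_count >= self.byte_threshold:
            self.window_start, self.byte_count = ts, 0   # threshold met: restart period
        return None

    def check(self, now: float) -> Optional[float]:
        """Idle check with no packet at time now; returns the flag time or None."""
        self._period_elapsed(now)
        return self.flagged_at


def first_flag_time(events, slow_type, sees_outbound=True, until=None):
    """Replay a trace of (ts, direction, nbytes) and return when, if ever, the
    session is flagged; `until` adds a final idle check at that time."""
    threshold, period = SLOW_CONNECTION_TYPES[slow_type]
    mon = SlowConnectionMonitor(threshold, period, sees_outbound)
    for ts, direction, nbytes in sorted(events):
        if mon.observe(ts, direction, nbytes) is not None:
            break
    if until is not None:
        mon.check(until)
    return mon.flagged_at


# Constructed traces.
# 1) Slowloris-style client: 5 bytes every 3 s, nothing flowing back.
TRICKLE = [(t, "in", 5) for t in range(0, 31, 3)]
# 2) Legitimate download: a 200-byte request, then 1400-byte server segments
#    every 2 s with only an occasional 40-byte client ACK.
DOWNLOAD = [(0, "in", 200)] + [(t, "out", 1400) for t in range(2, 31, 2)] + [(12, "in", 40), (24, "in", 40)]

if __name__ == "__main__":
    print("trickle / moderate:", first_flag_time(TRICKLE, "moderate"))
    print("download / symmetric:", first_flag_time(DOWNLOAD, "moderate"))
    print("download / outbound unseen:", first_flag_time(DOWNLOAD, "moderate", sees_outbound=False))
```

The same download trace passes when both directions are counted and is flagged at 10 s when the server's segments are invisible, which is the asymmetric case the note above warns about.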

TCP Packets Validation

TCP Session Feature Control:

  • Sequence Validation

Drops packets with invalid TCP sequence numbers.

Expert use: The sequence number is an end-point mechanism, and vendors that control both end-points (client-server applications or point-to-point devices such as WAN optimizers) can manipulate the sequence number for their own use. This violates the RFCs and results in dropped traffic when this feature is enabled. Out-of-sequence packets are not a known DDoS flood type and, if used in an attack, will be caught by other DDoS parameters.

Expert/Disable

Expert/Disable

Disable

  • SYN Validation

Enables SYN Flood validation using the method selected above. If this is NOT enabled, SYN Thresholds are ignored and SYN Floods are not mitigated.

If this feature is enabled in DETECTION Mode and there is a SYN Flood, the system is unable to send validation packets, resulting in unusual logging.

This feature should be disabled while in DETECTION Mode.

Disable

Enable

  • State Transition Anomalies Validation

Drops packets with TCP state transitions that are invalid. For example, if an ACK packet is received when FortiDDoS has not observed a SYN/ACK packet, it is a state transition anomaly.

FortiDDoS features can be used in Asymmetric Mode, provided Allow Inbound SYN-ACK is also enabled. See Global Protection features.

Enable

Enable

  • Foreign Packet Validation

Drops TCP packets without an existing TCP connection and reports them as a foreign packet. In most cases, the foreign packets validation is useful for filtering out junk.

Note: Inbound Foreign Packets will be passed in DETECTION Mode and may result in matching outbound Foreign Packets. If in doubt, disable Foreign Packet Validation when the SPP is in DETECTION mode.

Disable

Enable

  • Allow Tuple Reuse

Allows a new connection with the same 5-tuple (Source IP:Port, Protocol, Destination IP:Port) while the existing connection is in the closed, close-wait, fin-wait or time-wait state.

Enable

  • Allow Duplicate SYN in SYN Sent

Allows duplicate TCP SYN packets during the SYN-SENT state. It allows this type of packet even if the sequence numbers are different.

Enable

Optional but not necessary

  • Allow Duplicate SYN in SYN Recv

Allows duplicate TCP SYN packets during the SYN-RECV state. It allows this type of packet even if the sequence numbers are different.

Disable

  • Allow SYN Anomaly

Allows duplicate TCP packets during any other state even if the sequence numbers are different from the existing connection entry. This is equivalent to allowing the packet without updating an existing connection entry with the new information from the allowed packet.

Use on Fortinet recommendation only

  • Allow SYN ACK Anomaly
  • Allow ACK Anomaly
  • Allow RST Anomaly
  • Allow FIN Anomaly
  • Drop Threshold For Foreign Packets

If Foreign Packet Validation is enabled, this optional field is shown. Default value is 0 with range 0-65535.

If a non-zero Threshold is added here, Foreign Packets will not be dropped nor displayed unless their packet rate exceeds the Threshold, at which point they are dropped and displayed in logs and graphs.

Use this Threshold if Foreign Packet drop logs are distracting, since most customers will see small numbers of drops every logging cycle.

Note: If the Foreign Packet Threshold is set and Foreign Packet Validation is then disabled, the Threshold is reset to 0 and must be entered again when Foreign Packet Validation is re-enabled.

  • Strict Anomalies

Drops various TCP Header Anomalies including:

  • TCP Checksum Error
  • TCP Invalid Flag Combination
  • Other header anomalies, such as incomplete packet
  • SYN or FIN or RST is set for fragmented packets
  • Data offset is less than 5 for a TCP packet
  • End of packet is detected before the 20 bytes of TCP header
  • Length field in Window scale option other than 3 in a TCP packet

Enable
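The header checks in the Strict Anomalies list above, as an added Python example that is not FortiDDoS code: it parses a raw TCP segment, verifies the checksum over the IPv4 pseudo-header, walks the options and reports the anomalies listed, using constructed segments from a small builder helper. The specific invalid flag combinations it tests (no flags set, SYN together with FIN or RST) are an assumption, since the Handbook does not enumerate them.

```python
import socket
import struct

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
SRC, DST = "198.51.100.10", "203.0.113.20"   # constructed documentation addresses

def _ones_complement_sum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header plus the TCP segment. Computed over a
    segment that already carries its checksum, the result is 0 when it is valid."""
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
    pseudo += struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment))
    return (~_ones_complement_sum(pseudo + segment)) & 0xFFFF

def tcp_strict_anomalies(segment: bytes, src_ip: str, dst_ip: str, is_fragment: bool = False) -> list:
    """Return the Strict Anomalies entries a segment would trip. Which flag
    combinations count as invalid (no flags; SYN with FIN or RST) is an assumption."""
    found = []
    if len(segment) < 20:
        return ["end of packet before 20-byte TCP header"]
    data_offset, flags = segment[12] >> 4, segment[13]
    header_len = data_offset * 4
    if data_offset < 5:
        found.append("data offset less than 5")
    elif header_len > len(segment):
        found.append("other header anomaly: incomplete packet")
    if flags == 0 or (flags & SYN and flags & (FIN | RST)):
        found.append("invalid flag combination")
    if is_fragment and flags & (SYN | FIN | RST):
        found.append("SYN/FIN/RST set on fragmented packet")
    if tcp_checksum(src_ip, dst_ip, segment) != 0:
        found.append("checksum error")
    opts, i = segment[20:min(header_len, len(segment))], 0
    while i < len(opts):                      # walk the TCP options
        kind = opts[i]
        if kind == 0:                         # End of Option List
            break
        if kind == 1:                         # NOP carries no length byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            found.append("other header anomaly: incomplete option")
            break
        if kind == 3 and opts[i + 1] != 3:    # Window Scale must have length 3
            found.append("window scale option length other than 3")
        i += opts[i + 1]
    return found

def build_segment(flags: int, options: bytes = b"", payload: bytes = b"", bad_checksum: bool = False) -> bytes:
    """Construct a segment from SRC:40000 to DST:443 with a valid checksum, or a
    deliberately corrupted one, as input for the checker."""
    options += b"\x00" * (-len(options) % 4)          # pad options to 32-bit words
    data_offset = 5 + len(options) // 4
    hdr = struct.pack("!HHIIBBHHH", 40000, 443, 1000, 0, data_offset << 4, flags, 65535, 0, 0)
    seg = hdr + options + payload
    csum = tcp_checksum(SRC, DST, seg)
    if bad_checksum:
        csum = (csum + 1) & 0xFFFF
    return seg[:16] + struct.pack("!H", csum) + seg[18:]

# Constructed option blocks: MSS 1460, NOP, Window Scale 7 (length 3 as specified),
# and the same with a malformed Window Scale option of length 4.
GOOD_OPTS = b"\x02\x04\x05\xb4\x01\x03\x03\x07"
BAD_WSCALE_OPTS = b"\x02\x04\x05\xb4\x03\x04\x07\x00"

if __name__ == "__main__":
    print(tcp_strict_anomalies(build_segment(SYN, GOOD_OPTS), SRC, DST))        # []
    print(tcp_strict_anomalies(build_segment(ACK, BAD_WSCALE_OPTS), SRC, DST))  # window scale length
```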

TCP Session Settings

Aggressive Aging Feature Control

Controls sending RSTs to servers

High Concurrent Connection per Source

Sends TCP RSTs to the protected destination server(s) to reset connections from the identified Source IP when the Concurrent Connection per Source threshold is crossed.

Optional. The system cannot send RSTs in Detection mode, which may result in unusual logging.

Enable

Slow TCP Connections

Sends TCP RSTs to the protected destination server(s) to reset connections from the identified source depending on the Slow Connection settings above.

Optional. The system cannot send RSTs in Detection mode, which may result in unusual logging.

Expert

No

TCP Session Idle Timeout

Idle timeout period for any TCP session. The default value is 528 seconds. Use this timer to age idle TCP sessions (sessions with no traffic for long periods) for all connections and ports. This timer should match other idle timers in your infrastructure, such as firewalls.

Always monitored

This setting is ignored in Asymmetric Mode

TCP Session Idle Timeout Unit

Seconds, Minutes, Hours.

TCP Session Extended Timeout

Extended timeout value for specific IP addresses (IPv4 only) where the timeout should be longer than the idle timeout period. For example, this setting can be configured for specific IP addresses in environments where persistent SSH/TELNET/HTTP connections are used. This timer should be longer than the TCP Session Idle Timeout. See also, Session timeout precedence and application, below.

Always monitored

This setting is ignored in Asymmetric Mode

TCP Session Extended Timeout Unit

Seconds, Minutes, Hours.

TCP Session Extended Source Type

IPv4 Address or IPv4 Address Group

Always monitored

This setting is ignored in Asymmetric Mode

TCP Session Extended Source Address IPv4

Select from the Global IP address / IP Address Group definitions

Example Settings:

TCP Detection Mode

TCP Prevention Mode
