DDoS attack mitigation mechanisms
If you are new to FortiDDoS, you must first understand the tools available in your tool chest for Distributed Denial of Service (DDoS) attack mitigation. Since DDoS attacks can be of various types, FortiDDoS has a wide spectrum of capabilities for different attack types.
FortiDDoS supports the following type of countermeasures:
These can be used for deployment in the order below:
Administrative Countermeasures
Security policies, general procedures, accepted safety guidelines and so on are considered as Administrative Countermeasures. These depend on the organizations that use FortiDDoS. Examples of Administrative countermeasures are restricting IP addresses for managing FortiDDoS and restricting access authorization to different users based on their roles. This should be the first set of decisions made while designing a FortiDDoS deployment.
Preventive Countermeasures
Proactive measures fall under prevention category. These include stringent security policies that can protect the system from unwanted activities. Examples of these include IP Reputation Service, Domain Reputation Service, Geo-location ACLs, BCP-38 anti-spoofing, maintaining network hygiene by blocking unwanted protocols, ports and IP ranges and so on. These should be designed and used as the second step in the deployment.
Preventive Countermeasures | Description |
---|---|
Service Protection Policy (SPP) | This is a fundamental architectural component of FortiDDoS which ensures isolation. Every SPP, which is configured using a set of subnets/prefixes, has its own set of policies. This ensures that an attack on one SPP doesn’t impact the others. For more information about configuring SPPs, see here. |
Directional Protection | Attack mitigation in FortiDDoS is directional. Thus, an attack in one direction doesn’t impact the other. |
IP Reputation Service | The FortiGuard IP Reputation Service aggregates malicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile sources. Near real-time intelligence from distributed network gateways combined with world-class research from FortiGuard Labs helps organizations stay safer and proactively block attacks. For more information about configuring IP Reputation Service, see here. |
Domain Reputation Service | The FortiGuard Domain Reputation Service provides a regularly updated list of known malicious fully qualified domain names (FQDNs). This service is used to prevent DNS servers from reaching known malicious sites and helps prevent attacks that obfuscate source IPs using hijacked domain names. For more information about configuring Domain Reputation Service, see here. |
Blocklisted IP addresses | This feature helps you to deny a large set of blocklisted IPv4 Addresses. For more information about configuring blocklisted IP addresses, see here. |
Blocklisted DNS domains | This feature helps you to deny a large set of blocklisted Domains. For more information about configuring blocklisted DNS domains, see here. |
Geo-location access control list | The geolocation policy feature enables you to block traffic from the countries you specify, as well as anonymous proxies and satellite providers, whose geolocation is unknown. For more information about configuring Geo-location access control list, see here. |
Access control list for addresses | This feature allows you to block addresses, subnets, prefixes reaching a protected address. For more information about configuring Access control list for addresses, see here. |
Access control list for services | This feature allows you to block services (such as protocols, ports, network parameters such as fragmentation, URLs, user-agents, etc.). For more information about configuring Access control list for services, see here. |
Proxy IP settings | Enabling proxy IP settings avoids false detection of attacks for certain IPs. For more information about configuring Proxy IP settings, see here. |
Detective countermeasures
A DDoS attack must be detected within the shortest time possible as accurate as it can be. A DDoS attack mitigation system must be able to separate legitimate packets from attack packets. This ensures that legitimate clients are served during attack. Examples of detective countermeasures include anomalies such as header, state, rate and so on. Other reactive countermeasures include similarity detection such as packet-length statistics.
Detective Countermeasures | Description |
---|---|
Rate anomaly detection using continuously adaptive threshold violation | This is the most well-known feature of FortiDDoS. This ensures that a single packet type (say SYN, or packet for a certain protocol or port) cannot exceed previously observed thresholds. |
Slow attack detection | Apart from detecting fast attacks, FortiDDoS can also monitor attacks that are too slow but dangerous for servers via connection table overload. |
Protocol header anomaly detection | This is done for 3, 4 and 7 protocols. Mitigation includes IPv4/v6, TCP, UDP, ICMP, DNS and HTTP header anomalies. |
State anomaly detection |
FortiDDoS maintains multiple state tables to ensure that protocol state transitions are not violated. These include:
|
Reactive countermeasures
After detecting an attack, the system need to take necessary actions to mitigate the attack. Examples of reactive mechanisms in FortiDDoS include rate limiting, selective packet dropping, aggressive aging, anti-spoofing, source tracking and so on. These are mostly event-driven countermeasures.
Reactive Countermeasures | Description |
---|---|
Rate Based | There are two types of attack mitigation:
|
Aggressive Aging | FortiDDoS can detect slow connection attacks and combat them by “aggressively aging” idle connections. In addition to the slow connection detection, you can use the SPP aggressive aging TCP connection feature control options to reset the connection (instead of just dropping the packets) when the following rate anomalies are detected:
For more information about the above features, see here. |
Anti-spoofing |
This is done via the following Source Address Validation schemes:
|
Mitigation Strategies
FortiDDoS supports the following mitigation strategies:
- Standalone mitigation
- The appliance acts standalone and mitigates DDoS attacks up to the bandwidth of the pipe.
- Hybrid mitigation
- With another FortiDDoS in the cloud - If your service provider allows another high-end FortiDDoS ahead of the pipe, FortiDDoS in the data center can communicate with the FortiDDoS in the service provider network and mitigate higher bandwidth attacks.
- With a cloud scrubbing service in the cloud - FortiDDoS in the data center can signal third-party scrubbing services and mitigate bandwidth attacks collaboratively. While the cloud scrubbing center can mitigate layer 3 and layer 4 attacks, FortiDDoS in the data center can mitigate residual attacks such as application layer, slow attacks which cannot be mitigated in the cloud.