Aggregate

Aggregation of drops due to SPP Layer 3 thresholds.

Aggregation of drops due to SPP Layer 4 thresholds.

Aggregation of drops due to SPP Layer 7 thresholds.

Layer 3

Aggregation of drops due to protocols thresholds. These counters track the packet rate for each protocol.

Drops due to the SPP Fragment thresholds (TCP/UDP/Other Protocols).

Drops due to the SPP Most Active Source (MAS) threshold. This counter tracks dropped packets from source IP addresses.

Drops due to the SPP Most Active Destination (MAD) threshold. This counter tracks dropped packets to protected IP addresses.

Note: The Most Active Destination Threshold is set to system maximum by System Recommendations.

Layer 4

Drops due to the SPP SYN threshold. This counter shows drops due to SYN (Source IP) Validation for the aggregate rate of all SYNs into the SPP. Further SYN detail is available in the Traffic Monitor > Layer 4 graphs

Drops due to the SPP inbound SYN/ACK threshold. This counter shows drops due to SYN/ACK for the aggregate over-threshold rate to all Protected Subnets within the SPP.

Note this Threshold is only available and graphed when:

• FortiDDoS is in Asymmetric Mode with Asymmetric Mode Allow Inbound Synack enabled (Global Protection > Deployment)
• SYN/ACK in Asym Mode Threshold is manually set per Service Protection Policy > Thresholds > Scalars

Further SYN/ACK in Asym Mode detail may be available in the Traffic Monitor > Layer 4 graphs.

Drops due to the SPP inbound SYN/ACK per Destination threshold. This counter shows drops due to SYN/ACK per Destination for the over-threshold rate to any Protected IP within the SPP.

Note this Threshold is only available and graphed when:

• System is in Asymmetric Mode with Asymmetric Mode Allow Inbound Synack enabled (Global Protection > Deployment)
• SYN/ACK per Destination in Asym Mode Threshold is manually set per Service Protection Policy > Thresholds > Scalars

Further SYN/ACK per Destination in Asym Mode detail may be available in the Traffic Monitor > Layer 4 graphs.

Aggregation of drops due to the SPP rate-limiting thresholds for TCP ports.

Aggregation of drops due to the SPP rate-limiting thresholds for UDP ports.

Aggregation of drops due to the SPP rate-limiting thresholds for ICMP types/codes.

Drops due to the SPP New Connections threshold, which sets a limit for legitimate IPs. FortiDDoS assumes a zombie flood is underway when the number of allowed legitimate IP addresses during a SYN flood exceeds a set threshold. These packets indicate that non-spoofed IP addresses are creating a DDoS attack by generating a large number SYN packets. Note: The New Connections Threshold is set to system maximum by System Recommendations.

Drops due to the SPP SYN per Source threshold. This counter shows drops due to SYN per Source IP rate limiting within the SPP. No SYN Validation is done for SYN per Source. Further SYN per Source detail is available in the Traffic Monitor > Layer 4 graphs.

Drops due to the SPP Concurrent Connections per Source rate-limiting threshold.

Drops due to the SPP SYN per Destination threshold. This counter shows drops due to SYN Validation for over-threshold Protected IPs (Destinations) within the SPP. Further SYN per Destination detail is available in the Traffic Monitor > Layer 4 graphs

Drops due to SPP slow connection detection and blocking of identified sources of slow connection attacks.

Layer 7

Display of aggregate Flood drops for:

• HTTP
• SSL/TLS
• DNS
• NTP

Display of Flood drops due to HTTP thresholds for:

• Method Flood(GET, HEAD, OPTIONS, TRACE, POST, PUT, DELETE, CONNECT)
• Method per Source (aggregation of any Methods per Source IP)
• URL Flood
• Host Flood
• Referer Flood
• Cookie Flood
• User Agent Flood

Display of SSL/TLS Incomplete Request Source Flood drops for the SSL Renegotiation Threshold and Aging Timer in the SSL/TLS Profile.

Display of drops due to DNS thresholds:

• Unsolicited DNS Response Drop - Drops when a DNS Response is received but there is no DNS Query entry in the DNS Query Response Matching (DQRM) table.

• LQ Drops - Drops during any type of UDP Query Flood when the Query is not in the Legitimate Query (LQ) table.

• TTL Drop - Drops during any type of UDP Query Flood when a source IP address sends a repeated DNS UDP Query for the same destination before the TTL has expired. It is expected that the query should not be repeated until the TTL expires.

• Cache Drop - Drops during any type of UDP Query Flood when a response was served from the Cache or because a response was not found in the cache and the system is configured to drop such queries.

• Spoofed IP Drop - Drops due UDP DNS anti-spoofing checks (Retransmission or TC=1/Force TCP)

• Unexpected Query Drop - Drops due to Duplicate Query checks.

• Query Per Source Drop - Drops due to the DNS UDP Query per Source threshold. This rate-limiting threshold tracks DNS UDP Query rates from source IP addresses and does not attempt Source or Query validation. .

• Suspicious Sources Drop - Drops due to the UDP DNS Packet Track per Source threshold. This rate-limiting threshold tracks sources that demonstrate suspicious activity (a score based on heuristics that count fragmented packets, response not found in DQRM, or queries that generate responses with RCODE other than 0).

• Fragment Drop - Drops due to rate-limiting DNS Fragment threshold for UDP traffic.

• TCP Query Drop - Drops due to the rate-limiting DNS Query TCP threshold for TCP traffic.

• TCP Question Drop Drops due to the rate-limiting DNS Question Count TCP threshold for TCP traffic.

• TCP MX Drop Drops due to the rate-limiting DNS MX Count TCP threshold for TCP traffic.

• TCP All Drop Drops due to the rate-limiting DNS All TCP threshold for TCP traffic.

• TCP Zone Transfer Drop - Drops due to the rate-limiting DNS Zone Transfer TCP threshold for TCP traffic.

• Response Code Drop – Aggregate Drops due to the 15 rate-limiting DNS Rcode Thresholds.

• DNSSEC UDP Asymmetric Response per Source - Drops due to this rate-limiting.

• This Threshold is only available when FortiDDoS is configured in Asymmetric Mode.

• DNSSEC UDP Asymmetric Response - Drops due to the rate-limiting Threshold.

• This parameter shows the aggregate drops for DNSSEC Responses into the SPP.

• This Threshold is only available when FortiDDoS is configured in Asymmetric Mode.

• DNSSEC UDP Asymmetric Response per Destination - Drops due to the rate-limiting Threshold.

• This parameter shows the aggregate drops for DNSSEC Responses for single Destinations (protected IPs).

• This Threshold is only available when FortiDDoS is configured in Asymmetric Mode.

• DNSSEC UDP Unsolicited Response – UDP Drops due to the DNSSEC Message Type Match feature in a DNS Profile.

• DNSSEC TCP Unsolicited Response – TCP Drops due to the DNSSEC Message Type Match feature in a DNS Profile.

Display of drops due to NTP thresholds:

• Request Flood Drops - Drops due to rate-limiting NTP Request threshold
• Response Flood Drops - Drops due to rate-limiting NTP Response threshold
• Broadcast Flood Drops - Drops due to rate-limiting NTP Broadcast threshold
• Response per Destination Flood Drops - Drops due to rate-limiting NTP Response per Destination threshold

Display of drops due to DTLS thresholds:

• Client Hello Flood from Source - Drops due to rate-limiting of this DTLS Threshold

• Server Hello Flood from Source - Drops due to rate-limiting of this DTLS Threshold

• Server Hello Flood from Destination- Drops due to rate-limiting of this DTLS Threshold