Source tracking
This feature lets the system penalize a source that is generating attacks that are not source-specific, such as a Protocol Flood, so that one high-volume source does not affect other legitimate sources.
| Settings | Guidelines |
|---|---|
| Source Multiplier Inbound/Outbound | Applies the specified multiplier to the packet count for traffic with a source IP address that the system has identified as the source of a flood. In effect, the multiplier makes traffic from the source violate thresholds sooner. The default is 2. For example, if the most-active-source threshold is 100 packets per second and the source multiplier is 4, an identified source attacker will violate the threshold if it sends 26 packets per second. Because incoming traffic is more likely to be the source of a threat, you can configure different multipliers for incoming and outgoing traffic. |
| Layer 7 Multiplier Inbound/Outbound | Applies the specified multiplier to the packet count for traffic that the system has detected is related to a Layer 7 HTTP flood. The system tracks HTTP headers (URL or Host, Referer, Cookie or User-Agent header) and associates traffic with matching headers with the attack. The default is 2. Note: When both Source flood and Layer 7 flood conditions are met, the packet count multipliers are compounded. For example, during a User-Agent flood attack, a source is sending the User-Agent header that is overloaded. If the Source multiplier is 4 and the Layer 7 multiplier is 64, the total multiplier applied to such traffic is 4 x 64 = 256. In effect, each time the source sends a Layer 7 packet with that particular User-Agent header, FortiDDoS considers each packet the equivalent of 256 packets. |

To configure using the CLI:

```
config ddos spp rule
  edit <spp_name>
    set source-multiplier-inbound <integer>
    set source-multiplier-outbound <integer>
    set layer-7-multiplier-inbound <integer>
    set layer-7-multiplier-outbound <integer>
  next
end
```
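The following Python model is an added example, not FortiDDoS code, that reproduces the weighted-counting arithmetic the table describes: packets from a flagged flood source are weighted by the source multiplier, packets carrying a flagged Layer 7 header are weighted by the Layer 7 multiplier, and a packet matching both gets the compounded weight. The packet list, IP addresses, User-Agent strings and the `most_active_source_threshold` name are constructed for the illustration; the "violates" rule (effective count strictly greater than the threshold) is an assumption that reproduces the 26 packets/second figure from the table.

```python
"""Model of source-tracking packet-count multipliers (added example, not Fortinet code).

Assumptions (not stated by the page):
  - a threshold is violated when the effective count is strictly greater than it
  - counts are per source IP over a one-second window
"""
from collections import defaultdict


def effective_weight(src, user_agent, flagged_sources, flagged_user_agents,
                     source_multiplier=2, layer7_multiplier=2):
    """Weight of one packet: 1, or the source/L7 multiplier, or their product when both apply."""
    weight = 1
    if src in flagged_sources:            # source identified as a flood source
        weight *= source_multiplier
    if user_agent in flagged_user_agents:  # header associated with a Layer 7 flood
        weight *= layer7_multiplier        # compounds with the source multiplier
    return weight


def effective_counts(packets, flagged_sources, flagged_user_agents,
                     source_multiplier=2, layer7_multiplier=2):
    """Sum the weighted packet count per source IP for one window of traffic."""
    counts = defaultdict(int)
    for src, user_agent in packets:
        counts[src] += effective_weight(src, user_agent, flagged_sources,
                                        flagged_user_agents,
                                        source_multiplier, layer7_multiplier)
    return dict(counts)


def violating_sources(counts, most_active_source_threshold):
    """Sources whose effective count exceeds the per-source threshold (sorted for stable output)."""
    return sorted(src for src, count in counts.items()
                  if count > most_active_source_threshold)


def min_rate_to_violate(most_active_source_threshold, multiplier):
    """Smallest packets/second a flagged source can send and still exceed the threshold."""
    return most_active_source_threshold // multiplier + 1


if __name__ == "__main__":
    # Constructed sample window: one flagged source at 26 pps, one unflagged at 50 pps.
    flagged = {"198.51.100.7"}
    packets = [("198.51.100.7", "Mozilla/5.0")] * 26 + [("203.0.113.5", "Mozilla/5.0")] * 50
    counts = effective_counts(packets, flagged, set(), source_multiplier=4)
    print(counts)                                      # {'198.51.100.7': 104, '203.0.113.5': 50}
    print(violating_sources(counts, 100))              # ['198.51.100.7']
    print(min_rate_to_violate(100, 4))                 # 26
    # Compounded case from the table: source multiplier 4, Layer 7 multiplier 64.
    print(effective_weight("198.51.100.7", "flood-UA", flagged, {"flood-UA"}, 4, 64))  # 256
```

Run as a script it prints the per-source effective counts and which source violates the 100 packets/second threshold; the same functions can be called on any captured window of (source, User-Agent) pairs to see how the multipliers change which sources cross the line.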