Using the Flood Drops graphs
Use the Flood Drops graphs to monitor drops due to SPP packet rate thresholds that detect flood attacks.
Customize the graph with the following viewing parameters: SPP, Reporting Period (1-hr to 1-yr), Linear/Logarithmic Y-Axis.
Placing the cursor on the Monitor graph will display a tool-tip with additional information.
For many parameters additional information will be see in the Traffic Monitor Graphs.
Before you begin:
- You must have Read permission for the Monitor menu.
- Refer to Reading Monitor graphs to understand the graphs in detail.
To display the graph:
- Go to Monitor > Drops Monitor > SPP > Flood Drops Tab > [SPP] [Aggregate/Layer 3/4/7] [Y-Axis View] [Reporting Period].
The following summarizes the statistics displayed in the graphs.
Statistic |
Description |
---|---|
Aggregate |
|
Layer 3 |
Aggregation of drops due to SPP Layer 3 thresholds. |
Layer 4 |
Aggregation of drops due to SPP Layer 4 thresholds. |
Layer 7 |
Aggregation of drops due to SPP Layer 7 thresholds. |
Layer 3 |
|
Protocols |
Aggregation of drops due to protocols thresholds. These counters track the packet rate for each protocol. |
Fragmented Packets |
Drops due to the SPP Fragment thresholds (TCP/UDP/Other Protocols). |
Source Flood |
Drops due to the SPP Most Active Source (MAS) threshold. This counter tracks dropped packets from source IP addresses. |
Destination Flood |
Drops due to the SPP Most Active Destination (MAD) threshold. This counter tracks dropped packets to protected IP addresses. Note: The Most Active Destination Threshold is set to system maximum by System Recommendations. |
Layer 4 |
|
SYN |
Drops due to the SPP SYN threshold. This counter shows drops due to SYN (Source IP) Validation for the aggregate rate of all SYNs into the SPP. Further SYN detail is available in the Traffic Monitor > Layer 4 graphs |
SYN/ACK Flood in asymmetric mode |
Drops due to the SPP inbound SYN/ACK threshold. This counter shows drops due to SYN/ACK for the aggregate over-threshold rate to all Protected Subnets within the SPP. Note this Threshold is only available and graphed when:
Further SYN/ACK in Asym Mode detail may be available in the Traffic Monitor > Layer 4 graphs. |
SYN/ACK per Destination Flood in asymmetric mode |
Drops due to the SPP inbound SYN/ACK per Destination threshold. This counter shows drops due to SYN/ACK per Destination for the over-threshold rate to any Protected IP within the SPP. Note this Threshold is only available and graphed when:
Further SYN/ACK per Destination in Asym Mode detail may be available in the Traffic Monitor > Layer 4 graphs. |
TCP Ports |
Aggregation of drops due to the SPP rate-limiting thresholds for TCP ports. |
UDP Ports |
Aggregation of drops due to the SPP rate-limiting thresholds for UDP ports. |
ICMP Types/Codes |
Aggregation of drops due to the SPP rate-limiting thresholds for ICMP types/codes. |
Zombie Flood |
Drops due to the SPP New Connections threshold, which sets a limit for legitimate IPs. FortiDDoS assumes a zombie flood is underway when the number of allowed legitimate IP addresses during a SYN flood exceeds a set threshold. These packets indicate that non-spoofed IP addresses are creating a DDoS attack by generating a large number SYN packets. Note: The New Connections Threshold is set to system maximum by System Recommendations. |
SYN Per Source |
Drops due to the SPP SYN per Source threshold. This counter shows drops due to SYN per Source IP rate limiting within the SPP. No SYN Validation is done for SYN per Source. Further SYN per Source detail is available in the Traffic Monitor > Layer 4 graphs. |
Concurrent Connections Per Source |
Drops due to the SPP Concurrent Connections per Source rate-limiting threshold. |
SYN Per Destination |
Drops due to the SPP SYN per Destination threshold. This counter shows drops due to SYN Validation for over-threshold Protected IPs (Destinations) within the SPP. Further SYN per Destination detail is available in the Traffic Monitor > Layer 4 graphs |
Slow Connection |
Drops due to SPP slow connection detection and blocking of identified sources of slow connection attacks. |
Layer 7 |
|
Aggregate |
Display of aggregate Flood drops for:
|
HTTP |
Display of Flood drops due to HTTP thresholds for:
|
SSL/TLS |
Display of SSL/TLS Incomplete Request Source Flood drops for the SSL Renegotiation Threshold and Aging Timer in the SSL/TLS Profile. |
DNS Validation |
Display of drops due to DNS thresholds:
|
DNS Threshold |
Display of drops due to DNS thresholds:
|
DNSSEC |
Display of drops due to DNS thresholds:
|
NTP |
Display of drops due to NTP thresholds:
|
DTLS |
Display of drops due to DTLS thresholds:
|
QUIC |
Display of drops due to QUIC thresholds:
|
Video Conference |
Display of drops due to Zoom UDP Thresholds. |