Top Attacks
The DDoS Top Attacks dashboard provides insight into the attacks that have been mitigated by the Global or any Service Protection Policy.
The Top Attacks page shows the top 20 attack events in each table. The smallest events in some tables may not be large enough to appear in the Attacks summary table. If in doubt, use the “Detail” icons in the tables described below to get further details or go to Log & Report > Logs > DDoS Attack Log tab for all attack events.
Dashboard: TOP ATTACKS > Global
The Global dashboard displays a summary of drop events caused by any ACL created via the following:
- Global Protection > Access Control List entries, including:
  - IPv4/IPv6 IP/subnets
  - IPv4/IPv6 IP/subnet groups
  - IPv4/IPv6 Services (Protocols or Layer 4 TCP or UDP Ports)
  - IPv4/IPv6 Service Groups
- Global Protection > Blocklist IPv4 files/entries
- Global Protection > Blocklist Domain files/entries
Summary page
Column | Description |
---|---|
Attack | Description of the drop event type. |
Drops | Count of all drops for all matching events for the Period. |
Events | Number of events for the Period. |
(Detail icon) | Click to display a summary list of all events associated with that attack event type. |
Filter the Summary tables with the following settings:
Setting | Description |
---|---|
Direction | Select the direction from the drop-down menu: Inbound is the default direction. |
Period | Select the period from the drop-down menu: 1 Hour is the default period. Note: All periods are calculated backwards from the current time. |
Click the (PDF icon) to produce a PDF version of the Summary page with the table and pertinent system information.
From the Details tab, you can view the Summary event list. Click the (Detail icon) to view further detail per item. The example shown below is a pre-filtered view of the Log & Report: LOG ACCESS > Logs: DDoS Attack Log page. For more information on the contents of the tables, see Working with the FortiDDoS attack log.
Dashboard: TOP ATTACKS > SPP
The Top Attacks > SPP page offers a number of tables with attack event summaries pre-sorted in different ways for concise information.
Filter the SPP tables with the following settings:
Setting | Description |
---|---|
Direction | Select the direction from the drop-down menu: Inbound is the default direction. |
Period | Select the period from the drop-down menu: 1 Hour is the default period. Note: All periods are calculated backwards from the current time. |
SPP | Drop-down of configured SPP names plus default SPP. |
Click the (PDF icon) to produce a PDF version of the page with all associated tables and pertinent system information.
SPP Tables
Tables on the Top Attacks > SPP page provide attack data ranging from a summary of all attacks and ACLs for all SPPs to detailed parameters per SPP, such as UDP Reflection Ports. Each table is described below.
From Release 6.5.0 all tables show directionality.
From Release 6.6.0, some tables provide direct links to matching Monitor graphs as shown in the screenshot below.
Click the Graph Link icon to navigate directly to the matching Monitor graph.
When done with the graph, click the browser’s “back” button to return to the Top Attacks page.
Tables supporting direct links to Monitor graphs:
- Attacks (some attacks that have unique graphs)
- Attacked Protocols (all Protocols shown)
- Attacked TCP Ports (all ports shown)
- Attacked UDP Ports (all ports shown)
- Attacked (Attacking) UDP Reflections Ports (all ports shown)
- Attacked ICMP Types/Codes (all Types/Codes shown)
Attacked SPPs
No matter which SPP is selected in the filter, this table shows a summary of all drops for all SPPs configured in the system.
Column | Description |
---|---|
SPP | SPP Name. |
Direction | Inbound/Outbound based on the option at the top of the Top Attacks page. |
Drops | Drop counts for all events for the SPP, based on the Period option at the top of the Top Attacks page. |
Events | Number of all events for the selected SPP and Period. |
(Detail icon) | Opens a pre-filtered Attack Log summary list with event summaries. Within the summary list, you can drill down further with the (Detail icon) for more information. |
Attacks Detail attack log summary list:
SPPs with Denied Packets
No matter which SPP is selected in the filter, this table shows a summary of all ACL drops for all SPPs configured in the system.
In the example below, ACLs have been configured in the Service Protection Profile (not Global).
Column | Description |
---|---|
SPP | SPP Name. |
Direction | Inbound/Outbound based on the option at the top of the Top Attacks page. |
Drops | Drop counts for all events for the SPP, based on the Period option at the top of the Top Attacks page. |
Events | Number of all events for the selected SPP and Period. |
(Detail icon) | Opens a pre-filtered Attack Log summary list with event summaries. Within the summary list, you can drill down further with the (Detail icon) for more information. |
Attacks
Displays the Top Attacks over the Period for the selected SPP.
Column | Description |
---|---|
Graph Link | Link directly to related Monitor graph. / Link to graph not available. |
SPP | SPP Name. |
Direction | Inbound/Outbound |
Drops | Drop counts for all events for the SPP, based on the Period option at the top of the Top Attacks page. |
Events | Number of all events for the selected SPP and Period. |
(Detail icon) | Opens a pre-filtered Attack Log summary list with event summaries. Within the summary list, you can drill down further with the (Detail icon) for more information. |
ACL Attacks
Displays the ACL Attacks over the Period for the selected SPP.
Column | Description |
---|---|
Attack | Attack event name. |
Direction | Inbound/Outbound |
SPP | SPP Name. |
Drops | Drop counts for all events for the SPP, based on the Period option at the top of the Top Attacks page. |
Events | Number of all events for the selected SPP and Period. |
(Detail icon) | Opens a pre-filtered Attack Log summary list with event summaries. Within the summary list, you can drill down further with the (Detail icon) for more information. |
Attacked Destinations
Displays the Top Attacks per Protected IP address over the Period, contained in the Protection Subnets for the selected SPP.
Column | Description |
---|---|
Protected IP | The Destination IP for inbound drops. The Source IP for outbound drops. |
SPP | SPP Name. |
Direction | Inbound/Outbound |
Drops | Drop counts for all events for the SPP, based on the Period option at the top of the Top Attacks page. |
Events | Number of all events for the selected SPP and Period. |
(Detail icon) | Opens a pre-filtered Attack Log summary list with event summaries. Within the summary list, you can drill down further with the (Detail icon) for more information. |
Attackers
Displays the Top Attacks per identified Source IP address for the SPP over the Period.
This table includes any dropped traffic from attack events that provide Source IP information. Use the Detail icon to open a summary list, and then the Detail icon on each line of the summary list to get complete details of the Source IP and attack event.
Column | Description |
---|---|
IP | The Destination IP for inbound drops. The Source IP for outbound drops. |
SPP | SPP Name. |
Direction | Inbound/Outbound |
Drops | Drop counts for all events for the SPP, based on the Period option at the top of the Top Attacks page. |
Events | Number of all events for the selected SPP and Period. |
(Detail icon) | Opens a pre-filtered Attack Log summary list with event summaries. Within the summary list, you can drill down further with the (Detail icon) for more information. |
Protocols
Displays the Top Attacked Layer 3 Protocols for the SPP over the Period.
This table is specific to Protocol Threshold violations and does not include drops from other types of attacks. For example, a UDP Port flood is shown in the Top Attacked UDP Ports table and will not show here.
Column | Description |
---|---|
Protocol | The Layer 3 Protocol number and name (if available). |
Graph Link | Link directly to related Monitor graph. |
SPP | SPP Name. |
Direction | Inbound/Outbound |
Drops | Drop counts for all events for the SPP, based on the Period option at the top of the Top Attacks page. |
Events | Number of all events for the selected SPP and Period. |
(Detail icon) | Opens a pre-filtered Attack Log summary list with event summaries. Within the summary list, you can drill down further with the (Detail icon) for more information. |
Attacked TCP Ports
Displays the Top Attacked TCP Ports for the SPP over the Period. The table specifically shows drops from TCP Port Threshold violations.
Column | Description |
---|---|
Port | The TCP Port number and any known applications associated with that port. |
Graph Link | Link directly to related Monitor graph. |
SPP | SPP Name. |
Direction | Inbound/Outbound |
Drops | Drop counts for all events for the SPP, based on the Period option at the top of the Top Attacks page. |
Events | Number of all events for the selected SPP and Period. |
(Detail icon) | Opens a pre-filtered Attack Log summary list with event summaries. Within the summary list, you can drill down further with the (Detail icon) for more information. |
Attacked UDP Ports
Displays the Top Attacked UDP Ports for the SPP over the Period.
Column | Description |
---|---|
Port | The UDP Port number and any known applications associated with that port. |
Graph Link | Link directly to related Monitor graph. |
SPP | SPP Name. |
Direction | Inbound/Outbound |
Drops | Drops from UDP Port Threshold violations. This may include: |
Events | Number of all events for the selected SPP and Period. |
(Detail icon) | Opens a pre-filtered Attack Log summary list with event summaries. Within the summary list, you can drill down further with the (Detail icon) for more information about what caused the drops. |
Attacked UDP Reflection Ports
Displays the Top Attacking UDP Reflection (Source) Ports for the SPP over the Period.
Column | Description |
---|---|
Port | The UDP Source Port number and any known applications associated with that port. |
Graph Link | Link directly to related Monitor graph. |
SPP | SPP Name. |
Direction | Inbound/Outbound |
Drops | Drops from UDP Port Threshold violations. This may include: |
Events | Number of all events for the selected SPP and Period. |
(Detail icon) | Opens a pre-filtered Attack Log summary list with event summaries. Within the summary list, you can drill down further with the (Detail icon) for more information about what caused the drops. |
Top Attacked ICMP Types/Codes
Displays the Top Attacked ICMP Types and Codes for the SPP over the Period.
Column | Description |
---|---|
Type:Code | The Type (0-255) and Code (0-255) of the drops. |
Graph Link | Link directly to related Monitor graph. |
SPP | SPP Name. |
Direction | Inbound/Outbound |
Drops | Drop counts for all events for the SPP, based on the Period option at the top of the Top Attacks page. |
Events | Number of all events for the selected SPP and Period. |
(Detail icon) | Opens a pre-filtered Attack Log summary list with event summaries. Within the summary list, you can drill down further with the (Detail icon) for more information. |
Attacked DNS Servers
Displays the Top Attacked DNS Servers in the SPP over the Period.
This table displays any drops associated with UDP or TCP Destination or Source Port 53, including Query and Response Thresholds, DNS Anomalies, Query/Response matching, etc.
Attackers use various DNS attacks on many types of infrastructure and services, so the Protected IPs shown in the IP column may not be DNS servers. Use the Detail icon for further information.
Column | Description |
---|---|
IP | The Destination IP for inbound drops. The Source IP for outbound drops. |
SPP | SPP Name. |
Direction | Inbound/Outbound |
Drops | Drop counts for all events for the SPP, based on the Period option at the top of the Top Attacks page. |
Events | Number of all events for the selected SPP and Period. |
(Detail icon) | Opens a pre-filtered Attack Log summary list with event summaries. Within the summary list, you can drill down further with the (Detail icon) for more information. |
Attacked HTTP Servers
Displays the Top Attacks per Protected IP address for HTTP Servers in the SPP, over the Period.
This table includes any dropped traffic destined for Port 80 or any customer-defined HTTP Service Port. IP addresses shown here may not be HTTP servers, since attackers can send traffic to Port 80 on non-HTTP servers, attempting to evade protections.
Column | Description |
---|---|
IP | The Destination IP for inbound drops. The Source IP for outbound drops. |
SPP | SPP Name. |
Direction | Inbound/Outbound |
Drops | Drop counts for all events for the SPP, based on the Period option at the top of the Top Attacks page. |
Events | Number of all events for the selected SPP and Period. |
(Detail icon) | Opens a pre-filtered Attack Log summary list with event summaries. Within the summary list, you can drill down further with the (Detail icon) for more information. |
Attacked HTTP URLs | Hosts | Cookies | Referers | User Agents
Multiple tables displaying the Top Attacked HTTP URLs | Hosts | Cookies | Referers | User Agents for the SPP over the Period.
Column | Description |
---|---|
HTTP: URLs, Hosts, User Agents, Referers, Cookies | The hashed index number of the HTTP URLs, Hosts, User Agents, Referers, and Cookies. This does not include the full text. If you need assistance with the various HTTP hashes, contact FortiCare. |
SPP | SPP Name. |
Direction | Inbound/Outbound |
Drops | Drop counts for all events for the SPP, based on the Period option at the top of the Top Attacks page. |
Events | Number of all events for the selected SPP and Period. |
(Detail icon) | Opens a pre-filtered Attack Log summary list with event summaries. Within the summary list, you can drill down further with the (Detail icon) for more information. |
Attacked HTTP Methods
Displays the Top Attacked HTTP Methods for the SPP over the Period.
Column | Description |
---|---|
HTTP Method | Which of the 8 HTTP Methods were used in the attack: GET, POST, HEAD, OPTIONS, TRACE, PUT, CONNECT, DELETE. |
SPP | SPP Name. |
Direction | Inbound/Outbound |
Drops | Drop counts for all events for the SPP, based on the Period option at the top of the Top Attacks page. |
Events | Number of all events for the selected SPP and Period. |
(Detail icon) | Opens a pre-filtered Attack Log summary list with event summaries. Within the summary list, you can drill down further with the (Detail icon) for more information. |