User Guide

DDoS prevention

FortiWeb Cloud DDoS prevention is a service that protects you against high-volume DDoS attacks.

A Distributed Denial of Service attack (DDoS attack) is a cyber attack in which an attacker attempts to overwhelm a web server/site, making its resources unavailable to its intended users. Most DDoS attacks use automated tools (not browsers) on one or more hosts to generate the harmful flood of requests to a web server.

DDoS attacks can be prevented at the Application layer (HTTP or HTTPS) and at the Network layer (TCP/IP).
Because public cloud platforms already perform basic Network layer TCP Flood Prevention checks upstream, by the time traffic reaches FortiWeb Cloud it only needs to detect DDoS attacks at the Application layer (HTTP or HTTPS).

To configure DDoS prevention, you must have already enabled this module in Add Modules. See How to add or remove a module.

Configuring application-layer DDoS prevention

For some DDoS prevention features, FortiWeb Cloud uses session management to track requests.

  1. When FortiWeb Cloud receives the first request from any client, it adds a session cookie to the response from the web server in order to track the session. The client will include the cookie in subsequent requests.
  2. If a client sends another request before the session timeout, FortiWeb Cloud examines the session cookie in the request.
    • If the cookie does not exist or its value has changed, FortiWeb Cloud drops the request.
    • If the same cookie exists, the request is treated as part of the same session. FortiWeb Cloud increments its count of connections and/or requests from the client. If the rate exceeds the limit, FortiWeb Cloud drops the extra connection or request.
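The following Python is an added illustration of the two steps above (it is not FortiWeb Cloud's own code): the first request from a client is issued a session cookie, a later request with a missing or changed cookie is dropped, and requests carrying the same cookie are counted per second against the HTTP Request Limit. The cookie name, the limit of 5 requests per second, the 60-second session timeout and the sample client address are assumed values for the demo.

```python
import secrets
from collections import defaultdict

COOKIE_NAME = "fwc_session"   # constructed placeholder; the page does not give the real cookie name


class SessionRateLimiter:
    """Models the session-cookie tracking and per-second request limit described above."""

    def __init__(self, request_limit=5, session_timeout=60.0):
        self.request_limit = request_limit      # HTTP Request Limit (requests per second), assumed
        self.session_timeout = session_timeout  # session timeout in seconds, assumed
        self.clients = {}                       # source IP -> (issued cookie, last-seen time)
        self.counts = defaultdict(int)          # (source IP, whole second) -> requests counted

    def handle(self, src_ip, cookies, now):
        """Decide one request: ('accept', cookie_to_set_or_None) or ('drop', reason)."""
        entry = self.clients.get(src_ip)
        if entry is None or now - entry[1] > self.session_timeout:
            # Step 1: first request (or expired session): issue a fresh session cookie
            token = secrets.token_hex(16)
            self.clients[src_ip] = (token, now)
            self.counts[(src_ip, int(now))] += 1
            return "accept", token
        issued, _ = entry
        if cookies.get(COOKIE_NAME) != issued:
            # Step 2a: cookie missing or its value changed: the request is dropped
            return "drop", "missing-or-modified-cookie"
        # Step 2b: same cookie, so count the request in its one-second bucket
        self.clients[src_ip] = (issued, now)
        bucket = (src_ip, int(now))
        self.counts[bucket] += 1
        if self.counts[bucket] > self.request_limit:
            return "drop", "request-limit-exceeded"
        return "accept", None


def simulate():
    """Constructed traffic: one client keeps its cookie, bursts past the limit, then tampers."""
    lim = SessionRateLimiter(request_limit=5)
    verdict, token = lim.handle("203.0.113.10", {}, 100.0)          # first request, cookie issued
    good = {COOKIE_NAME: token}
    burst = [lim.handle("203.0.113.10", good, 100.2 + i * 0.05)[0] for i in range(8)]
    tampered = lim.handle("203.0.113.10", {COOKIE_NAME: "x" * 32}, 100.9)
    return {"first": verdict, "accepted": burst.count("accept"),
            "dropped": burst.count("drop"), "tampered": tampered}
```

Within the same second the first request plus four of the burst fit under the limit of 5, the remaining four are dropped, and the request with an altered cookie value is dropped regardless of rate.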

You can configure the settings below to limit the number of HTTP requests and TCP connections.

HTTP Access Limit

Enable to limit the number of HTTP requests per second from a single source IP address.

HTTP Request Limit

Type the maximum number of HTTP requests per second allowed from each source IP address, treating each address as a single HTTP client.
For example, if loading a web page involves:

  • 1 HTML file request
  • 1 external JavaScript file request
  • 3 image requests

the rate limit should be at least 5; a multiple such as 10 or 15 allows 2 or 3 page loads per second from each client.

It's recommended to use an initial value of 1000.

Malicious IPs

Enable to limit the number of TCP connections with the same session cookie.

TCP Connection Number Limit

Type the maximum number of TCP connections allowed with a single HTTP client.

It's recommended to use an initial value of 100.

HTTP Flood Prevention

Enable to limit the number of HTTP connections with the same session cookie.

HTTP Request Limit

Type the maximum rate of requests per second allowed from a single HTTP client.

It's recommended to use an initial value of 500.

Challenge

  • Real Browser Enforcement—Specifies whether FortiWeb Cloud returns a JavaScript to the client to test whether it is a web browser or automated tool when it meets any of the specified conditions.
  • CAPTCHA Enforcement—Requires the client to successfully fulfill a CAPTCHA request.

Configuring actions

  1. From the top right corner, select the action that FortiWeb Cloud takes when it detects a violation of the rule.
    To configure the actions, you must first enable Advanced Configuration in Global > System Settings > Settings.

    Alert

    Accept the request and generate an alert email and/or log message.

    Alert & Deny

    Block the request (or reset the connection) and generate an alert email and/or log message.

    Deny (no log)

    Block the request (or reset the connection).

    Period Block

    Block the current request and all subsequent requests from the same client for the blocking period. The default blocking period is 10 minutes; you can configure this value to suit your needs.
