DDoS prevention
FortiWeb Cloud
A Distributed Denial of Service attack (DDoS attack) is a cyber attack in which an attacker attempts to overwhelm a web server/site, making its resources unavailable to its intended users. Most DDoS attacks use automated tools (not browsers) on one or more hosts to generate the harmful flood of requests to a web server.
DDoS attacks can be prevented at the application layer (HTTP or HTTPS) and at the network layer (TCP/IP).
Because public cloud platforms already perform basic network-layer TCP flood prevention checks in front of FortiWeb Cloud, FortiWeb Cloud itself only detects DDoS attacks at the application layer (HTTP or HTTPS).
To configure
Configuring application-layer DDoS prevention
For some
- When FortiWeb Cloud receives the first request from any client, it adds a session cookie to the response from the web server in order to track the session. The client will include the cookie in subsequent requests.
- If a client sends another request before the session timeout, FortiWeb Cloud examines the session cookie in the request.
- If the cookie does not exist or its value has changed, FortiWeb Cloud drops the request.
- If the same cookie exists, the request is treated as part of the same session. FortiWeb Cloud increments its count of connections and/or requests for that client. If the count or rate exceeds the configured limit, FortiWeb Cloud drops the extra connection or request.
You can configure the settings below to limit the number of HTTP requests and TCP connections.
| Setting | Description |
|---|---|
| HTTP Access Limit | Enable to limit the number of HTTP requests per second from a single source IP address. |
| HTTP Request Limit | Type the maximum number of HTTP requests per second allowed from each source IP address (treated as a single HTTP client). The rate limit should be at least 5, but could be a multiple such as 10 or 15 in order to allow 2 or 3 page loads per second from each client. It's recommended to use an initial value of 1000. |
| Malicious IPs | Enable to limit the number of TCP connections with the same session cookie. |
| TCP Connection Number Limit | Type the maximum number of TCP connections allowed for a single HTTP client (one session cookie). It's recommended to use an initial value of 100. |
| HTTP Flood Prevention | Enable to limit the number of HTTP requests per second with the same session cookie. |
| HTTP Request Limit | Type the maximum rate of requests per second allowed from a single HTTP client (one session cookie). It's recommended to use an initial value of 500. |
| Challenge | |
Configuring actions
- Select, from the top right corner, the action that FortiWeb Cloud takes when it detects a violation of the rule.
To configure the actions, you must first enable Advanced Configuration in Global > System Settings > Settings.
| Action | Description |
|---|---|
| Alert | Accept the request and generate an alert email and/or log message. |
| Alert & Deny | Block the request (or reset the connection) and generate an alert email and/or log message. |
| Deny (no log) | Block the request (or reset the connection) without generating a log message. |
| Period Block | Block the current request and all subsequent requests from the same client for the blocking period. The default blocking period is 10 minutes; you can configure this value according to your own needs. |