How to block the ongoing DDoS attack

To defend against a DDoS attack, first identify the characteristics of the HTTP requests it generates, then add security rules that match those characteristics. The following steps describe how to analyze the attack and set up rules to block it:

STEP 1: Limiting the frequency and blocking source IP addresses

Check the server's HTTP access logs to examine the frequency and source IP address of requests. Attackers often flood the server with a large number of fake requests, so it is possible to identify malicious requests based on their frequency and source IP address.

The following rules can be set on FortiWeb Cloud to limit the frequency and block the source IPs:

  • DDoS Prevention

    Set up rules that limit the rate of HTTP requests and the number of TCP connections from a single source (e.g., set the limit to 50). Start from a threshold that legitimate clients do not normally reach, compare it against the per-source request rates observed in the access logs, and tighten it only once the attack pattern is confirmed.

    For more information, see DDoS prevention.

  • Access Rules > IP Protection

  1. Enable IP Reputation to block clients based on up-to-date threat intelligence.
  2. Select the countries the attack originates from to apply geo-IP blocking.
  3. Add the attacking source IP addresses to the IP List. Attack sources often rotate, so re-check the access logs after adding a batch of addresses.
    Note that source IP blocking can also be configured in Advanced Applications > Custom Rule.

For more information, see IP Protection.

STEP 2: Blocking requests based on user-agent, parameters, HTTP headers, etc.

  • Analyze the User-Agent field of the HTTP requests. Attack tools often send custom, outdated, or empty User-Agent strings to hide their identity, so identify the values that appear almost exclusively in the flood.

  • Check the URL paths and parameters in the HTTP requests. Attackers may repeatedly request specific parameters or paths to try to bypass security measures (e.g., look for commonly targeted paths such as 'wp-admin').

  • Use an HTTP header analyzer to examine the request headers in the attack, such as Accept-Encoding and Content-Encoding. Attack tools tend to send unusual or inconsistent header combinations, and attackers may use compression to hide malicious content.

To target the attack accurately, add filters that combine these characteristics (source IP, User-Agent, URL, parameter, header) in Advanced Applications > Custom Rule and set the action to Period Block. Combining several conditions in one rule reduces the chance of blocking legitimate clients that share only one attribute with the attack traffic.

For more information, see Custom Rule.
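The log analysis that Steps 1 and 2 rely on can be scripted. The following is an added example, not part of the FortiWeb Cloud documentation: it parses web server access logs in the Apache/nginx combined format, finds the sources whose peak per-second request rate exceeds a limit (50, matching the example threshold above), and summarizes the User-Agents, URL paths and parameter names those sources have in common, which are the values to put into the DDoS Prevention and Custom Rule settings. The log lines are constructed for the example and use documentation-only IP ranges; the function names are the example's own.

```python
"""Triage an access log to extract the characteristics of an HTTP flood.
Added illustration: the log lines produced by build_sample_log() are
constructed for this example, not taken from a real incident."""
import re
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" log format: client IP, timestamp, request line,
# status, response size, Referer, User-Agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def build_sample_log():
    """Constructed sample: one flooding source plus two ordinary browsers."""
    lines = []
    # Attacker: 80 requests within the same second, scripted User-Agent,
    # hammering a WordPress endpoint with a fixed parameter set.
    for i in range(80):
        lines.append(
            '203.0.113.10 - - [10/Mar/2024:12:00:01 +0000] '
            f'"POST /wp-admin/admin-ajax.php?action=heartbeat&n={i} HTTP/1.1" '
            '200 512 "-" "python-requests/2.31.0"'
        )
    # Legitimate users: a handful of requests spread over several seconds.
    for sec in range(1, 6):
        lines.append(
            f'198.51.100.7 - - [10/Mar/2024:12:00:0{sec} +0000] '
            '"GET /index.html HTTP/1.1" 200 2048 "-" '
            '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/123.0"'
        )
    lines.append(
        '192.0.2.44 - - [10/Mar/2024:12:00:03 +0000] '
        '"GET /search?q=shoes HTTP/1.1" 200 4096 "-" '
        '"Mozilla/5.0 (X11; Linux x86_64) Chrome/122.0"'
    )
    return "\n".join(lines)


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
        parts = urlsplit(rec["url"])
        rec["path"] = parts.path
        rec["params"] = sorted(parse_qs(parts.query).keys())
        records.append(rec)
    return records


def peak_rate_per_source(records):
    """Highest number of requests each source sent within any single second.
    This is the figure to compare against a per-source request limit."""
    per_second = defaultdict(Counter)
    for rec in records:
        per_second[rec["ip"]][rec["ts"].replace(microsecond=0)] += 1
    return {ip: max(counts.values()) for ip, counts in per_second.items()}


def flooding_sources(records, limit=50):
    """Sources whose peak rate exceeds `limit` requests per second."""
    return sorted(ip for ip, rate in peak_rate_per_source(records).items()
                  if rate > limit)


def attack_profile(records, sources):
    """What the flooding sources have in common: User-Agents, paths and
    parameter names. These become the conditions of a custom rule."""
    hits = [r for r in records if r["ip"] in sources]
    return {
        "user_agents": Counter(r["ua"] for r in hits).most_common(3),
        "paths": Counter(r["path"] for r in hits).most_common(3),
        "params": Counter(p for r in hits for p in r["params"]).most_common(3),
    }


if __name__ == "__main__":
    recs = parse_log(build_sample_log())
    bad = flooding_sources(recs)
    print("flooding sources:", bad)
    for key, values in attack_profile(recs, bad).items():
        print(f"{key}: {values}")
```

Run it against a real log by replacing build_sample_log() with the file contents. The sources it reports go into the IP List, the peak rates show whether a limit of 50 would catch the flood without touching the legitimate clients, and the User-Agent, path and parameter values are the filters to combine in a custom rule.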

STEP 3: Blocking bots

  • Some DDoS attacks come from known bots. Enable the bot categories that match the attack in Bot Mitigation > Known Bots and set the action to Period Block. For more information, see Known Bots.

  • Bot Mitigation > ML Based Bot Detection

Enable Machine Learning Based Bot Detection. This complements the existing signature and threshold-based rules to detect sophisticated bots that can otherwise go undetected. For more information, see ML Based Bot Detection.
