
User Guide

DDoS prevention

FortiWeb Cloud DDoS prevention is a service that protects you against high-volume DDoS attacks.

A Distributed Denial of Service attack (DDoS attack) is a cyber attack in which an attacker attempts to overwhelm a web server/site, making its resources unavailable to its intended users. Most DDoS attacks use automated tools (not browsers) on one or more hosts to generate the harmful flood of requests to a web server.

With the public cloud infrastructure in front providing the first layer of defense against volumetric attacks, FortiWeb Cloud enhances DDoS protection by focusing on sophisticated attacks targeting the application layer, such as low and slow attacks. Together they provide protection for the full range of layer 3-7 DDoS attack types. Additionally, the Fortinet operations team adds network and application protection customizations in real time to help protect against the most sophisticated DDoS threats.

To configure DDoS prevention, you must have already enabled this module in Add Modules. See How to add or remove a module.

Configuring application-layer DDoS prevention

For some DDoS prevention features, FortiWeb Cloud uses session management to track requests.

  1. When FortiWeb Cloud receives the first request from any client, it adds a session cookie to the response from the web server in order to track the session. The client will include the cookie in subsequent requests.
  2. If a client sends another request before the session timeout, FortiWeb Cloud examines the session cookie in the request.
    • If the cookie does not exist or its value has changed, FortiWeb Cloud drops the request.
    • If the same cookie exists, the request is treated as part of the same session. FortiWeb Cloud increments its count of connections and/or requests from the client. If the rate exceeds the limit, FortiWeb Cloud drops the extra connection or request.
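As an added illustration (not FortiWeb Cloud's own code), the following Python models the two steps above: a session cookie issued on a client's first request, then a per-second request count for that client once the same cookie is presented, with requests dropped when the cookie is missing or altered or when the rate exceeds the limit. The cookie name, the session timeout and the sample traffic are assumptions; the helper uses the page-load sizing from HTTP Request Limit below (5 requests per page load) to show that a limit of 10 admits two page loads in one second and drops the remainder of a third.

```python
import secrets
from collections import deque

# Constructed model for illustration only; not FortiWeb Cloud's implementation.
COOKIE_NAME = "session"  # assumed name; the page does not state the real cookie name


class SessionRateLimiter:
    """Steps 1 and 2 above: issue a session cookie on a client's first request,
    then require the same cookie and count requests per second per client."""

    def __init__(self, request_limit, session_timeout=60.0):
        self.request_limit = request_limit      # HTTP Request Limit (requests per second)
        self.session_timeout = session_timeout  # assumed idle timeout, in seconds
        self.sessions = {}                      # client IP -> {"cookie", "last_seen", "times"}

    def handle(self, client_ip, cookies, now):
        """Return (verdict, cookie_to_set); verdict is 'accept' or 'drop'."""
        sess = self.sessions.get(client_ip)
        # Step 1: first request, or the old session timed out: issue a fresh cookie.
        if sess is None or now - sess["last_seen"] > self.session_timeout:
            value = secrets.token_hex(8)
            self.sessions[client_ip] = {"cookie": value, "last_seen": now, "times": deque([now])}
            return "accept", value
        sess["last_seen"] = now
        # Step 2, first bullet: cookie missing or its value changed -> drop.
        if cookies.get(COOKIE_NAME) != sess["cookie"]:
            return "drop", None
        # Step 2, second bullet: same cookie -> count requests in the trailing one-second window.
        times = sess["times"]
        while times and now - times[0] >= 1.0:
            times.popleft()
        if len(times) >= self.request_limit:
            return "drop", None                 # rate exceeded: the extra request is dropped
        times.append(now)
        return "accept", None


def simulate_page_loads(limit, loads, requests_per_load=5):
    """Constructed traffic: `loads` page loads of `requests_per_load` requests each,
    all from one client within a single second. Returns how many were accepted."""
    limiter = SessionRateLimiter(request_limit=limit)
    ip = "203.0.113.10"                          # documentation address (RFC 5737)
    _, cookie = limiter.handle(ip, {}, 0.0)      # first request: cookie issued
    accepted = 1
    total = loads * requests_per_load
    for i in range(1, total):
        verdict, _ = limiter.handle(ip, {COOKIE_NAME: cookie}, i / total)
        accepted += verdict == "accept"
    return accepted
```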

You can configure settings below to limit the number of HTTP requests and TCP connections.

HTTP Access Limit

Enable to limit the number of HTTP requests per second from a certain IP.

HTTP Request Limit

Type a rate limit for the maximum number of HTTP requests per second from each source IP address, that is, from a single HTTP client.
For example, if loading a web page involves:

  • 1 HTML file request
  • 1 external JavaScript file request
  • 3 image requests

The rate limit should be at least 5, but could be some multiple such as 10 or 15 in order to allow 2 or 3 page loads per second from each client.

It's recommended to use an initial value of 1000.

Malicious IPs

Enable to limit the number of TCP connections with the same session cookie.

TCP Connection Number Limit

Type the maximum number of TCP connections allowed with a single HTTP client.

It's recommended to use an initial value of 100.

HTTP Flood Prevention

Enable to limit the number of HTTP connections with the same session cookie.

HTTP Request Limit

Type the maximum rate of requests per second allowed from a single HTTP client.

It's recommended to use an initial value of 500.

Challenge

  • Real Browser Enforcement—Specifies whether FortiWeb Cloud returns JavaScript to the client, to test whether it is a web browser or an automated tool, when the client meets any of the specified conditions.
  • CAPTCHA Enforcement—Requires the client to successfully fulfill a CAPTCHA request.

Configuring actions

  1. From the top right corner, select the action that FortiWeb Cloud takes when it detects a violation of the rule.
    To configure the actions, you must first enable the Advanced Configuration in Global > System Settings > Settings.

    Alert

    Accept the request and generate an alert email and/or log message.

    Alert & Deny

    Block the request (or reset the connection) and generate an alert email and/or log message.

    Deny (no log)

    Block the request (or reset the connection).

    Period Block

    Block the current request and all subsequent requests from the same client for the blocking period. The default blocking period is 10 minutes; you can configure this value according to your own needs.
