Technical Tip: TCP port flood triggered due to network speedtest

Symptom:

1. The speedtest result is incomplete or stopped halfway.
2. The speedtest results do not reflect the network bandwidth capability.

Client connects to Speedtest servers using various ports, mostly high-numbered TCP ports(outbound), and in some cases, network speedtest servers like Speedtest.com uses port 8080 for data transfer(inbound); to measure throughput, when standard ports like 80 or 443 are saturated with other traffic. TCP/8080 commonly used as an alternative HTTP port to avoid issues with firewalls or proxy filters.

FortiDDoS monitors and enforces thresholds as per learned traffic statistics. A sudden inbound traffic spike on such a port would result in dropped packets.

Sample of Inbound TCP/8080 traffic Ingress and Egress Max Packet Rate(MPR) when speedtest is performed.

Reproduction:

1. Use iPerf to simulate a network speedtest in a 1Gbps link.
2. Results are degraded with inbound TCP/8080 traffic dropped due to TCP port flood.

Note:

The speedtest TCP behavior that looks suspicious could also be dropped by 'Sequence Validation' and 'Foreign Packet Validation' when enabled in TCP Profile.

Solution:
Increase the threshold to the appropriate Ingress MPR observed in the monitor graph.

Result:
Obtain a positive result with the download throughput test using TCP/8080.

Related documents:

Appendix A: DDoS Attack Log Reference

Technical Tip: FortiDDoS commands to open a new ticket to TAC

Understanding FortiDDoS rate limiting thresholds - FortiDDOS-F handbook