Technical Tip: How to tune DDoS policies
Description
Solution
The first thing to understand when applying DoS policies is that they do not rely on the stateful properties of the firewall: traffic like the following is evaluated regardless of whether it is entering or leaving the FortiGate.
diagnose sniffer packet Vlan_11 'port 80 and tcp[tcpflags] == tcp-syn' 1 25
interfaces=[Vlan_11]
filters=[port 80 and tcp[tcpflags] == tcp-syn]
0.876904 10.95.13.204.24088 -> 10.95.136.204.80: syn 3585436935
0.894848 10.95.4.223.7273 -> 10.95.128.117.80: syn 2436279189
0.947586 10.95.10.90.5871 -> 10.95.132.100.80: syn 1124757321
0.972220 10.95.5.29.26781 -> 10.95.128.217.80: syn 2500978264
Apply DoS policies following the recommendations below.
To protect servers from DoS attacks from the Internet:
- Configure only the servers as a destination for the traffic. Use 'Address' objects, not VIPs.
- Set the services provided by the server, e.g. HTTP, HTTPS, SMTP.
- Configure only the anomalies that will match the services of the server(s). For example, if the server provides SMTP access only, use any combination of the following anomalies:
- tcp_syn_flood
- tcp_src_session
- ip_src_session
- When selecting the interface in the DoS policy, note that an SD-WAN zone can be selected starting from v7.6.1 GA.
- Configure the thresholds for 'normal' usage: for a given client, a normal number 'x' of sessions from a single source. For example:
config firewall DoS-policy
    edit 1
        set interface "wan1"
        set srcaddr "all"
        set dstaddr "200.201.202.1"
        set service "SMTP"
        config anomaly
            edit "tcp_src_session"
                set status enable
                set action block
                set quarantine attacker
                set quarantine-expiry 10
                set quarantine-log enable
                set threshold 100
            next
        end
    next
end
If the threshold is measured in packets per second, the Block action prevents anomalous traffic from overwhelming the firewall in two ways:
- continuous (default): block packets once an anomaly is detected, and continue to block packets while the rate is above the threshold.
- periodical: after an anomaly is detected, allow the configured number of packets per second.
To configure the block action for rate-based anomaly sensors:
config ips global
    set anomaly-mode (continuous | periodical)
end
Every service has its characteristics of what is considered 'normal'.
If tcp_dst_session or ip_dst_session are used on a server-protection policy, the threshold caps the total number of concurrent sessions the server can handle from all clients combined, which is exactly the effect a Denial of Service attack aims for.
If the intention is to protect the FortiGate from the effects of a worm in the local network, use the following recommendations:
- Set local networks as sources (do not use 'all').
- Use 'all' as the destination and 'any' as the service.
- Configure the anomalies that the workstations should not process:
- tcp_syn_flood
- tcp_dst_session
- ip_dst_session
- tcp_port_scan
- In the case of UDP and some tcp_src anomalies, consider that part of that traffic could be generated legitimately by torrent or Skype software.
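The worm-protection recommendations above, written out as a complete CLI example. This is an added example and not configuration from the original article: the interface name "internal", the address object "LAN_net" covering 10.95.0.0/16 (chosen to match the sniffer output earlier on the page) and the threshold values are assumptions to be replaced with values measured in the local environment.

```fortios
# Added example (not from the original article). Names and thresholds are placeholders.
# Address object for the local network so that 'all' is not used as the source.
config firewall address
    edit "LAN_net"
        set subnet 10.95.0.0 255.255.0.0
    next
end

config firewall DoS-policy
    edit 2
        # Inbound interface facing the workstations (assumed name).
        set interface "internal"
        # Local networks as source, everything as destination and service.
        set srcaddr "LAN_net"
        set dstaddr "all"
        set service "ALL"
        config anomaly
            # Anomalies a workstation should never generate.
            edit "tcp_syn_flood"
                set status enable
                set log enable
                set action block
                # Quarantine the offending host, as in the server example on this page.
                set quarantine attacker
                set quarantine-expiry 10
                set quarantine-log enable
                # Example packets-per-second value; tune to observed normal usage.
                set threshold 500
            next
            edit "tcp_port_scan"
                set status enable
                set log enable
                set action block
                set quarantine attacker
                set quarantine-expiry 10
                set quarantine-log enable
                set threshold 200
            next
            edit "tcp_dst_session"
                set status enable
                set log enable
                set action block
                # Concurrent sessions a single workstation may hold to one destination.
                set threshold 1000
            next
            edit "ip_dst_session"
                set status enable
                set log enable
                set action block
                set threshold 1000
            next
            # udp_* and tcp_src_session anomalies are intentionally left out here,
            # because torrent or Skype software on workstations can trigger them legitimately.
        end
    next
end
```

Before enabling the block action, run the policy with `set action pass` and `set log enable` for a period of normal operation and review the anomaly logs: a threshold that fires on legitimate workstation traffic is worse than no policy, and the values above are only a starting point.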