Cannot block DoS Attack (tcp_port_scan, tcp_syn_flood, etc... )

Question

Hi all, with FortiIOS5.2 in Transparent Mode i want to block:

[ul]

http://fortiguard.com/encyclopedia/ips/100663398

[link]http://fortiguard.com/encyclopedia/ips/100663396[/link]

All Avaiable[/ul]

So, i make this DoS Policy: src: All dst: All Service: All

But when I try with nmap the traffic pass through, here are a few examples of logging:

"date=2017-06-23 time=17:44:41 devname=FGTIZ devid=FGT3... logid=0720018432 type=anomaly subtype=anomaly level=alert vd="root" severity=critical srcip=1.1.1.1 dstip=2.2.2.2 srcintf="port5" sessionid=0 action=clear_session proto=6 service=tcp/2820 count=1899 attack="tcp_syn_flood" srcport=65030 dstport=1035 attackid=100663396 policyid=1 ref="http://www.fortinet.com/ids/VID100663396" msg="anomaly: tcp_syn_flood, 25 > threshold 10, repeats 1899 times" crscore=50 crlevel=critical"

[size="2"]"date=2017-06-23 time=17:27:48 devname=FGTIZ devid=FGT3... logid=0000000013 type=traffic subtype=forward level=notice vd=root srcip=1.1.1.1 srcport=41999 srcintf="port5" dstip=2.2.2.2 dstport=1097 dstintf="port2" poluuid=4d367a58-4fa3-51e7-a2a2-e380cea7d636 sessionid=45815004 proto=6 action=timeout policyid=1 dstcountry="Reserved" srccountry="Reserved" trandisp=noop service="tcp/1097" duration=10 sentbyte=44 rcvdbyte=0 sentpkt=1 rcvdpkt=0 appcat="unscanned" crscore=5 craction=262144 crlevel=low"[/size]

What i doing wrong?!

Thanks

wterry · Answer

I believe that it's working correctly, the action "action=clear_session" and "tcp_syn_flood, 25 > threshold 10, repeats 1899 times" indicates that once the threshold was reached the traffic was blocked.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded