how to stop dos attacks to the WAN interface

Forum|Forum|11 years ago
September 11, 2014
6 replies
21345 views

I know this is a broad question, but what are the best practices that can be done to stop attacks to the fortigate' s WAN interface. example is we have a DNS Server with virtual IP inside the LAN network. few days ago, the dns server crashed because of a, we believed to be an attack. The wan interface, showed huge amount of traffic before the DNS (with VIP)went down. Right now on the logs, there are a lot of public ip addresses trying to access the WAN interface through different kind of ports tcp/58512, 58512/udp, domain name server, etc. although the attaks are blocked, we are just worrying that this would cause high cpu utilization causing the fortigate to crash. any ideas? thanks.

Lj23907.jpg

Istvan_Takacs_FTNT

Staff

Put a device in front of the FGT that drops the packets. That way the Fortigate will be protected and won' t have to use resources to filter out roque packets. If the packet hits the FGT then not much you can do, it has to deal with it which costs local resources. FortiDDoS actually can do a really good job of protecting your network from these kind of attacks. Talk to the local Fortinet sales team to loan one for a few weeks for POC.

Dyop_GeopAuthor

New Member

whew. just as i expected. its pretty much no more chance of adding configurations to the fortigate regarding this attacks. I just thought there could be added configs that can be used for these attacks. like, best practices, most secured configuration, etc. we don' t have any more devices that can be put in front of the fortigate, aaand there' s a limitation in budget even if we are aware of the fortiDDOS. thanks sir.

hklb

Visitor III

Hello, You can configure DDOS on your fortigate (not on all model). You have to do that in CLI on small device, or you have a menu in the webui on " big" model.

emnoc

New Member

Your wasting your time if it' s an pure volumetric DDoS attack under the definition of the wording DDoS You need to filter/inspect and drop traffic way ahead of your firewall. Nothing you can ever do on the FGT will drop traffic if it' s a volumetric. The UDP have already did damage by flooding your WAN uplinks. Even if you successfully prevent the traffic from entering the DNS-server, you still have the traffic wasting your WAN bandwdith and resources locally on the firewall. What I would do is to run some packet captures to see what type of dns.attack if any; is it a " A" qry flood Are they asking for recursion Are they asking for a NXDOMAIN ( yeap I have a few russian sources that' s being blocked for 1 year now that things I' m Authoritive for xxxxx.com ) Are they listed as safe-sources for recursion ( look at the src address , drop anything that rfc1918, test-net, and not part of your range if your doing recursion ) do you have HUGH TXT response coming at you ( class DDoS volumertric flood btw ) how many querys per/sec do see if your running bind9 what dos your dns-stats show ( you can use rndc or dump these ) /I] I can on and on on how you look for other signs such as match TTL and query-id are being repeated and/or ephemeral ports are being increase but the ttl the same or the sources are randomized Next go over your DNS server security functions with a fine tooth comb. ensure EDNS is good query/response throttle if that option is available ACL controls for AXFR and Recursion lookup for sources your expect and trust etc..... If all check outs and you still think your dns-server is being hit, consult with a DDoS provider.

ede_pfau

SuperUser

But yes, there is more you can do to relieve your FGT. You can see in your logs that the originating source is often the same address. Create an interface-policy (in the CLI only!) to filter on that source address. I would even expand that to whole subnets and/or countries. Interface policies are effective way before other FGT features like routing, regular policies or UTM. They are meant to help in exactly your situation. A real DDoS attack cannot be stopped this way, all of what emnoc posted is the bitter truth. But you can protect your network and the ressources of your FGT with simple configuration. Besides, funny that interface policy is coming up twice in the last days. It' s rarely used and even more rarely asked for on the forums. See https://forum.fortinet.com/FindPost/113610

netmin

New Member

To a certain degree you can rate limit access using a DoS sensor (https://forum.fortinet.com/FindPost/111099). Alternatively, an IPS sensor to track some IPs, but this consumes more resources. Maybe you should also check if your server is acting as an open resolver: http://openresolverproject.org/

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded