Help
Cybersecurity Forum

This forum is for all security enthusiasts to discuss Fortinet's latest & evolving technologies and to connect & network with peers in the cybersecurity hemisphere. Share and learn on a broad range of topics like best practices, use cases, integrations and more. For support specific questions/resources, please visit the Support Forum or the Knowledge Base.

tato
New Contributor

Created on ‎12-07-2015 09:43 PM

How to traceback DOS attack

Hi,

Is there anyone have experienced to block dos attack and trace back the source IP.

Seem our PC is infected by somekind of MalWare. Fortigate traffic history widget shows us a burst traffic coming from our LAN to WAN1 and WAN2. The traffic burst 10Gbps in sort of time, randomly. (pls see screenshot attached)

I’m trying to block this traffic using Fortigate.

 

I'm aware about fortigate appControl, AV, and DOS capability.

AppControl => I'm blocking Bot and proxy category.

AV => I'm blocking connection to Botnet and C&C server.

DOS => I'm blocking UDP and TCP flood. Both threshold are 500.

With all that setting, the problem still occurs.

 

I'm not sure what kind of MalWare that infected my network.

I really appreciate if someone would share their experience and help me out with this issue.

 

Thanks

Regards//tato

Preview file
136 KB
Labels:
313
0 Kudos
3 REPLIES 3
PatrBeav
New Contributor

Created on ‎12-30-2015 10:41 AM

Yes unfortunately I have a lot of DDOS handling experience. I would first recommend using something like prtg or scrutinizer setup for Sflow from the fortinet firewall. Setup the Sflow on the interface closed to what you want to track. for Source you would setup sflow on the wanX interface (if the traffic is truly sourced by someone on the internet) or via the portX interface is you think you have Malware in the local network that may be initiating this problem. In the second example its not really a DOS attack as it is just botnet attempts and standard noisy malware! I would recommend getting this setup then for example with prtg you can see the top talkers in 15minute segements and top destinations and top connections. This will give you the true sources of you network pain! I have this setup in multiple data centers and not only on the fortinet firewalls but anywhere there is an aggregate connection, like the distrubution layer on most netorks or the edge network connection where it comes into the core. Most modern routers and switches support either netflow or sflow. In some cases you can just use a packet capture sensor as well but its much more load on the server calculating the traffic into a graph. 

Once the source of the issue is found, I have found that you can either null route that source ip to null on your routing gear or on the firewall. I typically do this outside the firewall so it doesnt even get to the firewall. You can also call your ISP and sometimes they can block that IP for you. I have even done some bgp routing with tunnels to redirect the traffic if you know the destination that they are trying to DOS and if its one that you can live without as you can usually also black-hole the destination if you have that agreement with you ISP.

Hope this info helps,

305
0 Kudos
tato
New Contributor
In response to PatrBeav

Created on ‎01-14-2016 09:44 PM

Hi Patrick,

Thank you for your suggestion. I really appreciate it.

Regards//tato

305
0 Kudos
DeepKuma2
Contributor
In response to PatrBeav

Created on ‎06-30-2018 09:29 PM


Thanks, Dear,

This is a good article. 

Regards,

Deepak Kumar

NSE4

Deepak Kumar First Option General Trading LLC Dubai
Deepak Kumar First Option General Trading LLC Dubai
305
0 Kudos
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.