FortiDDoS
ddsouza_FTNT
Staff
Article Id 212192
Description

This article describes why FortiDDoS does not show a source IP in most FortiDDoS attack logs.
Scope

FortiDDoS B/E series: versions 4.x and 5.x.

FortiDDoS F series: version 6.x.

Solution

By design, FortiDDoS does not record the source IP for every attack, because most DDoS attacks (the "Distributed" part) originate from many sources, usually with spoofed addresses.

FortiDDoS therefore ignores the source IP and blocks by service when a parameter's threshold is exceeded, except for the parameters that track the source IP address: most-active-source, concurrent-connections-per-source, SYN per Source, DNS Packet Track per Source and HTTP Methods per Source.

To explain this in more detail, let's look at two FortiDDoS attack logs.

The screenshots are taken from the FortiDDoS F-series GUI.

Screenshot 1 - TCP Port Flood attack log: FortiDDoS generates this attack log when the effective rate limit for a port (in this case TCP port 50000), defined under Service Protection Policy -> Thresholds -> TCP Ports, has been reached.

These packets could come from one source or from many, but the TCP port parameter does not track the source of the packets (it does not need to), so no source IP address is recorded in the log.

[Screenshot 1: TCP Port Flood attack log, no source IP shown]

Screenshot 2 - Source Flood attack log: FortiDDoS generates this attack log when a single source sends more IP packets than the threshold defined under Service Protection Policy -> Thresholds -> Scalars -> most-active-source.

As the parameter's name suggests, it tracks each source in order to determine whether the number of packets from that source exceeds the threshold.

When this threshold is exceeded, FortiDDoS generates an attack log with the source IP recorded in it.

[Screenshot 2: Source Flood attack log, source IP shown]
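The difference between the two logs, as an added example that is not Fortinet's code: a constructed one-second traffic sample is evaluated against a hypothetical per-port threshold and a hypothetical most-active-source threshold. The 40 spoofed sources behind the port flood never individually cross the per-source threshold, so that log carries no source IP, while the single heavy sender does.

```python
"""Constructed model of the two FortiDDoS threshold types discussed above."""
from collections import Counter
from typing import Iterable, List, Tuple

# Constructed packet records: (source_ip, dst_tcp_port) seen within one second.
PACKETS: List[Tuple[str, int]] = (
    # Port flood: many spoofed sources, each sending one packet to TCP/50000.
    [(f"198.51.100.{i}", 50000) for i in range(1, 41)]
    # Source flood: one real host sending many packets to assorted ports.
    + [("203.0.113.7", 1000 + i) for i in range(30)]
)

# Hypothetical thresholds (packets per second) standing in for the
# Service Protection Policy values; these are not Fortinet defaults.
TCP_PORT_THRESHOLD = 25            # Thresholds -> TCP Ports
MOST_ACTIVE_SOURCE_THRESHOLD = 20  # Thresholds -> Scalars -> most-active-source


def evaluate(packets: Iterable[Tuple[str, int]]) -> List[dict]:
    """Return the attack-log entries one second of traffic would produce."""
    packets = list(packets)
    per_port = Counter(port for _, port in packets)
    per_source = Counter(src for src, _ in packets)
    logs = []
    # Aggregate parameter: counts packets per destination port regardless of
    # who sent them, so the resulting log has no source IP (Screenshot 1).
    for port, count in per_port.items():
        if count > TCP_PORT_THRESHOLD:
            logs.append({"event": "TCP Port Flood", "port": port,
                         "count": count, "source_ip": None})
    # Per-source parameter: counts packets per source, so the resulting log
    # can and does record the offending source (Screenshot 2).
    for src, count in per_source.items():
        if count > MOST_ACTIVE_SOURCE_THRESHOLD:
            logs.append({"event": "Source Flood", "port": None,
                         "count": count, "source_ip": src})
    return logs


if __name__ == "__main__":
    for entry in evaluate(PACKETS):
        print(entry)
```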

Note:

In the majority of genuine attacks, spoofed or invalid addresses are used, so the source IP offers no forensic value even when it is recorded in the FortiDDoS attack logs.

Since 2016, the Mirai botnet code and its more than 20 derivatives have changed the DDoS landscape.

A small Mirai botnet can generate 500,000 random, unique, spoofed IP addresses PER SECOND, randomizing from the entire IPv4 address space.

This is done to hide the real IP addresses of devices sending attack traffic.

These Source IPs have no forensic value and cannot be ACLed or geolocated; with a 5-minute attack possibly producing 15 million Source IPs, almost no one could manage a list of Sources.

Even some per-Source floods almost always display a spoofed Source IP.

SYN-per-Source floods are becoming common.

The intent of these attacks is to create reflected SYN-ACK floods back to the 'Source' of the SYNs.

Thus the Source IP is spoofed to be that of the target of the resulting SYN-ACK flood.

Similarly, DNS Queries-per-Source floods on DNS servers are usually intended to create DNS Amplified Response floods back to that target Source IP.