fgilloteau_FTNT
Article Id 192995

Description

This article provides information on how DDoS logs are generated when a sensor is matched.

Scope

FortiGate.

Solution

Attack logs are generated every 30 seconds from the beginning of the attack, or earlier if the traffic stops before 30 seconds have elapsed.

The first number xxx in 'xxx > threshold yyy' is the number of packets received in the latest second at the moment the log is triggered; yyy is the sensor threshold.

The repeat number aaa in 'repeats aaa times' is the number of aggregated entries, i.e. the number of packets that met the threshold during the period between the previous log and the current one.

The following examples illustrate:
  • A UDP flood attack generated on port 3000.
  • A UDP_flood sensor limited to 1 PPS.

Example 1:
 
hping3 can be used to generate traffic. For more information, refer to Technical Tip: Mitigating TCP timestamp attacks with FortiSandbox.

The test was made with the following hping command:
 
hping3 --udp -p 3000 10.129.3.186 --fast -c 3000

[Screenshot FD37066-1: the resulting DDoS attack log entries for a single source (image not reproduced).]

Example 2:

The same test was repeated with 2 different IP sources: 10.129.0.25 and 10.129.0.30.

[Screenshot FD37066-2: the resulting DDoS attack log entries for two sources (image not reproduced).]

Note that each log entry contains only the last seen source IP, destination IP, and destination port, not every source that contributed to the aggregated count.
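The following added example (not part of the original article, nor Fortinet code) shows how a SOC analyst can parse the 'xxx > threshold yyy, repeats aaa times' fields explained above and aggregate them per attack and destination, while treating the source IP with the caveat just noted. The log lines are constructed for this example: only the msg wording follows the article; the key=value field names, timestamps, and counts are assumptions for illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log lines (not taken from the article). Only the
# 'xxx > threshold yyy, repeats aaa times' wording of the msg field follows the
# article; field names, timestamps and counts are assumptions for illustration.
SAMPLE_LOGS = [
    'date=2024-01-01 time=10:00:01 type="anomaly" srcip=10.129.0.25 dstip=10.129.3.186 '
    'dstport=3000 proto=17 attack="udp_flood" msg="anomaly: udp_flood, 10 > threshold 1, repeats 9 times"',
    'date=2024-01-01 time=10:00:31 type="anomaly" srcip=10.129.0.30 dstip=10.129.3.186 '
    'dstport=3000 proto=17 attack="udp_flood" msg="anomaly: udp_flood, 10 > threshold 1, repeats 299 times"',
    'date=2024-01-01 time=10:01:01 type="anomaly" srcip=10.129.0.25 dstip=10.129.3.186 '
    'dstport=3000 proto=17 attack="udp_flood" msg="anomaly: udp_flood, 10 > threshold 1, repeats 300 times"',
    # A non-anomaly line, to show that unrelated log types are skipped.
    'date=2024-01-01 time=10:01:05 type="traffic" srcip=10.129.0.25 dstip=10.129.3.186 dstport=53 proto=17',
]

# key=value pairs, with values either double-quoted or bare.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
# The three numbers described in the article: xxx, yyy and aaa.
MSG_RE = re.compile(r'(\d+) > threshold (\d+), repeats (\d+) times')


@dataclass
class AnomalyLog:
    time: str
    srcip: str        # only the LAST seen source at the time the log was written
    dstip: str
    dstport: int
    attack: str
    pps: int          # xxx: packets received in the latest second
    threshold: int    # yyy: sensor threshold in packets per second
    repeats: int      # aaa: packets aggregated since the previous log entry


def parse_fields(line):
    """Split a key=value log line into a dict, unquoting quoted values."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in KV_RE.finditer(line)}


def parse_anomaly_log(line):
    """Return an AnomalyLog for a DDoS sensor entry, or None for any other log line."""
    f = parse_fields(line)
    if f.get("type") != "anomaly":
        return None
    m = MSG_RE.search(f.get("msg", ""))
    if not m:
        return None
    return AnomalyLog(
        time=f["time"], srcip=f["srcip"], dstip=f["dstip"], dstport=int(f["dstport"]),
        attack=f["attack"], pps=int(m.group(1)), threshold=int(m.group(2)),
        repeats=int(m.group(3)),
    )


def summarize(lines):
    """Aggregate sensor hits per (attack, dstip, dstport): entry count, total
    packets counted over threshold, peak pps, and the sources the log happened to show."""
    out = defaultdict(lambda: {"entries": 0, "total_repeats": 0, "peak_pps": 0, "sources_seen": set()})
    for line in lines:
        e = parse_anomaly_log(line)
        if e is None:
            continue
        s = out[(e.attack, e.dstip, e.dstport)]
        s["entries"] += 1
        s["total_repeats"] += e.repeats
        s["peak_pps"] = max(s["peak_pps"], e.pps)
        # Each entry carries only the last seen srcip, so this set is a lower
        # bound on the number of attacking sources, never a complete list.
        s["sources_seen"].add(e.srcip)
    return dict(out)


if __name__ == "__main__":
    for key, stats in summarize(SAMPLE_LOGS).items():
        print(key, stats)
```

Summing 'repeats' across the 30-second entries gives the packets the sensor counted over the whole attack, and the peak 'xxx' gives the worst one-second rate; the set of sources is deliberately reported as "seen" rather than "all", because a single entry in Example 2 names only one of the two attacking hosts.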