Description
This article provides guidelines on how to tune DDoS policies to avoid false positives or blocking extra traffic.
Solution
The first thing to understand when applying DDoS policies is that they do not rely on the stateful properties of the firewall, so traffic like the following is handled whether it is incoming to or outgoing from the FortiGate.
# di sniff pack Vlan_11 'port 80 and tcp[tcpflags] == tcp-syn' 1 25
interfaces=[Vlan_11]
filters=[port 80 and tcp[tcpflags] == tcp-syn]
0.876904 10.95.13.204.24088 -> 10.95.136.204.80: syn 3585436935
0.894848 10.95.4.223.7273 -> 10.95.128.117.80: syn 2436279189
0.947586 10.95.10.90.5871 -> 10.95.132.100.80: syn 1124757321
0.972220 10.95.5.29.26781 -> 10.95.128.217.80: syn 2500978264
With this in mind, you must use the DDoS policy with the following recommendations:
If you want to protect your own servers from DoS attacks from the Internet:
- Be sure to configure only your own servers as destination of the traffic. You have to use 'Address' objects, not VIPs.
- Set the services your server provides, that is, HTTP, HTTPS, SMTP, etc.
- Configure only the anomalies which will match the services of your server(s). For example, if your server provides SMTP access only, use the following anomalies:
+ tcp_syn_flood, or
+ tcp_src_session, or
+ ip_src_session
Then configure their thresholds to match 'normal' usage, that is, the number of sessions ('x') that is normal from a single source for a given client. For example:
config firewall DoS-policy
    edit 1
        set interface "wan1"
        set srcaddr "all"
        set dstaddr "200.201.202.1"
        set service "SMTP"
        config anomaly
            edit "tcp_src_session"
                set status enable
                set action block
                set quarantine attacker
                set quarantine-expiry 10
                set quarantine-log enable
                set threshold 100
            next
        end
    next
end
Keep in mind that every service has its own characteristics of what is considered 'normal'.
If you use (in this case) tcp_dst_session or ip_dst_session, you would be limiting the number of concurrent sessions your server will handle, which is itself the purpose of a Denial of Service.
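One way to measure what 'normal' looks like before choosing a threshold, as an added example that is not part of the original article: the script parses SYN lines in the sniffer output format shown earlier and reports the peak SYNs per second per destination and the SYN count per source. The sample capture, the function names and the `headroom` factor are assumptions made for this illustration, as is reading `tcp_syn_flood` as a per-destination SYN-per-second rate.

```python
import math
import re
from collections import Counter

# Constructed sample in the sniffer output format shown above (not real traffic).
SAMPLE = """\
interfaces=[Vlan_11]
filters=[port 80 and tcp[tcpflags] == tcp-syn]
0.100000 10.95.13.204.24088 -> 10.95.136.204.80: syn 1000000001
0.200000 10.95.13.204.24089 -> 10.95.136.204.80: syn 1000000002
0.900000 10.95.4.223.7273 -> 10.95.136.204.80: syn 1000000003
1.100000 10.95.4.223.7274 -> 10.95.136.204.80: syn 1000000004
1.500000 10.95.10.90.5871 -> 10.95.132.100.80: syn 1000000005
2.300000 10.95.13.204.24090 -> 10.95.136.204.80: syn 1000000006
"""

# "<seconds> <src_ip>.<src_port> -> <dst_ip>.<dst_port>: syn <seq>"
SYN_LINE = re.compile(
    r"^(\d+\.\d+)\s+(\d+(?:\.\d+){3})\.(\d+)\s+->\s+"
    r"(\d+(?:\.\d+){3})\.(\d+):\s+syn\s+\d+\s*$"
)

def parse_syns(text):
    """Return (timestamp, src_ip, dst_ip, dst_port) per SYN line; skip headers and noise."""
    events = []
    for line in text.splitlines():
        m = SYN_LINE.match(line.strip())
        if m:
            events.append((float(m.group(1)), m.group(2), m.group(4), int(m.group(5))))
    return events

def peak_syn_rate_per_dst(events):
    """Highest SYN count seen in any fixed one-second bucket, per destination IP."""
    buckets = Counter((dst, int(ts)) for ts, _src, dst, _port in events)
    peaks = {}
    for (dst, _second), count in buckets.items():
        peaks[dst] = max(peaks.get(dst, 0), count)
    return peaks

def syns_per_src(events):
    """Total new connection attempts per source IP over the capture."""
    return Counter(src for _ts, src, _dst, _port in events)

def suggest_threshold(observed_peak, headroom=2.0):
    """Observed peak times a headroom factor (hypothetical default), rounded up."""
    return max(1, math.ceil(observed_peak * headroom))

if __name__ == "__main__":
    events = parse_syns(SAMPLE)
    for dst, peak in sorted(peak_syn_rate_per_dst(events).items()):
        print(f"{dst}: peak {peak} SYN/s, candidate threshold {suggest_threshold(peak)}")
    for src, count in syns_per_src(events).most_common():
        print(f"{src}: {count} SYNs")
```

SYN counts per source only show how quickly a client opens connections; session-based anomalies such as tcp_src_session count sessions, so check the resulting value against a capture taken during the service's busiest normal period.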
If you want to protect your FortiGate from the effects of a worm in your local network, you could use the following recommendations:
- Set your local networks as sources (do not use 'all')
- You could use destination as 'all' and service 'any'
- Configure the anomalies your workstations should not generate:
+ tcp_syn_flood
+ tcp_dst_session
+ ip_dst_session
+ tcp_port_scan
In the case of UDP and some tcp_src anomalies, you have to consider that some of that traffic could be generated by torrent or Skype software.