FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
myky_
Staff
Article Id 339626
Description
This article describes how to create and use IPS custom signatures for specific requirements, such as limiting access based on the rate to the specific website or application.
 
Some of this can be done with a DoS policy, which gives the flexibility to control and block L3/L4 anomalies of the OSI model. IPS custom signatures extend those checks up to L7 of the OSI model.
 
A sample of the traffic is needed. It can usually be captured by running a sniffer on the FortiGate, converted to .pcap format, and analyzed with a network protocol analyzer such as Wireshark, so that the signature can be built to match the particular parameters.
 
The example below demonstrates how to create an IPS custom signature to inspect SNI from the user's hello messages, monitor the request rate, and subsequently isolate (quarantine) the source IP if the rate limit is exceeded.
Scope
FortiGate.
Solution
Topology:

flow.gif
  1. Get a traffic sample by running a sniffer on the FortiGate or the user machine using the Wireshark tool.

wireshark_sample.png
 
  2. Create an IPS signature. Go to Security Profiles -> IPS Signatures -> Create New:
 
ips_custom.png
CLI options:
 
config ips custom
    edit "SSL.SNI.Custom"
        set signature "F-SBID( --attack_id 3896; --name \"SSL.SNI.Custom\"; --protocol tcp; --service SSL; --flow from_client; --pattern \"www.fortiguard.com\"; --no_case; --context HOST;)"
        set comment ''
    next
end

  3. Create an IPS sensor. Go to Security Profiles -> Intrusion Prevention -> Create New. Inside, go to IPS Signatures and Filters -> Create New:
 
ips_sensor.png

CLI options:
 
config ips sensor
    edit "SSL.SNI.Sensor"
        config entries
            edit 1
                set rule 3896
                set status enable
                set action block
                set rate-count 2
                set rate-duration 30
                set rate-mode periodical
                set rate-track src-ip
                set quarantine attacker
                set quarantine-expiry 1m
            next
        end
    next
end

The custom signature and sensor are configured as follows:

The SNI match pattern is www.fortiguard.com. If two (2) matching requests are made within thirty (30) seconds from the same source IP (tracked per source with set rate-track src-ip), the request is blocked and the source IP is quarantined for one (1) minute.
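The two mechanisms this sensor combines, pulling the server_name out of a TLS ClientHello (the field the --context HOST pattern matches when --service SSL is set) and counting matches per source IP against rate-count / rate-duration before quarantining, can be modelled end to end in a few dozen lines. The following is an added example written for this article, not FortiGate code: extract_sni() walks a TLS record to the SNI extension, build_client_hello() constructs a minimal ClientHello so the example runs offline, and SniRateSensor is a hypothetical, simplified model of the sensor entry above (2 hits in 30 s, then a 60 s quarantine during which every packet from that source is dropped). Source addresses and timestamps are constructed.

```python
"""Added example (not Fortinet code): extract the SNI from a TLS ClientHello and
model the IPS sensor's rate-count / rate-duration / quarantine behaviour."""
import struct
from collections import defaultdict, deque

TLS_HANDSHAKE = 0x16   # TLS record content type: handshake
CLIENT_HELLO = 0x01    # handshake message type: ClientHello
EXT_SERVER_NAME = 0x0000   # extension type carrying the SNI


def extract_sni(record):
    """Return the server_name from a TLS record carrying a ClientHello, or None.

    Only the fields needed to reach the extensions block are parsed; any
    truncation, wrong record type or absent SNI yields None instead of raising.
    """
    try:
        if record[0] != TLS_HANDSHAKE:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != CLIENT_HELLO:
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        pos = 2 + 32                                   # client_version + random
        sid_len = body[pos]; pos += 1 + sid_len        # session_id
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len
        cm_len = body[pos]; pos += 1 + cm_len          # compression_methods
        if pos >= len(body):
            return None                                # no extensions present
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            data = body[pos:pos + ext_size]; pos += ext_size
            if ext_type == EXT_SERVER_NAME:
                # server_name_list: list_len(2) name_type(1) name_len(2) host_name
                name_type = data[2]
                name_len = struct.unpack("!H", data[3:5])[0]
                if name_type == 0:                     # 0 = host_name
                    return data[5:5 + name_len].decode("ascii", "replace")
        return None
    except (IndexError, struct.error):
        return None


def build_client_hello(server_name):
    """Constructed sample: minimal TLS 1.2 ClientHello carrying one SNI extension."""
    name = server_name.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    body = (b"\x03\x03" + b"\x11" * 32                 # version, fake random
            + b"\x00"                                  # empty session_id
            + struct.pack("!H", 2) + b"\xc0\x2f"       # one cipher suite
            + b"\x01\x00"                              # null compression only
            + struct.pack("!H", len(ext)) + ext)
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(hs)) + hs


class SniRateSensor:
    """Hypothetical, simplified model of the sensor entry: count ClientHellos whose
    SNI contains the pattern (case-insensitive, like --no_case), tracked per source
    IP; once rate_count matches fall inside rate_duration seconds the source is
    blocked and quarantined for quarantine_expiry seconds."""

    def __init__(self, pattern, rate_count=2, rate_duration=30, quarantine_expiry=60):
        self.pattern = pattern.lower()
        self.rate_count = rate_count
        self.rate_duration = rate_duration
        self.quarantine_expiry = quarantine_expiry
        self.hits = defaultdict(deque)   # src_ip -> timestamps of matches
        self.quarantined = {}            # src_ip -> release time

    def inspect(self, src_ip, record, now):
        """Return 'pass', 'block' (rate limit reached) or 'quarantined'."""
        release = self.quarantined.get(src_ip)
        if release is not None:
            if now < release:
                return "quarantined"     # everything from this source is dropped
            del self.quarantined[src_ip]
        sni = extract_sni(record)
        if sni is None or self.pattern not in sni.lower():
            return "pass"
        window = self.hits[src_ip]
        window.append(now)
        while window and now - window[0] > self.rate_duration:
            window.popleft()             # drop matches older than rate_duration
        if len(window) >= self.rate_count:
            self.quarantined[src_ip] = now + self.quarantine_expiry
            window.clear()
            return "block"
        return "pass"


def run_scenario():
    """Replays the test from the article with constructed addresses and times."""
    sensor = SniRateSensor("www.fortiguard.com")
    hello = build_client_hello("www.fortiguard.com")
    other = build_client_hello("example.org")
    return [
        sensor.inspect("10.0.0.5", hello, now=0),    # first match: pass
        sensor.inspect("10.0.0.5", hello, now=10),   # second within 30 s: block
        sensor.inspect("10.0.0.5", other, now=20),   # still quarantined, any SNI
        sensor.inspect("10.0.0.9", hello, now=20),   # other source is unaffected
        sensor.inspect("10.0.0.5", hello, now=75),   # quarantine expired at 70
    ]
```

Feeding the ClientHello bytes from a real capture (the TCP payload of the first client packet after the handshake) into extract_sni() is a quick way to confirm what the --context HOST pattern will be compared against before committing the signature.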

Testing:
The user made two (2) requests to www.fortiguard.com within thirty (30) seconds. When the second request was sent, the firewall's IPS detected that the rate limit had been reached. As a result, FortiGate dropped the request and quarantined the source IP for one (1) minute.

client_test.png

 

IPS_logs.png


If the traffic is not encrypted with SSL (more of the payload is visible in clear text), more matching parameters can be applied when creating the custom signature, providing more flexibility; otherwise, SSL Deep Inspection is needed.

When the firewall performs SSL/TLS offloading or SSL Deep Inspection, signatures can be utilized to monitor admin username/password brute-force attacks.

Related documents: