FortiGate
ACARIMO
Staff
Article Id 338757
Description This article describes a way to assess whether internal devices are generating Middlebox Reflection Attacks, using TCP SYN packets that carry an HTTP GET payload as the indicator.
Scope All FortiGate devices.
Solution

Fortinet's FortiGuard website provides information about vulnerabilities affecting Fortinet products and the corresponding mitigation actions. The TCP Middlebox Reflection Attack has its own page here.

 

However, compromised devices within the network can also be the source of these attacks. In a Middlebox Reflection Attack the sender emits TCP SYN packets that already carry an HTTP GET (typically for a site the middlebox is expected to block), with the source IP spoofed to the victim's address, so that the middlebox's response is reflected onto the victim.

 

To identify internal devices generating a Middlebox Reflection Attack with SYN packets carrying a GET payload, run the following CLI command and leave it running for a few days, connected to the FortiGate either via the console port or via SSH. The sniffer only prints to the terminal, so configure the terminal client to log the session output to a file for later review; stop the capture with Ctrl+C.

 

diagnose sniffer packet any "tcp[13]==2 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420)" 6 0 l

 

The filter matches TCP packets whose flags byte equals 0x02 (SYN set and nothing else, so SYN/ACK is excluded) and whose payload starts with the four bytes "GET " (0x47455420) immediately after the TCP header; the expression ((tcp[12:1] & 0xf0) >> 2) derives the TCP header length in bytes from the data-offset field, so the payload check works regardless of which TCP options are present. Verbosity 6 prints the ingress/egress interface name, the source/destination IPs and ports, and a hex dump of the frame including the Ethernet header; a count of 0 captures until stopped, and l prints local timestamps. Because a reflection attack spoofs the source IP as the victim's address, the source IP in the log may not belong to any internal range: use the ingress interface and the source MAC in the Ethernet header to identify the real sending host. A normal TCP client does not place data in a SYN (TCP Fast Open, RFC 7413, is the one legitimate exception), so any match deserves a look; repeated matches from one host towards many destinations, or with several different source IPs, strongly indicate a Middlebox Reflection Attack in the network.
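Reviewing several days of sniffer output by hand is tedious. The following Python script, added here as an example and not part of the original article or of Fortinet's tooling, parses logged sniffer output and groups the SYN+GET packets by ingress interface and source MAC rather than by source IP, since the source IP is the spoofed victim address in a real attack. The sample lines are constructed to mimic the verbosity-6 layout (a header line followed by a hex dump whose first 14 bytes are the Ethernet header); the header regex, the 0x0000-line parsing and the suspect thresholds are assumptions for this example and may need adjusting to the exact output of a given FortiOS version.

```python
import re

# Constructed sample of "diagnose sniffer packet any '...' 6 0 l" output.
# The layout (header line, then a hex dump whose first 14 bytes are the
# Ethernet header) mimics FortiGate's verbosity-6 format; every address,
# MAC and timestamp below is made up for this example.
SAMPLE_LOG = """\
interfaces=[any]
filters=[tcp[13]==2 and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420)]
2024-08-01 10:15:02.100001 port2 in 198.51.100.7.40001 -> 203.0.113.10.80: syn 1001
0x0000\t 0009 0f09 0001 5254 00ab cd01 0800 4500\t......RT......E.
0x0010\t 0054 0001 0000 4006 0000 c633 6407 cb00\t.T....@......3d..
2024-08-01 10:15:02.100050 wan1 out 198.51.100.7.40001 -> 203.0.113.10.80: syn 1001
0x0000\t 0050 5600 0001 0009 0f09 0002 0800 4500\t.PV...........E.
2024-08-01 10:15:02.200001 port2 in 198.51.100.7.40002 -> 203.0.113.11.80: syn 1002
0x0000\t 0009 0f09 0001 5254 00ab cd01 0800 4500\t......RT......E.
2024-08-01 10:15:02.300001 port2 in 198.51.100.8.40003 -> 203.0.113.12.80: syn 1003
0x0000\t 0009 0f09 0001 5254 00ab cd01 0800 4500\t......RT......E.
2024-08-01 10:16:44.000001 port3 in 10.0.3.20.51000 -> 203.0.113.50.80: syn 2001
0x0000\t 0009 0f09 0003 5254 00ab cd02 0800 4500\t......RT......E.
"""

# Header line: "<timestamp> <interface> <in|out> <src>.<sport> -> <dst>.<dport>: syn <seq>"
# (assumed layout, modeled on the sniffer's verbosity-6 output).
HEADER_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+syn\b"
)
# First hex-dump line: offset 0x0000 followed by eight 16-bit words.
HEX0_RE = re.compile(r"^0x0000\s+((?:[0-9a-f]{4}\s*){8})")


def parse_sniffer(text):
    """Turn logged sniffer output into a list of packet dicts.

    Each header line starts a packet; the 0x0000 dump line that follows it
    yields the source MAC (bytes 6..11 of the Ethernet header)."""
    packets = []
    cur = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = dict(m.groupdict(), src_mac=None)
            packets.append(cur)
            continue
        m = HEX0_RE.match(line)
        if m and cur is not None and cur["src_mac"] is None:
            raw = bytes.fromhex("".join(m.group(1).split()))
            cur["src_mac"] = raw[6:12].hex(":")
    return packets


def summarize(packets, direction="in"):
    """Group SYN+GET packets by (ingress interface, source MAC).

    Only the ingress copy of each packet is counted: with interface 'any'
    the sniffer also prints the egress copy, whose source MAC is the
    FortiGate's own and says nothing about the originating host."""
    stats = {}
    for p in packets:
        if p["dir"] != direction:
            continue
        key = (p["iface"], p["src_mac"])
        s = stats.setdefault(key, {"packets": 0, "src_ips": set(), "dsts": set()})
        s["packets"] += 1
        s["src_ips"].add(p["src"])          # spoofed victim addresses in an attack
        s["dsts"].add((p["dst"], p["dport"]))  # middleboxes being reflected off
    return stats


def suspects(stats, min_packets=3):
    """Hosts that sent several SYN+GET packets or used more than one source IP.

    The thresholds are assumptions for this example, not Fortinet guidance;
    a single legitimate TCP Fast Open client would not trip them."""
    out = [key for key, s in stats.items()
           if s["packets"] >= min_packets or len(s["src_ips"]) > 1]
    return sorted(out, key=str)


if __name__ == "__main__":
    stats = summarize(parse_sniffer(SAMPLE_LOG))
    for (iface, mac), s in stats.items():
        print(f"{iface} {mac}: {s['packets']} SYN+GET packets, "
              f"{len(s['src_ips'])} source IPs, {len(s['dsts'])} destinations")
    print("suspects:", suspects(stats))
```

Replace SAMPLE_LOG with the contents of the logged terminal session (for example by reading the file and passing it to parse_sniffer). The MAC addresses reported for suspect hosts can then be looked up in the DHCP server, switch MAC tables or the FortiGate ARP table to find the physical device.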

 
