FortiGate
alif (Staff)
Article Id 327990
Description This article describes the steps to take in case FortiGate is affected by a DoS / DDoS attack.
Scope FortiGate, DoS, DDoS.
Solution

In a DoS (Denial of Service) or DDoS (Distributed Denial of Service) attack, the attacker overwhelms network resources so that legitimate users can no longer reach servers, databases, applications, services, and so on.


Symptoms of a DoS / DDoS attack on a FortiGate include, but are not limited to: high CPU, memory or bandwidth utilization; a higher session count than usual; inability to reach the FortiGate via GUI, SSH or console; GUI or SSH sessions hanging; incomplete output from CLI commands because the FortiGate is too busy to service them; and general performance degradation for legitimate traffic.

In such scenarios an HA failover will not help either: the session table is synchronized among the members of an HA cluster, so the new primary unit inherits the same session load.


To identify the source of the DoS / DDoS attack, the following steps can help:


  • Collect the session table output (diagnose sys session list) and identify the traffic pattern, for example an unusually large number of DNS sessions or of open / half-open TCP sessions from a single source IP. On a busy unit, narrow the output first with diagnose sys session filter (for example src <ip> or dport 53) and check the totals with diagnose sys session stat. Once the source IP is identified, create a DoS policy on the FortiGate with thresholds that limit that traffic.
    As a matter of good practice, DoS policies with defined thresholds should already be in place before an attack, not created during one.
    Technical Tip: How to configure IPv4 DOS policy


  • Enable anomaly logging under the DoS policies to monitor and observe traffic patterns. Regularly reviewing what normal traffic looks like makes unusual patterns in the network environment much easier to spot.
    Technical Tip: Alert logging for DOS Anomalies


  • Monitor the anomaly logs and adjust the DoS policy thresholds to the observed traffic pattern: a threshold set below normal peak load blocks legitimate users, while one set far above it never triggers.
    DoS policy
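To make the three steps above concrete, here is an added Python example that is not part of the original article and not Fortinet's software. It parses a diagnose sys session list dump, counts concurrent sessions per source and per service, flags half-open TCP sessions, and renders a baseline DoS policy with anomaly logging enabled. The dump is constructed, not a real capture; the threshold rule (three times the busiest observed source, with a floor of 100), the policy ID and the interface name wan1 are assumptions; the anomaly names and CLI layout follow the FortiOS DoS-policy syntax, and the proto_state decoding follows Fortinet's published session-table state values.

```python
"""Profile a FortiGate session-table dump and render baseline DoS-policy thresholds.
Added example; constructed input, not a real capture."""
from __future__ import annotations
import re
from collections import Counter

# Forward-direction tuple line of a record, e.g.
#   hook=post dir=org act=snat 10.0.0.15:51001->8.8.8.8:53(192.168.1.99:51001)
ORG_TUPLE = re.compile(
    r"^hook=\S+ dir=org act=\S+ (?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)",
    re.MULTILINE,
)
RECORD_HEAD = re.compile(r"proto=(?P<proto>\d+) proto_state=(?P<state>\d+)")
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
# FortiOS TCP proto_state: the last digit is the TCP state; 2 = SYN_SENT and
# 3 = SYN/SYN-ACK mean the handshake never completed, i.e. a half-open session.
HALF_OPEN_TCP_STATES = {"2", "3"}


def parse_sessions(dump: str) -> list[dict]:
    """Split the dump on 'session info:' headers and extract proto, state and 5-tuple."""
    sessions = []
    for block in re.split(r"(?m)^session info: ", dump)[1:]:
        head = RECORD_HEAD.match(block)
        tup = ORG_TUPLE.search(block)
        if not head or not tup:
            continue  # truncated record (unit too busy to finish printing): skip it
        proto = int(head["proto"])
        sessions.append({
            "proto": PROTO_NAMES.get(proto, str(proto)),
            "half_open": proto == 6 and head["state"][-1] in HALF_OPEN_TCP_STATES,
            "src": tup["src"], "dst": tup["dst"], "dport": int(tup["dport"]),
        })
    return sessions


def profile(sessions: list[dict]) -> dict[str, Counter]:
    """Concurrent sessions per source, per (proto, dport), per (source, proto), half-open per source."""
    return {
        "per_src": Counter(s["src"] for s in sessions),
        "per_service": Counter((s["proto"], s["dport"]) for s in sessions),
        "per_src_proto": Counter((s["src"], s["proto"]) for s in sessions),
        "half_open_per_src": Counter(s["src"] for s in sessions if s["half_open"]),
    }


def suggest_thresholds(prof: dict[str, Counter], headroom: int = 3, floor: int = 100) -> dict[str, int]:
    """Assumed baseline rule: `headroom` x the busiest source seen, never below `floor`.
    Feed this dumps taken during normal operation; a dump taken mid-attack would bake
    the attacker's volume into the baseline."""
    busiest_by_proto: dict[str, int] = {}
    for (_src, proto), n in prof["per_src_proto"].items():
        busiest_by_proto[proto] = max(busiest_by_proto.get(proto, 0), n)
    return {
        "tcp_src_session": max(busiest_by_proto.get("tcp", 0) * headroom, floor),
        "udp_src_session": max(busiest_by_proto.get("udp", 0) * headroom, floor),
        "ip_src_session": max(max(prof["per_src"].values(), default=0) * headroom, floor),
    }


def render_dos_policy(policy_id: int, interface: str, thresholds: dict[str, int]) -> str:
    """FortiOS CLI for a DoS policy; 'set log enable' is the anomaly logging the article asks for."""
    lines = ["config firewall DoS-policy", f"    edit {policy_id}",
             f'        set interface "{interface}"', '        set srcaddr "all"',
             '        set dstaddr "all"', '        set service "ALL"', "        config anomaly"]
    for name, thr in thresholds.items():
        lines += [f'            edit "{name}"', "                set status enable",
                  "                set log enable", "                set action block",
                  f"                set threshold {thr}", "            next"]
    lines += ["        end", "    next", "end"]
    return "\n".join(lines)


def _record(proto: int, state: str, src: str, sport: int, dst: str, dport: int) -> str:
    """Constructed record in the shape of 'diagnose sys session list' output (abbreviated)."""
    return (f"session info: proto={proto} proto_state={state} duration=3 expire=177 timeout=180 use=3\n"
            f"hook=post dir=org act=snat {src}:{sport}->{dst}:{dport}(192.168.1.99:{sport})\n"
            f"hook=pre dir=reply act=dnat {dst}:{dport}->192.168.1.99:{sport}({src}:{sport})\n"
            "misc=0 policy_id=3\n")


# Constructed dump: a DNS burst and half-open TCP from 10.0.0.15, one normal session from 10.0.0.7.
SAMPLE_DUMP = "".join(
    [_record(17, "00", "10.0.0.15", 51000 + i, "8.8.8.8", 53) for i in range(40)]
    + [_record(6, "02", "10.0.0.15", 52000 + i, "203.0.113.10", 443) for i in range(8)]
    + [_record(6, "01", "10.0.0.7", 40001, "203.0.113.10", 443)]
) + "total session 49\n"

if __name__ == "__main__":
    prof = profile(parse_sessions(SAMPLE_DUMP))
    for src, n in prof["per_src"].most_common(3):
        print(f"{src}: {n} sessions, {prof['half_open_per_src'][src]} half-open TCP")
    print(render_dos_policy(1, "wan1", suggest_thresholds(prof)))
```

Run it against a dump saved from the CLI during normal hours to get a starting baseline, then keep the rendered policy and tune it from the anomaly logs; on the constructed dump the per-source counts alone single out 10.0.0.15, which is the kind of pattern the first step above is looking for.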


Taken together, these measures improve the FortiGate's resilience against DoS / DDoS attacks. Note that a volumetric DDoS that saturates the upstream link cannot be fully absorbed by the FortiGate alone; in that case the traffic must also be filtered upstream by the ISP or a scrubbing service.

