Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
condor
New Contributor

Cannot block DoS Attack (tcp_port_scan, tcp_syn_flood, etc... )

 

  Hi all, with FortiIOS5.2 in Transparent Mode i want to block:  

[ul]
  • http://fortiguard.com/encyclopedia/ips/100663398
  • [link]http://fortiguard.com/encyclopedia/ips/100663396[/link]
  • All Avaiable[/ul]

    So, i make this DoS Policy: src: All dst: All Service: All

     

    But when I try with nmap the traffic pass through, here are a few examples of logging:

     

    "date=2017-06-23 time=17:44:41 devname=FGTIZ devid=FGT3... logid=0720018432 type=anomaly subtype=anomaly level=alert vd="root" severity=critical srcip=1.1.1.1 dstip=2.2.2.2 srcintf="port5" sessionid=0 action=clear_session proto=6 service=tcp/2820 count=1899 attack="tcp_syn_flood" srcport=65030 dstport=1035 attackid=100663396 policyid=1 ref="http://www.fortinet.com/ids/VID100663396" msg="anomaly: tcp_syn_flood, 25 > threshold 10, repeats 1899 times" crscore=50 crlevel=critical"

     

    [size="2"]"date=2017-06-23 time=17:27:48 devname=FGTIZ devid=FGT3... logid=0000000013 type=traffic subtype=forward level=notice vd=root srcip=1.1.1.1 srcport=41999 srcintf="port5" dstip=2.2.2.2 dstport=1097 dstintf="port2" poluuid=4d367a58-4fa3-51e7-a2a2-e380cea7d636 sessionid=45815004 proto=6 action=timeout policyid=1 dstcountry="Reserved" srccountry="Reserved" trandisp=noop service="tcp/1097" duration=10 sentbyte=44 rcvdbyte=0 sentpkt=1 rcvdpkt=0 appcat="unscanned" crscore=5 craction=262144 crlevel=low"[/size]

     

    What i doing wrong?!

    Thanks

  • 2 REPLIES 2
    wterry
    New Contributor

    I believe that it's working correctly, the action "action=clear_session" and "tcp_syn_flood, 25 > threshold 10, repeats 1899 times" indicates that once the threshold was reached the traffic was blocked.

    Deepakkhw
    New Contributor III

    NMAP scanning is not blocked under the DDOS. DDOS will work if your TCP or UDP session will reach a certain limit as TCP_SRS_Session 5000 then it will activate and drop all new sessions until old session will end or timeout. 

     

    NMAP scanning will block by IPS. Please configure IPS and update its signature database. 

     

    Regards,

    Deepak Kumar 

    Announcements

    Select Forum Responses to become Knowledge Articles!

    Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

    Labels
    Top Kudoed Authors