So im 99.9% positive we had a DDOS attack today. I Think this because the network utilization graph shot from 5mbps to 5gbps and stayed there for probably 5 or so minutes. By the time I figured out that was what had happened it had almost ended. I am in K12 so sometimes Kids hire services to do this. From what I've seen usually the Free ones don't have the capabilities to fill a 5gb circuit. Any truth to this? Not that it matters more just curious. Second Question the fortigate CPUs shot to a 100% so it took down our internal network. This was caused by the miglogd process which im assuming was because it was bombarded by so many packets from so many sources? After it was over I tried to look at the log and couldnt really find much nor was it respnding well most likely because of the magnitude of logs? Is there certain things to look for? Certain things to setup for logging that would give you more insight? I know alot of that doesn't matter because the attack is distributed just curious. The kids are remote so probably little chance of figuring out who started it. Mitigation services are far to expensive from what i've seen to be feesible. I've only seen 2 of these in 15 years and the last one was when we had a school on a cable modem. Just more asking questions for my own skills and knowledge.
Hello there:
You can try configuring a DOS policy . It generates a log when there is an attack . Few KBs are here:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-IPv4-DOS-policy/ta-p/1896...
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Denial-of-Service-DoS-anomalies-explained/...
Thank you,
Hope
FortiGate can recognize and stop DoS attacks but cannot do anything against DDoS.
DDoS are sophisticated attacks and they need sophisticated solution to recognize and stop them.
As per my knowledge this can't be treated at your level, but it needs to be handled mainly at ISP level.
You can recognize them in your FGT logs when you see very high frequency thousands of incoming packets from random hundreds sources. These sources are infected hosts controlled by bad actor, and the owners of these hosts don't even know they are infected.
You'd be surprised at the bandwidth DDOS services will provide, haha. I don't think 5Gbps is out of the question.
Regarding the CPU issue, I would have a look at any WAN -> LAN policies and see if there is logs enabled and any excessive usage on them. Specifically VIPs or anything similar which would open a port. Perhaps you were logging the DDOS traffic.
In the future, you can configure DoS policies which will help depending on what type of DDOS attack was performed. The majority of the blocking has to be done at an ISP level as the FortiGate can't really control what hits it from the ISP infrastructure. If you notice this happening regularly, I would strongly recommend opening a ticket with the ISP and seeing what they can do.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1740 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.