We are getting a SYN flood attack on the POP3 port. I have turned on DoS and limited the threshold to 500 on this port, otherwise it will block. Also, I have limited the connection ip_src_session and ip_dst_session to 500. However, I am still seeing a lot of connections through netstat on my e-mail server doing a SYN flood attack on POP3, and I am not seeing anything indicating blocks in my logs. First, how can I see what I have done in logs so I can monitor the effectiveness of my rules in the firewall? Second, what other ways can I block this type of attack? I do want to mention, I have a FortiMail appliance that I route SMTP through but not POP3, so this might be a better option also. I appreciate the feedback.
Did you enable syn-flood? What is the threshold set to, if you have enabled it?
I actually set it to 10 and it seems to be working, as our e-mail server is not having problems anymore. However, I am still seeing the connections. Is there any way to limit the connections on the POP3 port?
The FortiMail doesn't look at/deal with POP3, unless it's in Server mode. So sending your POP3 traffic that way is pointless.
It only looks at SMTP/SMTPS.
You may have some options for restricting connections on your server. Check the settings/options that are available to you there. Otherwise your options for limiting traffic are through the DoS policies on the FortiGate (with the DoS anomalies).
You can set up a DoS policy that only applies to POP3 (tcp port 110) and then set up very strict source rules, since you know it will only apply to the POP3 traffic and not interfere with other traffic.
You may want to have the DoS policy apply to POP3S as well (tcp port 995) just in case.
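The policy described in the reply above, written out as a FortiOS CLI fragment. This is an added example, not configuration from the thread or from Fortinet documentation: the interface name `wan1`, the policy ID, the threshold placeholder and the use of the built-in `POP3` and `POP3S` service objects are assumptions, and the correct threshold is whatever the poster tuned empirically (the thread reports that 10 stopped the server problems). The `set log enable` lines on each anomaly are what makes a block show up in the anomaly log, which addresses the original question about not seeing blocks in the logs.

```text
# Assumed FortiOS CLI (added example, not from the original thread).
# Interface name, policy ID and thresholds are placeholders.
config firewall DoS-policy
    edit 10
        set name "pop3-synflood-guard"
        set comments "SYN-flood protection scoped to POP3/POP3S only"
        set interface "wan1"          # assumption: the external interface
        set srcaddr "all"
        set dstaddr "all"             # narrow this to the mail server object if one exists
        set service "POP3" "POP3S"    # tcp/110 and tcp/995 only, so other traffic is unaffected
        config anomaly
            edit "tcp_syn_flood"
                set status enable
                set log enable        # without this, blocks never appear in the anomaly log
                set action block
                set threshold 10      # placeholder: the value the poster found effective
            next
            edit "ip_src_session"
                set status enable
                set log enable
                set action block
                set threshold 500     # placeholder: per-source session cap from the thread
            next
            edit "ip_dst_session"
                set status enable
                set log enable
                set action block
                set threshold 500     # placeholder: per-destination session cap from the thread
            next
        end
    next
end
```

Because the service is restricted to POP3/POP3S, the SYN-flood threshold can be far lower than anything you would accept on a general-purpose policy. Log entries land in the anomaly log category, so check that category (not the traffic log) when verifying that blocks are occurring; if the counters stay at zero while netstat still shows half-open connections, the policy is not bound to the interface the flood arrives on.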
Copyright 2024 Fortinet, Inc. All Rights Reserved.