Devaldas
New Contributor

DOS protection

How to defend a client if an attack is coming from one source with lots of UDP packets? The DoS profile udp_flood will drop all packets, good and bad. How to create a limit, for example, so that only 100 packets per second would be accepted from one source?
Matthijs
New Contributor II

Hi, please do not cross-post in different places. I think what you want is not DoS protection but traffic shaping? You can use a per-IP shaper in a firewall policy for UDP traffic. It will drop all packets that exceed the configured maximum.
Devaldas
New Contributor

No ... I'm talking about the DoS profile and DoS anomalies. Traffic shaping isn't DoS protection, because you can send a UDP flood with small packets and traffic shaping won't help.
g3rman
New Contributor

Devaldas, check out this knowledge base article, which describes setting up and enabling DoS protection in detail. Feel free to post again if this doesn't answer your questions. http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=fortigate-utm-40-mr3pdf&sliceId=&docTypeID=DT_PRODUCTDOCUMENTATION_1_1&dialogID=40440946&stateId=0%200%2040442147
A Real World Fortinet Guide Configuration Examples & Frequently Asked Questions http://firewallguru.blogspot.com
RafalS
New Contributor

Hi, Devaldas may have found answers to his questions in the proposed doc, but I haven't found answers to mine, also regarding DoS, so I subscribe to this thread and share my doubts for your consideration. Here's an excerpt from my config:
 config firewall DoS-policy
     edit 11
         set interface "port3"
         set srcaddr "INTER_######"
         set dstaddr "DMZ_GW"
         set service "PING"
             config anomaly
                 edit "icmp_flood"
                     set status enable
                     set log enable
                     set action block
                     set quarantine attacker
                     set quarantine-expiry 259200
                     set quarantine-log enable
                     set threshold 10
                 next
             end
     next
 end
 
and here's my probe:
 E:\>fping dmzgw.polsteam.com -t20 -n15 -b-
 
 Fast pinger version 2.22
 (c) Wouter Dhondt (http://www.kwakkelflap.com)
 
 Pinging ########## [217.153.######] with 32 bytes of data every 20 ms:
 
 Reply[1] from 217.153.######: bytes=32 time=64.5 ms TTL=245
 Reply[2] from 217.153.######: bytes=32 time=63.4 ms TTL=245
 Reply[3] from 217.153.######: bytes=32 time=63.1 ms TTL=245
 Reply[4] from 217.153.######: bytes=32 time=65.6 ms TTL=245
 Reply[5] from 217.153.######: bytes=32 time=63.4 ms TTL=245
 Reply[6] from 217.153.######: bytes=32 time=63.5 ms TTL=245
 Reply[7] from 217.153.######: bytes=32 time=64.4 ms TTL=245
 Reply[8] from 217.153.######: bytes=32 time=63.0 ms TTL=245
 Reply[9] from 217.153.######: bytes=32 time=64.1 ms TTL=245
 Reply[10] from 217.153.######: bytes=32 time=63.2 ms TTL=245
 217.153.######: request timed out
 Reply[12] from 217.153.######: bytes=32 time=62.9 ms TTL=245
 Reply[13] from 217.153.######: bytes=32 time=64.3 ms TTL=245
 Reply[14] from 217.153.######: bytes=32 time=63.6 ms TTL=245
 Reply[15] from 217.153.######: bytes=32 time=63.6 ms TTL=245
 
 Ping statistics for 217.153.######:
         Packets: Sent = 15, Received = 14, Lost = 1 (6% loss)
 Approximate round trip times in milli-seconds:
         Minimum = 62.9 ms, Maximum = 65.6 ms, Average = 63.8 ms
 
It can be seen that the "icmp_flood" scanner does its job detecting the anomaly. Still, I can't see the quarantine effect with myself being the "attacker". I'd expect that all echo requests following no. 10 remain unanswered and that an additional entry feeds the Intrusion Protection log. Do you have experience quarantining DoS attackers, and can you tell me what I am missing? Thanks, Rafal
FCNSP 4.x running FortiOS 5.0.4 on FG621B A-A HA
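Added illustration, not part of the thread and not Fortinet code: a small Python model of the two per-source controls discussed above, the per-IP shaper Matthijs suggested for Devaldas's "100 packets per second from one source" question, and the threshold-plus-quarantine behaviour RafalS expected from his icmp_flood anomaly (threshold 10, quarantine-expiry 259200). The packet stream is constructed to mimic the fping probe (15 echo requests, one every 20 ms, from a single host). The one-second sliding window and the "quarantine on the first packet over threshold" rule are assumptions of this model, not a description of FortiOS internals; the point is to make visible what each control should do to packets 11 through 15.

```python
"""Per-source rate limiting vs. anomaly threshold with quarantine (model).

Constructed example, not FortiOS code. Timestamps are seconds as floats,
sources are IP address strings from documentation ranges.
"""
from collections import defaultdict, deque


class PerSourceRateLimiter:
    """Per-IP shaper model: allow at most `pps` packets per source in any
    one-second sliding window and drop the excess. Good and bad packets
    from that source are treated alike, which is Devaldas's objection."""

    def __init__(self, pps):
        self.pps = pps
        self.windows = defaultdict(deque)  # src -> timestamps of accepted packets

    def accept(self, src, ts):
        window = self.windows[src]
        while window and ts - window[0] >= 1.0:   # expire entries older than 1 s
            window.popleft()
        if len(window) >= self.pps:
            return False                           # over the per-source limit: drop
        window.append(ts)
        return True


class AnomalyQuarantine:
    """DoS-anomaly model: count packets per source per second; the first
    packet that pushes a source over `threshold` is blocked, logged, and the
    source is quarantined for `expiry` seconds. Every later packet from a
    quarantined source is dropped until the quarantine expires (the effect
    RafalS expected to see from packet 11 onwards)."""

    def __init__(self, threshold, expiry):
        self.threshold = threshold
        self.expiry = expiry
        self.seen = defaultdict(deque)   # src -> timestamps in the last second
        self.quarantined = {}            # src -> release timestamp
        self.log = []                    # (ts, src, anomaly, action) entries

    def accept(self, src, ts):
        release = self.quarantined.get(src)
        if release is not None:
            if ts < release:
                return False             # still quarantined: drop silently
            del self.quarantined[src]    # quarantine expired, start counting again
        window = self.seen[src]
        while window and ts - window[0] >= 1.0:
            window.popleft()
        window.append(ts)
        if len(window) > self.threshold:
            self.quarantined[src] = ts + self.expiry
            self.log.append((ts, src, "icmp_flood", "quarantine"))
            return False
        return True


def flood_probe(src="203.0.113.10", count=15, interval=0.02, start=0.0):
    """Constructed stream mimicking 'fping -t20 -n15': `count` echo requests
    from one source, `interval` seconds apart."""
    return [(start + i * interval, src) for i in range(count)]


def run(control, packets):
    """Feed (ts, src) packets through a control; return one accept flag per packet."""
    return [control.accept(src, ts) for ts, src in packets]


if __name__ == "__main__":
    det = AnomalyQuarantine(threshold=10, expiry=259200)
    print("anomaly+quarantine:", run(det, flood_probe()))   # 10x True, then 5x False
    print("log:", det.log)
    lim = PerSourceRateLimiter(pps=100)
    print("shaper @100 pps:  ", run(lim, flood_probe()))   # 50 pps probe passes untouched
    print("shaper @10 pps:   ", run(PerSourceRateLimiter(pps=10), flood_probe()))
```

With threshold 10 the model drops packet 11 and, because the source is now quarantined, packets 12 to 15 as well; in RafalS's capture only packet 11 timed out, which is what makes his question worth asking. The shaper at 100 pps passes the whole 50 pps probe, so it only helps once the limit is set below the flood rate, and then it cannot distinguish wanted from unwanted packets from that source.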
RafalS
New Contributor

I can't see the quarantine effect with myself being the "attacker". I'd expect that all echo requests following no. 10 remain unanswered and that an additional entry feeds the Intrusion Protection log.
I've made some progress on this issue. Will share results asap. Meanwhile, please don't bother to help. BR, Rafal
FCNSP 4.x running FortiOS 5.0.4 on FG621B A-A HA
TheJaeene

@RafalS Same problem here with FortiOS 5.0.1 on an 80C. First I thought it's a problem related to my PPPoE dial-in, but I can also reproduce it on all other interfaces. Regards, Jan
emnoc
Esteemed Contributor III

FWIW, if they are UDP flooding you, nothing you can do at the DoS anomaly level can help. Think about this: the UDP flood is going to consume your WAN bandwidth before it even gets to the DoS sensor for it to take action. So even if you block it at the firewall policy + DoS sensors, the damage is already done. Also, it's next to impractical to traffic-shape inbound traffic for the same reasons.
PCNSE NSE StrongSwan