Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Autumn 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiConnect
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDB
- FortiDDoS
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiWAN
- FortiVoice
- FortiWeb
- FortiWebCloud
- Lacework
- RMA Information and Announcements
- Wireless Controller
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- RE: how to stop dos attacks to the WAN interface
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
how to stop dos attacks to the WAN interface
I know this is a broad question, but what are the best practices that can be done to stop attacks to the fortigate' s WAN interface.
example is we have a DNS Server with virtual IP inside the LAN network.
few days ago, the dns server crashed because of a, we believed to be an attack.
The wan interface, showed huge amount of traffic before the DNS (with VIP)went down.
Right now on the logs, there are a lot of public ip addresses trying to access the WAN interface through different kind of ports tcp/58512, 58512/udp, domain name server, etc.
although the attaks are blocked, we are just worrying that this would cause high cpu utilization causing the fortigate to crash.
any ideas? thanks.
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Put a device in front of the FGT that drops the packets. That way the Fortigate will be protected and won' t have to use resources to filter out roque packets.
If the packet hits the FGT then not much you can do, it has to deal with it which costs local resources.
FortiDDoS actually can do a really good job of protecting your network from these kind of attacks.
Talk to the local Fortinet sales team to loan one for a few weeks for POC.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
whew. just as i expected. its pretty much no more chance of adding configurations to the fortigate regarding this attacks.
I just thought there could be added configs that can be used for these attacks. like, best practices, most secured configuration, etc.
we don' t have any more devices that can be put in front of the fortigate, aaand there' s a limitation in budget even if we are aware of the fortiDDOS.
thanks sir.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
You can configure DDOS on your fortigate (not on all model). You have to do that in CLI on small device, or you have a menu in the webui on " big" model.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your wasting your time if it' s an pure volumetric DDoS attack under the definition of the wording DDoS You need to filter/inspect and drop traffic way ahead of your firewall. Nothing you can ever do on the FGT will drop traffic if it' s a volumetric. The UDP have already did damage by flooding your WAN uplinks.
Even if you successfully prevent the traffic from entering the DNS-server, you still have the traffic wasting your WAN bandwdith and resources locally on the firewall.
What I would do is to run some packet captures to see what type of dns.attack if any;
is it a " A" qry flood
Are they asking for recursion
Are they asking for a NXDOMAIN ( yeap I have a few russian sources that' s being blocked for 1 year now that things I' m Authoritive for xxxxx.com )
Are they listed as safe-sources for recursion ( look at the src address , drop anything that rfc1918, test-net, and not part of your range if your doing recursion )
do you have HUGH TXT response coming at you ( class DDoS volumertric flood btw )
how many querys per/sec do see
if your running bind9 what dos your dns-stats show ( you can use rndc or dump these )
/I]
I can on and on on how you look for other signs such as match TTL and query-id are being repeated and/or ephemeral ports are being increase but the ttl the same or the sources are randomized
Next go over your DNS server security functions with a fine tooth comb.
ensure EDNS is good
query/response throttle if that option is available
ACL controls for AXFR and Recursion lookup for sources your expect and trust
etc.....
If all check outs and you still think your dns-server is being hit, consult with a DDoS provider.
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
But yes, there is more you can do to relieve your FGT. You can see in your logs that the originating source is often the same address. Create an interface-policy (in the CLI only!) to filter on that source address. I would even expand that to whole subnets and/or countries. Interface policies are effective way before other FGT features like routing, regular policies or UTM. They are meant to help in exactly your situation. A real DDoS attack cannot be stopped this way, all of what emnoc posted is the bitter truth. But you can protect your network and the ressources of your FGT with simple configuration. Besides, funny that interface policy is coming up twice in the last days. It' s rarely used and even more rarely asked for on the forums. See https://forum.fortinet.com/FindPost/113610
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To a certain degree you can rate limit access using a DoS sensor (https://forum.fortinet.com/FindPost/111099). Alternatively, an IPS sensor to track some IPs, but this consumes more resources. Maybe you should also check if your server is acting as an open resolver: http://openresolverproject.org/
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- How may one know which DNS... 445 Views
- What FortiOS Event Logs should i... 857 Views
- FortiADC disconnected interfaces in vmware 723 Views
- FortiGate cheatsheet FortiOS 7.4 2141 Views
- Fortigate 60F - VLAN interface as... 456 Views
Labels
-
FortiGate
8,080 -
FortiClient
1,622 -
5.2
801 -
FortiManager
682 -
5.4
639 -
FortiAnalyzer
518 -
FortiAP
427 -
FortiSwitch
426 -
6.0
416 -
FortiClient EMS
365 -
5.6
362 -
FortiMail
301 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
189 -
SSL-VPN
178 -
FortiNAC
163 -
IPsec
154 -
6.4
128 -
FortiGuard
125 -
FortiGateCloud
98 -
FortiSIEM
94 -
FortiCloud Products
94 -
SD-WAN
89 -
FortiToken
86 -
Customer Service
74 -
Wireless Controller
74 -
FortiAuthenticator
70 -
4.0MR3
64 -
Firewall policy
58 -
FortiProxy
53 -
FortiEDR
50 -
Fortivoice
49 -
FortiADC
49 -
FortiExtender
43 -
VLAN
42 -
FortiDNS
41 -
High Availability
41 -
FortiSandbox
39 -
ZTNA
37 -
FortiGate v5.4
35 -
Routing
35 -
LDAP
34 -
FortiSwitch v6.4
33 -
DNS
33 -
BGP
32 -
SAML
31 -
Certificate
30 -
Interface
29 -
SSO
27 -
NAT
27 -
FortiConnect
26 -
FortiConverter
25 -
Authentication
25 -
FortiWAN
24 -
RADIUS
24 -
FortiLink
24 -
FortiGate v5.2
23 -
VDOM
23 -
Application control
21 -
Web profile
21 -
Virtual IP
20 -
FortiSwitch v6.2
18 -
FortiPortal
18 -
Fortigate Cloud
18 -
Logging
18 -
Traffic shaping
17 -
FortiMonitor
16 -
FortiPAM
16 -
FortiDDoS
15 -
FortiGate v5.0
14 -
SSL SSH inspection
14 -
OSPF
13 -
FortiCASB
12 -
SSID
12 -
Admin
12 -
IP address management - IPAM
12 -
FortiManager v5.0
11 -
Automation
11 -
Static route
11 -
WAN optimization
11 -
Web application firewall profile
11 -
FortiSOAR
10 -
FortiRecorder
10 -
SNMP
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiAP profile
9 -
System settings
9 -
FortiManager v4.0
8 -
FortiBridge
8 -
RMA Information and Announcements
8 -
IPS signature
8 -
Proxy policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
Security profile
7 -
Traffic shaping policy
7 -
Port policy
7 -
FortiCache
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Intrusion prevention
6 -
FortiCarrier
5 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Fabric connector
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiDeceptor
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Antivirus profile
4 -
Traffic shaping profile
4 -
Application signature
4 -
DLP sensor
4 -
Email filter profile
4 -
Netflow
4 -
Web rating
4 -
FortiDB
3 -
FortiHypervisor
3 -
Explicit proxy
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Replacement messages
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
API
2 -
FortiNDR
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
Schedule
2 -
Service
2 -
Zone
2 -
Cloud Management Security
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Kerberos
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
TACACS
1 -
SDN connector
1 -
Multicast policy
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1517 | |
| 1013 | |
| 749 | |
| 443 | |
| 209 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.