condor
New Contributor

Cannot block DoS attack (tcp_port_scan, tcp_syn_flood, etc.)

Hi all, with FortiOS 5.2 in Transparent Mode I want to block:

  • http://fortiguard.com/encyclopedia/ips/100663398
  • http://fortiguard.com/encyclopedia/ips/100663396
  • all available

So I made this DoS policy: src: All, dst: All, Service: All

But when I try with nmap the traffic passes through; here are a few examples from the logs:

    "date=2017-06-23 time=17:44:41 devname=FGTIZ devid=FGT3... logid=0720018432 type=anomaly subtype=anomaly level=alert vd="root" severity=critical srcip=1.1.1.1 dstip=2.2.2.2 srcintf="port5" sessionid=0 action=clear_session proto=6 service=tcp/2820 count=1899 attack="tcp_syn_flood" srcport=65030 dstport=1035 attackid=100663396 policyid=1 ref="http://www.fortinet.com/ids/VID100663396" msg="anomaly: tcp_syn_flood, 25 > threshold 10, repeats 1899 times" crscore=50 crlevel=critical"

     

"date=2017-06-23 time=17:27:48 devname=FGTIZ devid=FGT3... logid=0000000013 type=traffic subtype=forward level=notice vd=root srcip=1.1.1.1 srcport=41999 srcintf="port5" dstip=2.2.2.2 dstport=1097 dstintf="port2" poluuid=4d367a58-4fa3-51e7-a2a2-e380cea7d636 sessionid=45815004 proto=6 action=timeout policyid=1 dstcountry="Reserved" srccountry="Reserved" trandisp=noop service="tcp/1097" duration=10 sentbyte=44 rcvdbyte=0 sentpkt=1 rcvdpkt=0 appcat="unscanned" crscore=5 craction=262144 crlevel=low"

     

What am I doing wrong?!

    Thanks

    wterry
    New Contributor

I believe that it's working correctly: the action "action=clear_session" and "tcp_syn_flood, 25 > threshold 10, repeats 1899 times" indicate that once the threshold was reached the traffic was blocked.
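
To make the check wterry describes repeatable rather than a by-eye read of one line, here is an added example (not from the original thread and not Fortinet code) that parses the two FortiOS records quoted in the question. It splits the key=value pairs while keeping quoted values such as msg="..." intact, pulls the attack name, observed rate, configured threshold and repeat count out of the anomaly message, and reports the packet counters of the traffic record (sentpkt=1, rcvdpkt=0: one packet sent, nothing returned). The field names are those present in the quoted records; the two sample lines are copied from the question, with the truncated devid=FGT3... left as it was posted; reading action=clear_session as "blocked" follows wterry's reply; the bucket names anomaly_blocked, anomaly_logged and traffic are my own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: the two FortiOS records quoted in the question,
# copied verbatim (the truncated devid=FGT3... is kept as posted).
SAMPLE_LOGS: List[str] = [
    'date=2017-06-23 time=17:44:41 devname=FGTIZ devid=FGT3... logid=0720018432 '
    'type=anomaly subtype=anomaly level=alert vd="root" severity=critical '
    'srcip=1.1.1.1 dstip=2.2.2.2 srcintf="port5" sessionid=0 action=clear_session '
    'proto=6 service=tcp/2820 count=1899 attack="tcp_syn_flood" srcport=65030 '
    'dstport=1035 attackid=100663396 policyid=1 '
    'ref="http://www.fortinet.com/ids/VID100663396" '
    'msg="anomaly: tcp_syn_flood, 25 > threshold 10, repeats 1899 times" '
    'crscore=50 crlevel=critical',
    'date=2017-06-23 time=17:27:48 devname=FGTIZ devid=FGT3... logid=0000000013 '
    'type=traffic subtype=forward level=notice vd=root srcip=1.1.1.1 srcport=41999 '
    'srcintf="port5" dstip=2.2.2.2 dstport=1097 dstintf="port2" '
    'poluuid=4d367a58-4fa3-51e7-a2a2-e380cea7d636 sessionid=45815004 proto=6 '
    'action=timeout policyid=1 dstcountry="Reserved" srccountry="Reserved" '
    'trandisp=noop service="tcp/1097" duration=10 sentbyte=44 rcvdbyte=0 '
    'sentpkt=1 rcvdpkt=0 appcat="unscanned" crscore=5 craction=262144 crlevel=low',
]

# key=value pairs: the value is either a double-quoted string (which may
# contain spaces, e.g. msg="...") or a run of non-whitespace characters.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Shape of the anomaly msg field as it appears in the quoted record.
MSG_RE = re.compile(
    r'anomaly: (?P<attack>[^,]+), (?P<rate>\d+) > threshold (?P<threshold>\d+), '
    r'repeats (?P<repeats>\d+) times'
)


def parse_record(line: str) -> Dict[str, str]:
    """Split one FortiOS log line into a dict, stripping quotes from values."""
    fields: Dict[str, str] = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def anomaly_details(rec: Dict[str, str]) -> Optional[Dict[str, object]]:
    """For a type=anomaly record return attack, rate, threshold, repeats and
    whether the session was cleared; None for any other record."""
    if rec.get("type") != "anomaly":
        return None
    m = MSG_RE.search(rec.get("msg", ""))
    if m is None:
        return None
    return {
        "attack": m["attack"],
        "rate": int(m["rate"]),
        "threshold": int(m["threshold"]),
        "repeats": int(m["repeats"]),
        "attackid": rec.get("attackid"),
        # Treating action=clear_session as "blocked" follows wterry's reply.
        "blocked": rec.get("action") == "clear_session",
    }


def summarize(lines: List[str]) -> Dict[str, List[Dict[str, object]]]:
    """Group records into anomaly hits that cleared sessions, anomaly hits that
    only logged, and plain forward-traffic sessions with their packet counters."""
    out: Dict[str, List[Dict[str, object]]] = {
        "anomaly_blocked": [], "anomaly_logged": [], "traffic": []
    }
    for line in lines:
        rec = parse_record(line)
        details = anomaly_details(rec)
        if details is not None:
            bucket = "anomaly_blocked" if details["blocked"] else "anomaly_logged"
            out[bucket].append(details)
        elif rec.get("type") == "traffic":
            out["traffic"].append({
                "src": f'{rec.get("srcip")}:{rec.get("srcport")}',
                "dst": f'{rec.get("dstip")}:{rec.get("dstport")}',
                "action": rec.get("action"),
                "sentpkt": int(rec.get("sentpkt", 0)),
                "rcvdpkt": int(rec.get("rcvdpkt", 0)),
            })
    return out


if __name__ == "__main__":
    for bucket, items in summarize(SAMPLE_LOGS).items():
        for item in items:
            print(bucket, item)
```

Run against the two quoted lines, the anomaly record lands in anomaly_blocked with rate 25 against threshold 10 and 1899 repeats, and attackid 100663396 matches the second FortiGuard encyclopedia link in the question; the traffic record shows action=timeout with one packet sent and none received. Pointing the script at a larger export of the same log format lets you count how many anomaly hits were cleared versus only logged per source address.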

    Deepakkhw
    New Contributor III

NMAP scanning is not blocked by DDoS protection. DDoS protection works when your TCP or UDP sessions reach a certain limit, such as TCP_SRS_Session 5000; then it activates and drops all new sessions until the old sessions end or time out.

     

NMAP scanning will be blocked by IPS. Please configure IPS and update its signature database.

     

    Regards,

    Deepak Kumar 
