FortiDDos DDoS Attack Mitigation Guide - Fortinet
Anti-DDoS appliances
• Memory resources can be exhausted by filling up various kernel tables that are not tuned to be sufficiently large. Ensure that you understand the various kernel tables.
• The network card is the gateway for packets. A better network card means better handling of large numbers of packets, and a better network card driver means better performance.
• Choose a proven vendor and model (such as Intel) and a driver that is already hardened.
• Use the NetFilter/iptables firewall to deny bad packets.
• Use the hashlimit module to identify IPs that are consuming resources.
• Use the ipset module to maintain large block-lists of IP addresses that can be queried, loaded and unloaded from user space.
• Use the command netstat -plan|grep :80 |awk '{print $5}' |cut -d: -f1 |sort |uniq -c |sort -n to find out whether port 80 is being attacked by too many IPs.
• Use Apache modules such as mod_evasive and mod_limitipconn to limit attacks from a limited number of IPs.
• Try mod_qos to improve quality of service.
• Apache has its limits. You can try LiteSpeed.
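The per-IP connection count that the netstat pipeline above produces, as an added shell example that is not from the Fortinet guide: it runs the same counting logic over a constructed `netstat -plan` sample embedded in the script (the sample addresses and the function names count_by_remote_ip, top_talker, connections_for and over_threshold are my own), strips the remote port with a regex instead of cut -d: so IPv6 peers are not truncated, and lists the peers above a connection threshold.

```shell
#!/bin/sh
# Added example, not from the Fortinet guide: the guide's netstat pipeline
# (count connections per remote IP on port 80) as functions that run over a
# constructed sample, so it works offline and without root.

# Constructed sample in `netstat -plan` format; all peers are documentation
# addresses (RFC 5737 / RFC 3849), not real hosts.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/apache2
tcp        0      0 10.0.0.5:80             198.51.100.7:51000      ESTABLISHED 1234/apache2
tcp        0      0 10.0.0.5:80             203.0.113.9:40001       ESTABLISHED 1234/apache2
tcp        0      0 10.0.0.5:80             203.0.113.9:40002       ESTABLISHED 1234/apache2
tcp        0      0 10.0.0.5:80             203.0.113.9:40003       SYN_RECV    1234/apache2
tcp        0      0 10.0.0.5:80             203.0.113.9:40004       ESTABLISHED 1234/apache2
tcp        0      0 10.0.0.5:22             192.0.2.10:55000        ESTABLISHED 999/sshd
tcp6       0      0 :::80                   :::*                    LISTEN      1234/apache2
tcp6       0      0 2001:db8::5:80          2001:db8:ffff::c0:4321  ESTABLISHED 1234/apache2'

# Reads netstat-style lines on stdin; prints "<count> <remote ip>" for every
# peer connected to local port $1 (default 80), busiest last like `sort -n`.
# Listening sockets (foreign address ending in "*") are skipped. The remote
# port is removed by deleting the trailing ":digits", which keeps IPv6 peers
# intact where the guide's `cut -d: -f1` would cut them at the first colon.
count_by_remote_ip() {
  port="${1:-80}"
  awk -v port="$port" '
    $1 ~ /^tcp/ && $4 ~ (":" port "$") && $5 !~ /\*$/ {
      ip = $5
      sub(/:[0-9]+$/, "", ip)
      n[ip]++
    }
    END { for (ip in n) print n[ip], ip }' | sort -n
}

# Remote IP with the most connections to port 80 in the sample.
top_talker() {
  printf '%s\n' "$SAMPLE_NETSTAT" | count_by_remote_ip 80 | tail -n 1 | awk '{print $2}'
}

# Connection count for one remote IP (prints nothing if it has none).
connections_for() {
  printf '%s\n' "$SAMPLE_NETSTAT" | count_by_remote_ip 80 | awk -v want="$1" '$2 == want {print $1}'
}

# Peers with at least $1 connections: the candidate list an operator reviews
# before feeding it to an ipset block-list or tightening a hashlimit rule.
over_threshold() {
  printf '%s\n' "$SAMPLE_NETSTAT" | count_by_remote_ip 80 | awk -v min="$1" '$1 >= min {print $2}'
}

# Run directly: show the full table, then the peers with at least 3 connections.
printf '%s\n' "$SAMPLE_NETSTAT" | count_by_remote_ip 80
echo "--- peers with at least 3 connections ---"
over_threshold 3
```

To use it against a live host, replace the `printf '%s\n' "$SAMPLE_NETSTAT"` stage with `netstat -plan` (or `ss -tan`, which prints the same local/remote columns). A high count from one peer is a signal to investigate, not proof of an attack: a corporate NAT or a CDN edge can legitimately hold many connections, which is why the threshold is a parameter rather than a fixed number.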
There are primarily the following categories of appliances in the market for DDoS mitigation:
Carrier DDoS mitigation solutions
• These solutions are useful for global networks, carriers and ISPs.
• They employ IP flow-based and deep packet inspection technologies, and protect entire networks consisting of multiple routers and switches and the services behind them.
• An example of such solutions is Arbor Networks.
• These solutions are too expensive for individual IDCs, web hosts or web properties.
• These solutions were designed around the early 2000s and therefore are not keeping up with the current generation of DDoS attacks, which involve botnets that mimic legitimate clients.
• These solutions work very well at the global level, but the residual attacks that pass through them may be too much for an individual web property, which in turn may have to employ a solution such as category 2 below.
Custom logic (FPGA or ASIC) based internet data center (IDC), web hosting and web property DDoS mitigation solutions
• These solutions are useful for large IDCs, large web hosts and large web properties.
• They work to protect one or several Internet links.
• The behavioral solutions are implemented in custom hardware logic and provide line-rate performance for large attacks.
• The FortiDDoS device is one such solution.
• These solutions are cost-effective and effective for IDCs, web hosts and web properties.
FortiDDoS DDoS Attack Mitigation Guide 28-100-167076-20120501 7
http://docs.fortinet.com/