FortiDDos DDoS Attack Mitigation Guide - Fortinet
Source rate limiting

When only a limited number of sources are available to a bot-master, he or she can use them to send packets aggressively. These high-rate packets can burden the server. Multithreaded attacks cause such patterns of attack. By identifying outlier IP addresses that break norms, you can deny them access to excessive bandwidth. Since the IP addresses in such attacks are not predictable, it is important to keep track of millions of IP addresses and their behavior in order to isolate the outliers. Such isolation can only be done in silicon; it is difficult to achieve using software-only techniques because of the excessive memory bandwidth required.

Dynamic filtering

Static filtering is a common technique in firewalls, switches and routers and is usually achieved using Access Control Lists (ACLs). Dynamic filtering is required when the attack and the attackers change constantly. Dynamic filtering is done by identifying undisciplined behavior and punishing that behavior for a short time: a short-span filtering rule is created and then removed again after that time-span.
Active verification through legitimate IP address matching

While SYN proxy is a great technique for anti-spoofing, if the appliance keeps sending SYN/ACK packets back every time there is a SYN flood within a short duration, that would add too much outbound traffic. To avoid such a reverse flood, it is necessary to cache identified legitimate IPs in a memory table for a limited period of time and then let them through without the SYN proxy check. It is quite possible for attackers to misuse such holes, therefore further checks on legitimate IP addresses are necessary: rate limiting zombies that are able to complete the 3-way handshake.
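The decision path described above (proxy the handshake for unknown sources, cache a source that completes it for a limited time, skip the proxy check for cached sources but rate limit the connections they open) is shown below as an added example. It is not code from the FortiDDoS guide or from Fortinet; the TTL, window, rate limit, source addresses and event timeline are constructed assumptions, and the model deliberately ignores sequence numbers and the SYN cookie mechanics a real SYN proxy uses.

```python
from collections import defaultdict, deque

# Hypothetical parameters (assumptions for this illustration, not FortiDDoS settings).
LEGIT_TTL_SECONDS = 60.0   # how long a verified source may skip the SYN proxy check
SYN_WINDOW_SECONDS = 1.0   # window over which new connections per verified source are counted
SYN_RATE_LIMIT = 10        # max new connections per window from a verified source


class SynProxyGate:
    """Models the SYN proxy decision path in front of a protected server.

    Unknown source sends SYN  -> appliance answers SYN/ACK itself (proxy); the server is not touched.
    Unknown source sends ACK completing the proxied handshake -> source is cached as legitimate
                                                                 with an expiry time.
    Cached source sends SYN   -> forwarded to the server without the proxy check, but counted
                                 against a per-source connection rate limit, so a zombie that
                                 can complete handshakes cannot flood through the hole freely.
    """

    def __init__(self):
        self.legit_until = {}                  # src -> expiry time of the cached verification
        self.pending = set()                   # sources that were sent a proxied SYN/ACK
        self.conn_window = defaultdict(deque)  # src -> timestamps of connections it opened

    def _purge(self, now):
        # Cached verifications are only valid for a limited period.
        for src, until in list(self.legit_until.items()):
            if now >= until:
                del self.legit_until[src]

    def handle(self, now, src, flags):
        """Return the action taken: 'proxy_synack', 'cache', 'forward', 'rate_limit' or 'drop'."""
        self._purge(now)
        if src in self.legit_until:
            if flags == "SYN":
                window = self.conn_window[src]
                window.append(now)
                while window and now - window[0] > SYN_WINDOW_SECONDS:
                    window.popleft()
                if len(window) > SYN_RATE_LIMIT:
                    return "rate_limit"
            return "forward"
        if flags == "SYN":
            # A real appliance bounds this set (SYN cookies); a spoofed flood never completes it.
            self.pending.add(src)
            return "proxy_synack"
        if flags == "ACK" and src in self.pending:
            self.pending.discard(src)
            self.legit_until[src] = now + LEGIT_TTL_SECONDS
            return "cache"
        return "drop"


def run(events):
    """Feed (time, src, flags) events through one gate and return the list of actions."""
    gate = SynProxyGate()
    return [gate.handle(t, src, flags) for t, src, flags in events]


def sample_events():
    """Constructed timeline: a legitimate client, a spoofed SYN flood and a handshake-capable zombie."""
    ev = []
    # Legitimate client: handshake, one reconnect inside the TTL, one reconnect after it.
    ev += [(0.0, "203.0.113.10", "SYN"), (0.05, "203.0.113.10", "ACK"),
           (10.0, "203.0.113.10", "SYN"), (90.0, "203.0.113.10", "SYN")]
    # Spoofed SYN flood: every SYN from a different source, none ever acknowledged.
    ev += [(1.0 + i * 0.01, f"198.51.100.{i}", "SYN") for i in range(5)]
    # Zombie that can complete the handshake: verifies once, then opens 15 connections in 0.5 s.
    ev += [(20.0, "192.0.2.5", "SYN"), (20.05, "192.0.2.5", "ACK")]
    ev += [(21.0 + i * 0.03, "192.0.2.5", "SYN") for i in range(15)]
    ev.sort(key=lambda e: e[0])
    return ev


if __name__ == "__main__":
    for (t, src, flags), action in zip(sample_events(), run(sample_events())):
        print(f"t={t:6.2f} {src:15} {flags:3} -> {action}")
```

In the constructed timeline the spoofed flood only ever costs the appliance a proxied SYN/ACK per SYN and never reaches the server; the legitimate client is proxied once, cached, forwarded on its reconnect inside the TTL and proxied again once the cache entry has expired; and the zombie that completes the handshake is forwarded for its first ten connections and rate limited for the remaining five, which is the extra check the text calls for on cached addresses.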
Anomaly recognition

Most DDoS attacks are written using scripts which continuously vary a few parameters in the network packets. By performing anomaly checks on headers, state and rate, an appliance can filter out most attack packets which would otherwise pass simple firewall rules.

Protocol analysis

Similar to header, state and rate anomalies, further protocol analysis can bring out issues that would otherwise pass through a generic firewall.
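The header and state checks mentioned in the last two sections are easiest to see on parsed packets. The following is an added example, not code from the FortiDDoS guide or from Fortinet: it applies a handful of well-known TCP/IP header sanity checks (illegal flag combinations, impossible header lengths, port zero, an urgent pointer without the URG flag, TTL zero) and a minimal flow table that flags packets for which no connection state exists. The packet dictionaries, addresses and the particular set of checks are constructed assumptions; a real appliance works on raw headers and carries many more rules.

```python
from collections import Counter

# Standard TCP flag bit values.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def make_packet(src, sport, dst, dport, flags, **overrides):
    """Build a constructed, already-parsed packet as a dict (no raw bytes involved)."""
    pkt = {"src": src, "src_port": sport, "dst": dst, "dst_port": dport,
           "tcp_flags": flags, "ip_ihl": 5, "tcp_data_offset": 5,
           "urg_ptr": 0, "ttl": 64}
    pkt.update(overrides)
    return pkt


def header_anomalies(pkt):
    """Return the names of header anomalies found in one parsed packet."""
    found = []
    flags = pkt["tcp_flags"]
    if flags == 0:
        found.append("null_flags")                      # no flags at all is never valid
    if (flags & (SYN | FIN)) == (SYN | FIN):
        found.append("syn_fin")                         # open and close in one segment
    if (flags & (SYN | RST)) == (SYN | RST):
        found.append("syn_rst")
    if (flags & (FIN | PSH | URG)) == (FIN | PSH | URG):
        found.append("xmas_flags")                      # classic scanner signature
    if pkt["src_port"] == 0 or pkt["dst_port"] == 0:
        found.append("port_zero")
    if pkt["ip_ihl"] < 5:
        found.append("bad_ip_header_length")            # IHL below the 20-byte minimum
    if pkt["tcp_data_offset"] < 5:
        found.append("bad_tcp_data_offset")             # TCP header shorter than 20 bytes
    if pkt["urg_ptr"] != 0 and not (flags & URG):
        found.append("urg_ptr_without_urg")
    if pkt["ttl"] == 0:
        found.append("zero_ttl")
    return found


class StateTracker:
    """Minimal flow table: a non-SYN packet for a flow never seen is a state anomaly."""

    def __init__(self):
        self.flows = set()

    def check(self, pkt):
        key = (pkt["src"], pkt["src_port"], pkt["dst"], pkt["dst_port"])
        reverse = (pkt["dst"], pkt["dst_port"], pkt["src"], pkt["src_port"])
        flags = pkt["tcp_flags"]
        if (flags & SYN) and not (flags & ACK):
            self.flows.add(key)              # a new connection attempt opens a flow entry
            return []
        if key in self.flows or reverse in self.flows:
            if flags & (FIN | RST):          # teardown closes the entry
                self.flows.discard(key)
                self.flows.discard(reverse)
            return []
        return ["no_flow_state"]             # e.g. an ACK flood with no matching handshake


def inspect_packets(packets):
    """Return one anomaly list per packet; malformed packets never reach the state check."""
    tracker = StateTracker()
    results = []
    for pkt in packets:
        anomalies = header_anomalies(pkt)
        if not anomalies:
            anomalies = tracker.check(pkt)
        results.append(anomalies)
    return results


def summarize(packets):
    """Count anomaly names over a packet list (the shape of a per-rule drop counter)."""
    return dict(Counter(name for found in inspect_packets(packets) for name in found))


def sample_packets():
    """Constructed packets: one clean connection plus several malformed or stateless ones."""
    srv = "192.0.2.80"
    return [
        make_packet("203.0.113.10", 40000, srv, 443, SYN),              # clean handshake start
        make_packet("203.0.113.10", 40000, srv, 443, ACK),              # clean, flow exists
        make_packet("198.51.100.5", 4444, srv, 443, ACK),               # ACK with no handshake
        make_packet("198.51.100.6", 4445, srv, 443, SYN | FIN),         # illegal flag combination
        make_packet("198.51.100.7", 4446, srv, 443, 0),                 # null flags
        make_packet("198.51.100.8", 4447, srv, 443, FIN | PSH | URG),   # xmas flags
        make_packet("198.51.100.9", 4448, srv, 443, SYN, tcp_data_offset=3),  # bogus header length
        make_packet("203.0.113.10", 40000, srv, 443, FIN | ACK),        # clean teardown
    ]


if __name__ == "__main__":
    for pkt, found in zip(sample_packets(), inspect_packets(sample_packets())):
        print(pkt["src"], found or "ok")
    print(summarize(sample_packets()))
```

Running the sample shows the clean connection passing every check from SYN to FIN, while each of the other packets is caught either by a header rule or, for the lone ACK, by the missing flow state. Keeping the header checks ahead of the state lookup is deliberate: malformed packets are rejected before they can pollute the flow table, which is also how an appliance keeps the state-tracking memory from being filled by junk.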
28-100-167076-20120501
http://docs.fortinet.com/