FortiDDoS DDoS Attack Mitigation Guide - Fortinet
Attacks to test functionality and performance
can have 65,536 different values. It is important for an operating system to have some
sort of a mechanism in order to control the identification numbers correctly. In this
flood, the IP-ID field is randomly varied.
IP random fragment flag, offset flood
The IPv4 header has a field called Flags related to fragmentation. This 3-bit field has a
reserved bit followed by the Don't Fragment (DF) and More Fragments (MF) bits. A flood
that continuously varies these bits can confuse network devices. Just after the
flags, there is a 13-bit fragment offset field. A flood that continuously varies this field
can also cause confusion.
IP random TTL flood
The IPv4 header has an eight-bit time-to-live (TTL) field that helps prevent datagrams from
going in circles on the Internet. Each intermediate network appliance that a
datagram crosses decrements the TTL field by one. When the TTL field hits zero, the
packet is no longer forwarded by a packet switch and is discarded. This flood sends
packets with random TTL values.
IP random protocol
The IPv4 protocol supports up to 256 protocol types. In this flood, the protocol field value
is randomly changed while possibly keeping the rest of the packet header values similar.
UDP checksum error
The UDP header has a checksum field. By sending a wrongly computed checksum value,
packets with an anomalous header can be flooded on the network.
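A defender-side view of the header fields that the floods above vary, as an added example that is not part of the Fortinet guide: a per-packet sanity check over the IPv4 flags and fragment offset, the TTL, the protocol field and the UDP checksum. The allow-listed protocols, the `min_ttl` threshold, the anomaly labels and the sample packet (documentation addresses) are assumptions constructed for illustration.

```python
import struct

ALLOWED_PROTOCOLS = {1, 6, 17}  # assumption: this site expects only ICMP, TCP, UDP
# Constructed sample: 192.0.2.1 -> 198.51.100.7, DF set, TTL 64, UDP 40000 -> 53,
# payload b"test", valid UDP checksum 0x8f4a (IP header checksum left 0, not checked).
GOOD = bytes.fromhex("450000200001400040110000c0000201c6336407"
                     "9c400035000c8f4a74657374")

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the Internet checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def header_anomalies(pkt: bytes, min_ttl: int = 1) -> list:
    """Return hypothetical labels for header anomalies in one raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4 if pkt else 0
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or not 20 <= ihl <= len(pkt):
        return ["malformed-ipv4"]
    flags_frag, ttl, proto = struct.unpack("!HBB", pkt[6:10])
    reserved, df, mf = flags_frag >> 15, (flags_frag >> 14) & 1, (flags_frag >> 13) & 1
    offset = flags_frag & 0x1FFF          # 13-bit fragment offset
    found = []
    if reserved:                          # RFC 791: reserved flag must be zero
        found.append("reserved-flag-set")
    if df and (mf or offset):             # "don't fragment" set on a fragment
        found.append("df-on-fragment")
    if ttl < min_ttl:                     # should have been discarded upstream
        found.append("low-ttl")
    if proto not in ALLOWED_PROTOCOLS:
        found.append("unexpected-protocol")
    # A UDP checksum is only verifiable on an unfragmented datagram.
    if proto == 17 and not mf and offset == 0:
        udp = pkt[ihl:]
        udp_len, csum = struct.unpack("!HH", udp[4:8]) if len(udp) >= 8 else (0, 0)
        if not 8 <= udp_len <= len(udp):
            found.append("bad-udp-length")
        elif csum:                        # 0 means "no checksum" in IPv4
            pseudo = pkt[12:20] + struct.pack("!BBH", 0, 17, udp_len)
            if ones_complement_sum(pseudo + udp[:udp_len]) != 0xFFFF:
                found.append("bad-udp-checksum")
    return found

if __name__ == "__main__":
    print(header_anomalies(GOOD))                 # clean sample
    print(header_anomalies(GOOD[:-1] + b"X"))     # payload altered after checksumming
```

A random TTL or protocol value is usually still a legal value, so these per-packet checks catch only the contradictory cases; the rest shows up as an unusual spread of values per source or destination over time.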
Non-spoofed ICMP echo reply flood
ICMP echo request is typically used to identify the presence of a machine on the
network. The machine responds with an ICMP echo reply. This flood continuously
sends ICMP echo replies to an IP address. The sources are non-spoofed.
Spoofed ICMP echo reply
Unlike above, this flood uses spoofed IP addresses to send ICMP echo replies.
Un-spoofed ICMP type/code flooding
ICMP allows 65535 combinations of type/codes. This is an un-spoofed flood from
a limited number of sources that randomly send a type/code flood.
28-100-167076-20120501 32<br />
http://docs.fortinet.com/