Fortigate DOS Protection

It is a good idea to do basic DoS protection, even internally.

  1. Configuring DoS policy
  2. Verification
  3. diagnose ips anomaly list
  4. Releasing the blocked senders
  5. diagnose ips anomaly clear
  6. Links

Configuring DoS policy

This configures a basic DoS policy on the internal1 interface for all traffic, with default values, and quarantines violating senders for 2 minutes. Note that only the anomalies with "set status enable" (udp_flood, udp_scan and udp_src_session here) are actually evaluated, and only udp_flood and udp_scan have "set action block"; the other entries are configured but remain disabled, which the verification output below shows as status 0.

config firewall DoS-policy
    edit 1
        set name "ALL DoS-Policy"
        set interface "internal1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        config anomaly
            edit "tcp_syn_flood"
                set log enable
                set quarantine attacker
                set quarantine-expiry 2m
                set threshold 2000
            next
            edit "tcp_port_scan"
                set log enable
                set quarantine attacker
                set quarantine-expiry 2m
                set threshold 1000
            next
            edit "tcp_src_session"
                set log enable
                set quarantine attacker
                set quarantine-expiry 2m
                set threshold 5000
            next
            edit "tcp_dst_session"
                set log enable
                set quarantine attacker
                set quarantine-expiry 2m
                set threshold 5000
            next
            edit "udp_flood"
                set status enable
                set log enable
                set action block
                set quarantine attacker
                set quarantine-expiry 2m
                set threshold 2000
            next
            edit "udp_scan"
                set status enable
                set log enable
                set action block
                set quarantine attacker
                set quarantine-expiry 2m
                set threshold 2000
            next
            edit "udp_src_session"
                set status enable
                set log enable
                set quarantine attacker
                set quarantine-expiry 2m
                set threshold 5000
            next
            edit "udp_dst_session"
                set log enable
                set quarantine attacker
                set quarantine-expiry 2m
                set threshold 5000
            next
            edit "icmp_flood"
                set log enable
                set quarantine attacker
                set quarantine-expiry 2m
                set threshold 250
            next
            edit "icmp_sweep"
                set log enable
                set quarantine attacker
                set quarantine-expiry 2m
                set threshold 100
            next
            edit "icmp_src_session"
                set log enable
                set quarantine attacker
                set quarantine-expiry 2m
                set threshold 300
            next
            edit "icmp_dst_session"
                set log enable
                set quarantine attacker
                set quarantine-expiry 2m
                set threshold 1000
            next
            edit "ip_src_session"
                set log enable
                set quarantine attacker
                set quarantine-expiry 2m
                set threshold 2000
            next
            edit "ip_dst_session"
                set log enable
                set quarantine attacker
                set quarantine-expiry 2m
                set threshold 5000
            next
            edit "sctp_flood"
                set log enable
                set quarantine attacker
                set quarantine-expiry 2m
                set threshold 2000
            next
            edit "sctp_scan"
                set log enable
                set quarantine attacker
                set quarantine-expiry 2m
                set threshold 1000
            next
            edit "sctp_src_session"
                set log enable
                set quarantine attacker
                set quarantine-expiry 2m
                set threshold 5000
            next
            edit "sctp_dst_session"
                set log enable
                set quarantine attacker
                set quarantine-expiry 2m
                set threshold 5000
            next
        end
    next
end

Verification

The first command shows the anomaly meter and sensor counters; the second lists every configured anomaly with its status, log, quarantine (nac), action and threshold values, so you can see which entries are really enabled:

diagnose ips anomaly status
meter budget: 100000
meter used: 72/72
meter depth: 6

sensor active: 8
sensor pending: 0

diagnose ips anomaly config
DoS id 5 proxy 0
  0 tcp_syn_flood status 0 log 1 nac 1 action 0 threshold 2000
  1 tcp_port_scan status 0 log 1 nac 1 action 0 threshold 1000
  2 tcp_src_session status 0 log 1 nac 1 action 0 threshold 5000
  3 tcp_dst_session status 0 log 1 nac 1 action 0 threshold 5000
  4 udp_flood status 1 log 1 nac 1 action 7 threshold 2000
  5 udp_scan status 1 log 1 nac 1 action 7 threshold 2000
  6 udp_src_session status 1 log 1 nac 1 action 0 threshold 5000
  7 udp_dst_session status 0 log 1 nac 1 action 0 threshold 5000
  8 icmp_flood status 0 log 1 nac 1 action 0 threshold 250
  9 icmp_sweep status 0 log 1 nac 1 action 0 threshold 100
  10 icmp_src_session status 0 log 1 nac 1 action 0 threshold 300
  11 icmp_dst_session status 0 log 1 nac 1 action 0 threshold 1000
  12 ip_src_session status 0 log 1 nac 1 action 0 threshold 2000
  13 ip_dst_session status 0 log 1 nac 1 action 0 threshold 5000
  14 sctp_flood status 0 log 1 nac 1 action 0 threshold 2000
  15 sctp_scan status 0 log 1 nac 1 action 0 threshold 1000
  16 sctp_src_session status 0 log 1 nac 1 action 0 threshold 5000
  17 sctp_dst_session status 0 log 1 nac 1 action 0 threshold 5000
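As an added example (not part of this page and not a Fortinet tool), a small Python audit that parses the "diagnose ips anomaly config" output above and reports, for each anomaly, whether it is disabled, evaluated but passing, or blocking. The mapping action 0 = pass and action 7 = block is an assumption taken from how the page's own configuration maps onto this output, and the sample is an excerpt of that output.

```python
import re

# Constructed sample: an excerpt of the "diagnose ips anomaly config" output
# shown on the page (header line kept, most anomaly rows omitted).
SAMPLE = """\
DoS id 5 proxy 0
  0 tcp_syn_flood status 0 log 1 nac 1 action 0 threshold 2000
  4 udp_flood status 1 log 1 nac 1 action 7 threshold 2000
  5 udp_scan status 1 log 1 nac 1 action 7 threshold 2000
  6 udp_src_session status 1 log 1 nac 1 action 0 threshold 5000
  8 icmp_flood status 0 log 1 nac 1 action 0 threshold 250
"""

LINE_RE = re.compile(
    r"^\s*(?P<idx>\d+)\s+(?P<name>\w+)\s+status\s+(?P<status>\d)\s+log\s+(?P<log>\d)"
    r"\s+nac\s+(?P<nac>\d)\s+action\s+(?P<action>\d+)\s+threshold\s+(?P<threshold>\d+)"
)

# Assumed mapping of the numeric action field: 0 is what the page's entries
# without "set action block" report, 7 is what its "set action block" entries report.
ACTION_NAMES = {0: "pass", 7: "block"}

def parse_anomaly_config(text):
    """Return one dict per anomaly row; the 'DoS id' header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append({k: (v if k == "name" else int(v)) for k, v in m.groupdict().items()})
    return rows

def effective_state(row):
    """What the firewall does on a threshold violation (log/quarantine flags aside);
    a row with status 0 is never evaluated, so its action and threshold are moot."""
    if row["status"] == 0:
        return "disabled"
    return ACTION_NAMES.get(row["action"], f"action {row['action']}")

def audit(text):
    """Map anomaly name -> effective state, so silently disabled entries stand out."""
    return {r["name"]: effective_state(r) for r in parse_anomaly_config(text)}

def disabled_entries(text):
    """Anomalies that have logging/quarantine configured but status 0."""
    return sorted(r["name"] for r in parse_anomaly_config(text) if r["status"] == 0)

if __name__ == "__main__":
    for name, state in audit(SAMPLE).items():
        print(f"{name:18s} {state}")
```

Run it against the full output of a live unit to catch entries that were meant to block but were never enabled.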

diagnose ips anomaly list

This lists the senders currently tracked by the anomaly meters, one line per anomaly a sender has triggered, with the offending source IP and the meter's expiry value (exp):

diagnose ips anomaly list
list nids meter:
id=ip_src_session     ip=113.26.159.4 dos_id=7 exp=493 pps=0 freq=0

id=tcp_src_session    ip=113.26.159.4 dos_id=7 exp=493 pps=0 freq=0

total # of nids meters: 100.

Releasing the blocked senders

This clears all anomaly meters at once, so every currently blocked sender is released, not just a single one:

diagnose ips anomaly clear

Links

https://yurisk.info/2020/05/29/fortigate-dos-ddos-policy-configuration/