
Xtreme Team 2013 FortiDDoS

7th and 8th August 2013, Montevideo, Uruguay.

March 31, 2014

Agenda

- DDoS Overview
- DDoS Solutions
- Fortinet DDoS Labs

Remembering the OSI Model...

The Open Systems Interconnection (OSI) model is a conceptual model that characterizes and standardizes the internal functions of a communications system by partitioning it into abstraction layers.

What is a DoS Attack?

An attack designed to take a resource, application or service and deny access to legitimate users

TERMINOLOGY

- DoS: Denial-of-Service
- DDoS: Distributed Denial-of-Service
- LDoS: Low-Rate Denial-of-Service
- PDoS: Permanent Denial-of-Service
- PPS: Packets Per Second

Types of Denial of Service

- DoS: a denial-of-service attack is an attempt to make a machine or network resource unavailable to its intended users.
- DDoS (Distributed Denial of Service): occurs when multiple systems flood the bandwidth or resources of a targeted system, usually one or more web servers.
- LDoS (Low-Rate Denial of Service): an LDoS attack exploits TCP's slow-time-scale dynamics of the retransmission time-out (RTO) mechanism to reduce TCP throughput.
- PDoS (Permanent Denial of Service): an attack that damages a system so badly that it requires replacement or reinstallation of hardware. A PDoS attack exploits security flaws which allow remote administration on the management interfaces of the victim's hardware, such as routers, printers, or other networking hardware.

Example of attack

(Figure: a web server under attack, plotting traffic on a log scale from 1 to 10000 against CPU/MEM utilization rising to 100.)

Application Targeted DDoS (L7)

- Target well-known and required services: Email/SMTP, DNS, Web/HTTP, SQL, SSH
- Require sophisticated tools able to update and adapt; these exist today
- Deliberately avoid high bandwidth usage to keep "low (and slow)"
- Application-based DDoS is on the increase, accounting for a quarter of all attacks
- Continuously evolving to evade detection of the attack and protect the identity of the attacker

Type of Attack

- Volumetric Attacks: designed to consume available Internet bandwidth or overload server resources. Typical examples: SYN Flood, UDP Flood, ICMP Flood, SMURF attacks.
- Application Layer Attacks: more sophisticated, and attractive to the attacker since they require less resource to carry out (botnet costs). They target vulnerabilities in applications to evade flood detection strategies.
- Cloud Infrastructure Attacks: cloud solutions can turn the Internet into the corporate WAN. Modern attackers target the full range of cloud infrastructure (firewall, mail and web servers). Mitigation can be complex and any attack can impact multiple customers.

- Spoofed Attacks: fewer machines, limited power
- Non-Spoofed Bot Clients: more machines, higher power
- Bot Servers: more power, more bandwidth, socially engineered; more with less

Who's likely to be interested in DDoS protection?

- Companies that are or have been targets of Denial of Service attacks
- Hosting or Cloud provider services
- Ecommerce
- Online Gaming and Gambling
- Medium and larger enterprises with an internet presence
- Any company that has recently been or is actively being attacked

Some Traditional Attacks

SYN Flood
- Targets connection table resources
- Layer 3 attack
- Target flooded with TCP SYN packets

UDP Flood
- Targets CPU and network traffic resources
- Layer 3 attack
- Floods the server with random UDP connections

Some Traditional Attacks: ICMP Flood (SMURF, Ping Flood)

SMURF
- Packets sent with the source being a false IP
- Layer 3 attack
- Turns the server into an attacker and consumes resources

Ping Flood
- Echo requests sent without waiting for a reply
- Layer 3 attack
- Consumes bandwidth
- One common method of combating a ping flood attack is to block ICMP traffic.

The Slowloris Attack

- Targets HTTP from a single client machine
- Not new, dates from 2009
- Opens a connection to a web server
- Not all servers are vulnerable
- Sends legitimate, but partial, never-ending requests
- Sends something periodically to prevent a timeout
- Sockets are held open
- No more sockets, no more service

(Slide shows GET, HEAD and POST requests carrying a partial "X-a" header.)

Myths about DDoS attacks

- It happens to others
- Software fixes can solve DDoS attack issues
- IPTABLES can stop DDoS attacks
- The webhost will take care of DDoS attacks
- ISPs of the world co-operate
- ACLs on switches/routers can stop DDoS attacks
- Pipes will fill anyway, what's the point?
- Law enforcement is easy to approach in case of DDoS attacks

DoS Protection Options

Scrubbing Service from Internet or Cloud Service Providers
- Model: managed service subscription model; usually separate detection and mitigation
- Pros: easy sign-up and deployment
- Cons: expensive, inflexible, costs can rise during an attack

Firewall / IPS
- Model: integrated device for FW/IPS and DDoS prevention
- Pros: single device, simplified architecture, fewer units to manage
- Cons: not designed to detect/block sophisticated DDoS attacks; typically requires an update license

Dedicated Device
- Model: inline detection, mitigation and reporting; auto-detection of a wide range of DDoS attacks
- Pros: cost effective, no unpredictable or hidden charges; multi-layer, accurate, fast, scalable and easy to deploy
- Cons: additional network element

What about botnets...

In its most basic form, a botnet is a group of computers that have been infected with malware that allows its controller (or master) to take some measure of control over the infected machine. It is used by its master to perform a range of unsavory activities without the knowledge of the victim. Once infected with botnet malware, the computer becomes a mindless zombie ready to do the bidding of its master.

Cybercriminals use botnets to generate revenue in many different ways:

- DDoS attacks
- Spamming
- Financial fraud
- Search Engine Optimization (SEO) poisoning
- Pay-per-Click (PPC) fraud
- Bitcoin mining
- Corporate and industrial espionage

How could I be infected with a botnet?

- Drive-by download: simply visiting a malicious site with a PC that hasn't been kept current with security patches and antivirus can download and execute malware on the user's PC, thus adding to that botnet's ranks.
- Email: a more traditional yet still popular method of botnet infection is a user opening email with malicious content, often sent by someone the user knows and trusts (whose system is likely infected with a botnet).
- Pirated software: malware developers often hide malicious code inside a software download, which then installs itself on a victim's machine when the user opens the executable.

How to determine that an infection has occurred

- System running slower than usual
- Hard drive LED is flashing wildly even though the system is idle
- Files and folders have suddenly disappeared or have been changed in some fashion
- A friend or colleague has informed the user that they have received a spam email from the user's email account
- A firewall on the computer informs the user that a program on the PC is trying to connect to the Internet
- A launch icon from a program downloaded from the Internet suddenly disappears
- More error messages than usual are popping up
- An online bank is suddenly asking for personal information it has never required before


Anti DDoS appliances: Carrier DDoS mitigation solutions

- Useful for global networks, carriers and ISPs
- Based on IP flow-based and deep packet inspection technologies protecting the entire network
- Too expensive for individual IDCs (Internet Data Centers), webhosts or web properties
- Designed around early 2000; cannot mitigate the new generation of DDoS attacks which involve botnets that mimic legitimate clients

Anti DDoS appliances: Custom logic (FPGA or ASIC) based IDC, web hosting and web property DDoS mitigation solutions

- They work to protect one or several Internet links.
- The behavioral solutions are implemented in custom hardware logic and provide line-rate performance for large attacks.
- These solutions are cost-effective and effective for IDCs, webhosts and web properties.

Anti DDoS appliances: Software based web property DDoS mitigation solutions

- These solutions are useful for smaller web properties with very minimal traffic.
- The behavioral solutions are implemented on off-the-shelf CPUs and have issues keeping up at large attack traffic volumes.
- Some appliances have IPS functionality implemented in hardware but have their DDoS mitigation logic in software and suffer from the same issues.

Hardening from a DDoS point of view in the enterprise

Firewalls, switches, Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are not enough. Upcoming techniques:

- SYN Proxy: a mechanism, usually implemented by intermediate appliances that sit in front of the actual server and proxy the responses. Until the spoofed or unspoofed IPs respond with the ACK, the connection requests are not forwarded.

More techniques

- Connection limiting: too many connections can cause a server to be overloaded. By limiting the number of new connection requests, you can temporarily give the server respite.

Just one more...

- Aggressive Aging: some botnet attacks involve opening a legitimate connection and not doing anything at all. Such idle connections fill up the connection tables in firewalls and servers. By aggressively aging such idle connections, you can provide some relief to them.
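Added example (not FortiDDoS or Fortinet code) working through the Slowloris attack described earlier and the aggressive aging technique above: a connection table that ages out idle sockets and slow-data sockets, run over a constructed event stream. Capacity, timeouts, byte limits and addresses are assumptions.

```python
from dataclasses import dataclass


@dataclass
class Conn:
    src: str
    opened: float
    last_seen: float
    bytes_in: int = 0


class ConnTable:
    """Connection table with the two aging rules discussed on the page:
    idle aging (no data for idle_timeout seconds) and slow-data aging
    (fewer than slow_min_bytes received within slow_window seconds of opening).
    A rule set to None is disabled. Parameters are assumed, not product defaults."""

    def __init__(self, capacity, idle_timeout=None, slow_window=None, slow_min_bytes=0):
        self.capacity = capacity
        self.idle_timeout = idle_timeout
        self.slow_window = slow_window
        self.slow_min_bytes = slow_min_bytes
        self.conns = {}        # connection id -> Conn (requests not yet complete)
        self.refused = 0       # connects refused because the table was full
        self.aged = {}         # aging reason -> number of connections aged out

    def connect(self, now, cid, src):
        self.age(now)
        if len(self.conns) >= self.capacity:
            self.refused += 1
            return False
        self.conns[cid] = Conn(src, now, now)
        return True

    def data(self, now, cid, payload):
        self.age(now)
        c = self.conns.get(cid)
        if c is None:          # refused earlier or already aged out
            return
        c.last_seen = now
        c.bytes_in += len(payload)
        if payload.endswith(b"\r\n\r\n"):
            del self.conns[cid]   # complete request: served and closed in this model

    def age(self, now):
        for cid, c in list(self.conns.items()):
            if self.idle_timeout is not None and now - c.last_seen >= self.idle_timeout:
                reason = "idle"
            elif (self.slow_window is not None and now - c.opened >= self.slow_window
                  and c.bytes_in < self.slow_min_bytes):
                reason = "slow-data"
            else:
                continue
            del self.conns[cid]
            self.aged[reason] = self.aged.get(reason, 0) + 1


def run_scenario(table):
    """Constructed event stream (not captured traffic):
    - one Slowloris-style source opens 60 sockets at t=0..5.9 s, sends a partial
      request and then one 'X-a: b' header line every 3 s to keep each socket alive;
    - 20 idle bot sockets open at t=6..7.9 s and never send anything;
    - 40 legitimate clients arrive at t=10..49 s and finish a request in 0.5 s."""
    events = []
    for j in range(60):
        t0 = j * 0.1
        events.append((t0, "connect", f"slow{j}", "198.51.100.7", b""))
        events.append((t0 + 0.2, "data", f"slow{j}", "", b"GET / HTTP/1.1\r\nHost: www.example\r\n"))
        for k in range(1, 14):
            events.append((t0 + 0.2 + 3 * k, "data", f"slow{j}", "", b"X-a: b\r\n"))
    for i in range(20):
        events.append((6 + i * 0.1, "connect", f"idle{i}", "203.0.113.9", b""))
    for i in range(40):
        t0 = 10.0 + i
        events.append((t0, "connect", f"legit{i}", f"192.0.2.{i + 1}", b""))
        events.append((t0 + 0.5, "data", f"legit{i}", "", b"GET / HTTP/1.1\r\nHost: www.example\r\n\r\n"))
    events.sort(key=lambda e: e[0])   # stable sort: ties keep insertion order
    for t, kind, cid, src, payload in events:
        if kind == "connect":
            table.connect(t, cid, src)
        else:
            table.data(t, cid, payload)
    return table


if __name__ == "__main__":
    plain = run_scenario(ConnTable(capacity=80))
    aged = run_scenario(ConnTable(capacity=80, idle_timeout=5, slow_window=15, slow_min_bytes=256))
    print("no aging: refused", plain.refused, "aged", plain.aged)   # every legitimate client refused
    print("aging on: refused", aged.refused, "aged", aged.aged)     # only the first legitimate client refused
```

Without aging the 80 parked sockets pin the table and all 40 legitimate clients are refused; with both rules on, the idle bots are aged out after 5 s and the Slowloris sockets after their 15 s window, so only the client arriving before the first aging round is refused.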

Attack Tools

- Many and varied: configurable Perl scripts, executables, JavaScript
- Platforms: Windows, OSX, Android
- Distributed as: stress tester utilities, development toolkits, malware
- Used to create: individual attacks, voluntary hacktivist attacks, botnet driven attacks, booster scripts

Most popular tool: LOIC (Low Orbit Ion Cannon). Low Orbit Ion Cannon (LOIC) is an open source network stress testing and denial-of-service attack application, written in C#.

Software packet generators: Nemesis, Hping, T50, Rude and Crude, Scapy, D-ITG, Pktgen, Packet Generator, Packet Excalibur, Packgen, and much more on this site: http://www.protocog.com/trgen.html

Type of testing attacks: over the Internet, one can launch Layer 3, 4 or 7 attacks. Examples of Layer 3 attacks are protocol floods such as ICMP floods, TCP floods and fragment floods. Examples of Layer 4 floods are port floods (TCP or UDP). Examples of Layer 7 floods are URL floods; in this attack, a single URL is continuously attacked from multiple sources.


Finally! Let's talk about FortiDDoS!!

FortiDDoS Hands On!

Value Proposition: Continuous and Adaptive Learning

Device information

- Root access is not available for end-users and partners; SEs can get the password in specific use cases. The password is based on the serial number.
- A limited CLI is available through the console or SSH.
- Default user account/password: fortiddos/rootpasswd

Behavioral Analysis and Rate Based System: No signatures! Because FortiDDoS uses behavior- and rate-based analysis, it provides a positive security model for protection against attacks the hackers haven't even thought up yet. No administrative intervention is required, and the Intrusion Gateway is on guard 24/7, automatically protecting your network systems and bandwidth.

Overall System Architecture FDD100A

(Figure: two data ports, a PCI bus and a separate management path.)

Overall System Architecture FortiDDoS-300A

(Figure: six data ports and a separate management path.)

FortiDDoS-100A
2U appliance, provides dual link protection

Specification:
- LAN: 2 x 1G (copper and optical)
- WAN: 2 x 1G (copper and optical)
- FortiASIC: 2 x FortiASIC-TP1
- RAM: 4G
- Storage: 1TB HDD
- Management: 1 x RJ45 10/100/1000
- Power: Single AC
- Protection: 1Gbps full duplex

FortiDDoS-200A
3U appliance, provides protection for up to 4 links

Specification:
- LAN: 4 x 1G (copper and optical)
- WAN: 4 x 1G (copper and optical)
- FortiASIC: 4 x FortiASIC-TP1
- RAM: 8G
- Storage: 2 x 1TB HDD RAID
- Management: 1 x RJ45 10/100/1000
- Power: Dual Redundant AC
- Protection: 2Gbps full duplex

FortiDDoS-300A
4U appliance, provides protection for up to 6 links

Specification:
- LAN: 6 x 1G (copper and optical)
- WAN: 6 x 1G (copper and optical)
- FortiASIC: 6 x FortiASIC-TP1
- RAM: 8G
- Storage: 2 x 1TB HDD RAID
- Management: 1 x RJ45 10/100/1000
- Power: Dual Redundant AC
- Protection: 3Gbps full duplex

FortiDDoS = Continuous Protection

24x7 365 days

Deployment Scenarios

- Traffic Bypass and FortiBridge
- Virtual Partitions (VID) = multiple Protection Profiles

Deployment Scenarios (Contd.): Internal vs. External Pairing

External Pairing
- Requires that an external network device is configured with a mirrored port
- The load for copying packets is handled by the external device

Internal Pairing
- No external configuration required
- The load for copying packets is handled by the FortiDDoS
- Some bandwidth is taken in order to copy packets: a 1.4 Gbps channel is the new limit; if traffic exceeds about 700 Mbps (full duplex) it will be dropped

Setting up an Asymmetric Pair

(Figure: asymmetric pair with one internal network and two Internet links.)

Baseline Building: How Does It Work?

Rates and checks that are baselined and enforced:
- Packets/Source/Second
- SYN Packets/Second
- Connection Establishments/Second
- SYN Packets/Source/Second
- Connections/Second
- Concurrent Connections/Source
- Concurrent Connections/Destination
- Packets/Port/Second
- Fragmented Packets/Second
- Protocol Packets/Second
- Same URL/Second
- Same User-Agent, Host, Referer, Cookie/Second
- Anti-spoofing checks
- Associated URL heuristics

Can reset server connections upon overload.

Too many hoops to cross before a set of malicious packets can get through: prevents rate, policy and state violations, and stealth, slow and fast attacks. Quick blocking (< 15 s), unblocking and re-evaluation (every packet) to avoid false positives.

FortiASIC Traffic Processor (TP)

- No CPU in the path of the packets; no fast or slow path; no IP/MAC address in the path of the packets.

Processing blocks (inbound and outbound packets):
- Network, Transport, Application Layer Header Anomaly Prevention
- Anti-spoofing
- State Anomaly Prevention
- Virtualization
- Network, Transport, Application Layer Rate Anomaly Prevention
- Application Layer Heuristics
- Network, Transport, Application Layer Access Control Lists
- Dark Address, Geolocation, IP Reputation
- Source Tracking
- Decision Multiplexer: dropped packets / allowed packets

Control and Statistics:
- SNMP Traps/MIBs, Syslog, Event Notifications
- Event/Traffic Statistics, Graphs
- Threshold Wizard, Continuous Adaptive Threshold Estimation
- Policy Configuration, Archive, Restore


LAB: FortiDDoS cookbook installation guide

The objective of this lab is to be like a cookbook for a first FortiDDoS installation. We know not all partners have an ITF FortiDDoS, so we want to help in a possible first implementation or PoC.

Lab components:
- 1 x FortiDDoS 200, firmware version 3.2.1.108
- 1 x Ubuntu web server (target)
- 1 x BackTrack host (hacker)
- 1 x Windows host (management host)

Lab Diagram

(Figure: web server at .30, FortiDDoS ports WAN 1 and LAN 1, networks 200.1.1.0/24 and 10.1.1.0/24.)

Steps: Required information before start!

- IP of the management workstation: 192.168.1.xx/24, connected to the management port.

GUI - Password Recovery Procedure

- Connect to the console and log in using the default user (fortiddos) and its correct password (the new password if changed from default). fortiddos is the OS user; new admins are considered GUI users.
- Issue the CLI command: resetguipasswords

Connecting to the FortiDDoS GUI: Management Access DEFAULTS

- ONLY via the dedicated management port
- IP: 192.168.1.1 (factory default)
- Access: HTTPS (443), no HTTP option
- URL: https://192.168.1.1
- Username: fddroot
- Password: rootpasswd

Update the appliance with the latest available version from the support FTP

Upgrading the device...

- Search for the .img file downloaded from the support FTP.
- Click on Manage -> Upgrade System.

Execute a full factory reset on the appliance

Take care with time: this step could take up to 2.5 hours!! This step will not be required if it's a new box.

- Manage -> Global -> Factory Defaults
- Select what you want to reset. Look at the warning notification!
- Click on Manage -> Global -> Factory Reset

Graphical User Interface (GUI)

Screen elements:
- Current logged-in user
- Configuration: all changes to security settings are made there
- Manage: first time setup / IP addresses, time, users etc. Less than in a FortiGate
- Show: all reports can be found here
- Event information is found here, not used a lot
- Select a VID
- S/N and license status
- Time period

GUI - CONFIGURE

Configure -> Current VID

The Configuration menu is split in two sections: CURRENT VID and GLOBAL. When configuring the VID section make sure to select the correct VID.

Configure -> Global: Layer 3, 4 and 7. Each section is split into the different protection features, allowing granular application.

System date: Manage -> Global -> Device Configuration -> System Date

Management IP Address: Manage -> Global -> Device Configuration -> IP Address

Creating roles: administrator: Manage -> Configuration -> Roles

Creating roles: Operator. BEST PRACTICE: create operator users for each VID administrator.

Creating roles: Super_user

Creating users: how the create-user screen looks

Checking physical ports! If the FortiDDoS is a 200 or 300, we must set fiber or copper; by default it's copper. Important: WAN1 and LAN1 must always be the same type of interface (both on the same fiber pair, or both copper); it is not possible to protect the same link with two interface types on the FortiDDoS. Configure -> Interface Settings

Management Path Failure

Emergency Bypass

Important to know!!! Dark addresses are blocked by default. But what does "dark address" mean? All unreachable network hosts on the Internet.

Configure -> Current VID -> Dark Address: 1 means enable, 0 means disable

Check the operating mode. It must be in detection mode the first time (unchecked on all VIDs). Leave the configuration in learning mode for at least 2 days; an ideal period would be 15 days with normal traffic (the longer the better!!). Keep monitoring during this period!

Clicking the checkbox automatically enables prevention mode.

My Lists: the My Lists feature helps users define a list of the most common ports (TCP/UDP) or protocols. Default sets are available. Setting the My Lists based on immediate past traffic is the easiest way to begin; FortiDDoS provides an easy wizard: Configure > Current VID > My Lists > Auto Configure

Configuring Virtual Identifiers (Protection Profiles)

Enable this option; depending on the threshold, the FortiDDoS could change the VID.

Defining the subnet per VID

Starting the wizard! Baseline report

You need to have a traffic report in place to start the wizard: Show > Current VID > Reports > Traffic Statistics (traffic history). After the baseline report (evaluation time) the FortiDDoS has the parameters to auto-configure the thresholds.

The configured lists are utilized in two places in the user interface: while configuring thresholds, and while showing traffic graphs. Max of 512 objects per list.

Adaptive Learning and My Lists: while FortiDDoS continuously collects traffic statistics for each and every TCP and UDP port and ICMP type/code, it also limits the number of ports for the adaptive threshold estimations to 512 each (per VID). The 512 ports for the periodic estimated thresholds that the FortiDDoS device computes are restricted to the TCP/UDP ports listed within My Lists. Minimum thresholds for TCP/UDP ports not listed in My Lists are not adjusted by the Adaptive Learning Engine.

Blocking by suspicious countries! Blocking by geo-location: Configure -> Global -> Access Control List -> Layer 3 -> Geo-Location

Deny/Allow sources: if we know a suspicious IP address, it is a best practice to block it from the beginning. Configure -> Access Control List -> Layer 3 -> Deny/Allow Sources. If you have IPs blocked in the firewall because of strange behavior in the past, you can put them here!

IP Reputation: it is possible to enable a web reputation service based on the FortiGuard lists. Configure -> Global -> Access Control List -> Layer 3 -> IP Reputation. This service is optional and needs to be licensed separately (SKU: FC-10-01H00-140-02-DD). Enable IP reputation for all VIDs.

Proxy IPs: Configure -> Access Control List -> Proxy IP. Allows detection of proxy servers and prevents access entirely by blocking that source.

IPv6 Inspection: Configure -> Global -> Operating Mode. IPv6 ready! Enables dual stack.

Best practices: Advanced Options. Configure -> Current VID -> Advanced Options -> Feature Controls -> Layer 4 -> TCP State Machine

Session feature controls:
- Foreign Packet Validation: prevents spoofed packets

Aggressive Aging feature controls:
- Slow data transfer TCP: helps to prevent Slowloris and similar attacks
- Age old TCP connections inbound: the FortiDDoS will age out idle connections, protecting the memory resources of the internal target

Best Practices: Advanced Options (2). Configure -> Current VID -> Advanced Options -> Feature Controls -> Layer 7

- Sequential Access: relates to the feature which ensures that no single IP address retrieves the same URL back to back without accessing any other URLs. This is typical scripted-access behavior and shows up as anomalous; it helps identify bots.
- URLs Per Source: relates to the feature which ensures that no single IP address retrieves more URLs per observation period than defined under the HTTP Advanced menu.
- Mandatory HTTP Headers: relates to the feature which ensures that certain HTTP headers are always present in a GET access to the URL. These headers are further defined in the HTTP Advanced menu.

Enabling prevention mode - blocking! Once the learning period is over and you are satisfied with the threshold settings, set the system to Prevention mode: from the main menu, select Configure > Global > Operating Mode.

One click adjustment: FortiDDoS has 4 possible options to adjust and configure all the parameters: Factory Defaults, Adjust Minimum Thresholds, Easy Setup and System Recommended Thresholds. Let's understand the 4 options!

Configure -> Current VID -> Blocking Threshold -> Layer 7 -> One Click Adjustment

- Factory Defaults: this option allows you to set the thresholds in a VID to factory defaults, which is the line-rate value.
- Adjust Minimum Thresholds: you can adjust the minimum thresholds up or down by a certain percentage.
- Easy Setup: this option is useful when the appliance has to be deployed in an unknown environment without much time left for training the appliance.
- System Recommended Thresholds: this is the most common and recommended way to set the appliance thresholds. The system recommended values are based on the Traffic Statistics Report generated as part of the base-lining process.

One click adjustment: mitigating attacks in just one click

Prevention/Detection Mode: passive detection and active prevention

Operating Mode: deploy the unit. Best practice: continue running in detection mode while monitoring the thresholds. If the system selects packets to drop that are legitimate, adjust the thresholds or check ACLs and feature controls. If the system reports passing packets that should have been dropped, lower the thresholds or check ACLs and feature controls.

That's it with the configuration! Now let the FortiDDoS learn, while we go on to learn more about Forti best practices!

Baseline Monitor Period Learning should be done on typical traffic for at least one week (7 Days).

Note: The FortiDDoS never stops learning traffic patterns and continuously adjusts traffic profiles using an Adaptive Learning Engine. The initial learning period should be attack-free, and should be long enough to be a representative period of normal network activity and should be long enough to encompass both seasons of high and low activity. Seven days will often provide a reasonable profile of normal traffic.

Adaptive Threshold Estimation: Set It and Forget It

(Figure: port 80 traffic in Mbps per month, 0 to 600 Mbps, July to January. The plot shows the observed traffic, a fixed threshold, a fixed minimum threshold, a forecast threshold and the adaptive threshold. The adaptive threshold follows a gradual increase in traffic due to a trend, which is not an attack, while a typical attack still exceeds the uppermost threshold.)

IntruGuard Devices confidential and proprietary

Adaptive Thresholds: Adaptive Thresholds fine-tune/automatically adjust the configured minimum thresholds over time by predicting traffic flows based on current and past statistics. The Adaptive Threshold Limit restricts the threshold adjustments to a set maximum percent (default 150%) above the set minimum threshold value.

Where should the Threshold be to detect floods?

(Figure: port 80 traffic in Mbps by month, April 2001 to August 2013, 0 to 450 Mbps, with candidate threshold lines labelled "Here", "Here" and "Or Here?".)

Flood Threshold Detection Needs

- Determine a trend over time. E.g. gradual increase in web traffic over a two month period due to an increase in subscribers.
- Determine a seasonal trend or cycle. E.g. web traffic increases in the morning hours, peaks in the afternoon and declines late at night.
- Determine seasonal variability. E.g. web traffic fluctuates more during peak hours but hardly varies at all during the night.
- Determine aberrant behavior. E.g. web traffic deviates too much from its normal and forecasted traffic.

Types of Forecasting Models

Types and Methods of Forecasting
- Naive methods: eye-balling the numbers; based on experience and judgment (qualitative).
- Formal methods: systematically reduce forecasting errors; time series models (e.g. exponential smoothing) and causal models (e.g. regression); quantitative, based on data and statistics.

(Figure: port 80 traffic in Mbps by month, April 2001 to August 2013.)

Focus here on Time Series Models

Assumptions of Time Series Models
- There is information about the past.
- The pattern of the past will continue into the future.

Complicating Factors with Simple Smoothing

- Simple Exponential Smoothing does not allow you to predict the future accurately.
- Must be adapted for data series which exhibit a definite trend.
- Must be further adapted for data series which exhibit seasonal patterns.
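Added example (not the appliance's algorithm) of the trend adaptation mentioned above: Holt's double exponential smoothing forecasts a constructed port-80 series, and the forecast is turned into an adaptive threshold clamped between the fixed minimum threshold and the adaptive limit. Reading the limit as 150% of the minimum threshold, the headroom factor and the smoothing constants are assumptions.

```python
import math


def holt_forecast(series, alpha=0.3, beta=0.1):
    """Holt's linear-trend (double exponential) smoothing.
    Returns the one-step-ahead forecast for every index; index 0 has no history
    and simply repeats the first observation."""
    level, trend = series[0], series[1] - series[0]
    forecasts = [series[0]]
    for y in series[1:]:
        forecasts.append(level + trend)            # forecast made before observing y
        new_level = alpha * y + (1 - alpha) * (level + trend)
        trend = beta * (new_level - level) + (1 - beta) * trend
        level = new_level
    return forecasts


def adaptive_thresholds(series, minimum, limit_pct=150, headroom=1.5, alpha=0.3, beta=0.1):
    """Threshold for each period: headroom above the forecast, never below the
    fixed minimum threshold and never above the adaptive limit (assumed here to
    mean limit_pct percent of the minimum)."""
    cap = minimum * limit_pct / 100.0
    return [min(max(headroom * f, minimum), cap) for f in holt_forecast(series, alpha, beta)]


def detect(series, thresholds):
    """Indices whose observed rate exceeds the threshold in force for that period."""
    return [t for t, (y, th) in enumerate(zip(series, thresholds)) if y > th]


def sample_series():
    """Constructed daily peak port-80 traffic in Mbps (not measured data):
    60 days growing 1.5 Mbps/day as subscribers are added, with a weekly cycle of
    +/-6 Mbps, followed by one flood day at 900 Mbps. The flood is the last value so
    it never feeds back into the smoothing state; flagged periods must be kept out
    of learning, as the attack-free learning period on the page requires."""
    s = [100 + 1.5 * t + 6 * math.sin(2 * math.pi * t / 7) for t in range(60)]
    s.append(900.0)
    return s


if __name__ == "__main__":
    s = sample_series()
    fixed = [150.0] * len(s)              # threshold set from week-1 traffic and never adjusted
    adaptive = adaptive_thresholds(s, minimum=150)
    print("fixed threshold flags days:", detect(s, fixed))        # trend days plus the flood
    print("adaptive threshold flags days:", detect(s, adaptive))  # only the flood day
```

The fixed threshold flags more than three weeks of ordinary growth as floods; the adaptive threshold tracks the trend and flags only the final day, while the cap keeps it from drifting above 225 Mbps however the forecast grows.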

SYN FLOOD PREVENTION - 1. SYN flood thresholds are bi-directional and on a per-VID basis as well as per destination (corresponding to the most active destination). You can control these individually. FortiDDoS stores non-spoofed IP addresses that have completed a three-way handshake successfully in a large table called the Legitimate IP (LIP) Address table. This table retires entries every 5 minutes, so it holds IP addresses which have recently connected successfully. Under a SYN flood situation, i.e. when the SYN flood threshold is crossed, the LIP table is used to validate new connections: if the new connection request is from an address in this table it is allowed, otherwise it is denied.

Foreign Packet Validation: when enabled, the TCP state machine will ensure that foreign TCP packets without an existing TCP connection entry are dropped. Disabled by default to prevent issues when the box is first deployed (wait for an hour after deployment before enabling this). Some reasons you will have high numbers:

- Detection Mode: the box thinks it dropped packets and therefore removed the session.
- Time-out differences between servers and the IG appliance: the TCP time-out on the DDoS appliance is mostly lower than the one configured on servers. Most of the time the dropped packets are just resets, so they can be ignored.
- HTTP browser behavior: people surfing from one site to another don't close the session to the server (only after closing the browser).

Because the number is high, source IP info is not stored!
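Added example (not FortiDDoS code) modelling the two mechanisms above: a SYN flood gate that consults the Legitimate IP table once the SYN threshold is crossed, and foreign packet validation that drops TCP packets with no connection entry. The per-second SYN counting, the threshold and all addresses are constructed assumptions; LIP retirement uses the 5 minutes stated on the page, and the scenario also shows the caveat that a returning client whose entry has retired is treated like a new source during a flood.

```python
from collections import Counter


class TcpGuard:
    """Toy SYN-flood gate with a Legitimate IP (LIP) table and optional
    foreign packet validation. Assumed behaviour for illustration, not the
    appliance's implementation."""

    def __init__(self, syn_threshold, lip_ttl=300.0, foreign_packet_validation=False):
        self.syn_threshold = syn_threshold      # SYN/s toward one destination that declares a flood
        self.lip_ttl = lip_ttl                   # seconds until a LIP entry retires (5 min)
        self.fpv = foreign_packet_validation
        self.lip = {}                            # src -> time of last completed three-way handshake
        self.half_open = set()                   # flow keys whose SYN was forwarded
        self.established = set()                 # flow keys with a completed handshake
        self.syn_bucket = [None, 0]              # [second, SYNs seen in that second]
        self.dropped = Counter()
        self.passed = Counter()

    def _syn_count(self, now):
        sec = int(now)
        if self.syn_bucket[0] != sec:
            self.syn_bucket = [sec, 0]
        self.syn_bucket[1] += 1
        return self.syn_bucket[1]

    def in_lip(self, src, now):
        seen = self.lip.get(src)
        if seen is None:
            return False
        if now - seen >= self.lip_ttl:           # retired: treated like a never-seen source
            del self.lip[src]
            return False
        return True

    def packet(self, now, src, dst, sport, dport, flags):
        """Return True if the packet is forwarded, False if it is dropped."""
        key = (src, dst, sport, dport)
        if flags == "S":
            flooding = self._syn_count(now) > self.syn_threshold
            if flooding and not self.in_lip(src, now):
                self.dropped["syn-flood"] += 1
                return False
            self.half_open.add(key)
            self.passed["syn"] += 1
            return True
        if flags == "A" and key in self.half_open:  # final ACK of the handshake
            self.half_open.discard(key)
            self.established.add(key)
            self.lip[src] = now
            self.passed["handshake"] += 1
            return True
        if key in self.established or key in self.half_open:
            self.passed["data"] += 1
            return True
        if self.fpv:                                # no connection entry: foreign packet
            self.dropped["foreign"] += 1
            return False
        self.passed["foreign"] += 1
        return True


def run_scenario(guard):
    """Constructed traffic toward one server (not captured data)."""
    dst = "192.0.2.10"
    clients = [f"198.51.100.{i}" for i in range(1, 6)]
    for i, c in enumerate(clients):                 # five clients complete handshakes at t=0..4 s
        guard.packet(float(i), c, dst, 40000 + i, 80, "S")
        guard.packet(i + 0.01, c, dst, 40000 + i, 80, "A")
    for n in range(2000):                           # spoofed SYN flood, 2000 SYNs in half a second
        guard.packet(100 + n / 4000, f"203.0.113.{n % 250 + 1}", dst, 1024 + n, 80, "S")
    returning = guard.packet(100.6, clients[0], dst, 41000, 80, "S")    # in LIP: allowed
    newcomer = guard.packet(100.7, "192.0.2.77", dst, 41001, 80, "S")   # not in LIP: denied
    foreign = guard.packet(101.0, "192.0.2.78", dst, 41002, 80, "PA")   # data with no session
    for n in range(2000):                           # second flood at t=400 s, LIP entries retired
        guard.packet(400 + n / 4000, f"203.0.113.{n % 250 + 1}", dst, 3000 + n, 80, "S")
    late_return = guard.packet(400.6, clients[1], dst, 41003, 80, "S")
    return {"returning": returning, "newcomer": newcomer, "foreign": foreign,
            "late_return": late_return, "dropped": dict(guard.dropped)}


if __name__ == "__main__":
    print(run_scenario(TcpGuard(syn_threshold=100, foreign_packet_validation=True)))
```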

Analyzing Attacks: the first indication that an attack has been detected will be the event monitor. If email event notifications are enabled, you can receive a summary of events on your PC, workstation, PDA or even your cell phone. The event notice summarizes the type of attack and the number of dropped packets as an indication of the attack size/scope. Attacks lasting 5 minutes or more will be represented as spikes in the graphical reports within the GUI. Examples:

- Show > Aggregate Drops lists packets dropped at each layer, allowing you to further refine your search to Layer 3, Layer 4 or Layer 7.
- Show > Reports > All lists a dashboard-like summary of all Top Attack Types.

Aggregate Drop Traffic

This graph shows the aggregate dropped traffic and gives you visibility into the excess traffic that's getting filtered by the appliance. Packets are dropped for multiple reasons and are shown in different colors. These are drilled down further in subsequent graphs on subsequent pages.

Summary over 1 month (Packets Dropped / 3 Hours)

Layer     Maximum       Minimum   Average       Total Packets Dropped
Layer 2   0             0         0             0
Layer 3   71,796,072    0         21,262,421    5,273,080,458
Layer 4   375,005,802   300       5,899,631     1,463,108,503
Layer 7   303           0         1             304

Packets Dropped at Layer 3

This graph shows the dropped traffic due to certain Layer 3 reasons, which are shown in the table below.

Summary over 1 month (Packets Dropped / 3 Hours)

Type                      Maximum      Minimum   Average      Total Packets Dropped
Protocols                 8,225,652    0         637,875      158,193,111
TOS                       0            0         0            0
IPv4 Options              0            0         0            0
Fragmented Packets        1,157        0         7            1,873
L3 Anomalies              11,870,534   0         79,834       19,798,847
Source Flood              57,013,194   0         20,532,304   5,092,011,434
Misc. Source Flood        289,674      0         1,168        289,675
Destination Flood         2,441,260    0         11,231       2,785,518
Misc. Destination Flood   0            0         0            0
Dark Address Scan         0            0         0            0
Network Scan              0            0         0            0

Packets Dropped at Layer 4

This graph shows the dropped traffic due to certain Layer 4 reasons, which are shown in the table below. More than 1 billion packets were dropped due to SYN flood during this period, and over 58 million packets were dropped due to a few specific IPs sending too many SYN packets/second.

Summary over 1 month (Packets Dropped / 3 Hours)

Type                                              Maximum       Minimum   Average     Total Packets Dropped
TCP Options                                       0             0         0           0
SYN Packets                                       278,119,806   0         5,034,862   1,248,645,939
L4 Anomalies                                      12,549,983    300       54,866      13,606,809
TCP Ports                                         7,194,921     0         165,534     41,052,592
UDP Ports                                         27,297        0         908         225,429
ICMP Types/Codes                                  0             0         0           0
Port Scan                                         0             0         0           0
Misc. Drops for Port Scan                         0             0         0           0
Packets Per Connection                            0             0         0           0
Misc. Connection Flood                            71,585        0         6,992       1,734,081
Zombie Flood                                      13,368,886    0         93,770      23,254,968
SYN Packets Per Source                            36,527,319    0         234,548     58,168,070
Excessive Concurrent Connections Per Source       109           0         0           110
Excessive Concurrent Connections Per Destination  0             0         0           0
TCP Packets Per Destination                       0             0         0           0

Packets Dropped at Layer 7

This graph shows the dropped traffic due to certain Layer 7 reasons, which are shown in the table below. The appliance monitors HTTP opcodes, URLs and anomalies and can pinpoint the excesses in any one of these dimensions.

Summary over 1 month (Packets Dropped / 3 Hours)

Type             Maximum   Minimum   Average   Total Packets Dropped
Opcode Flood     303       0         1         304
HTTP Anomalies   0         0         0         0
URL Flood        0         0         0         0

Top Attacks and Top Attacker Reports

FortiDDoS appliances give you visibility into the Top Attacks, Top Attackers, Top Attacked Destinations, etc. for the last 1 hour, 1 day, 1 week, 1 month and 1 year. These IPs are obfuscated.

Overall View Over a Month

These two graphs depict the daily traffic over a month's period in terms of packet rate and Mbps respectively. The upper half is outbound traffic and the lower half (in negative) is inbound traffic. You can see two peaks which correspond to two large inbound attacks.

The purpose of the appliance is to maintain the normal traffic and only pass what's legitimate. That's what it is doing here by dropping the excess packets (shown as the white area under the maroon lines). What's being allowed is the blue area.

View of another link

The maroon line shows what's incoming and the blue and green lines show what gets out of the appliance after DDoS mitigation based on behavioral analysis. The white envelope is the attack that's getting dropped.

This graph shows the second link on the same device. This link has larger and continuous attacks over the month's period. As you can see, the appliance maintains the normal behavior and drops excessive packets.

Count of Unique Sources

This graph gives you visibility into the count of unique sources coming to your network. As you can see here, there is a large peak during Week 21 which corresponds to an attack. The number of unique sources almost reached 1 million. These could be spoofed IP addresses too.

Number of Established TCP Connections

This graph shows the number of established TCP connections. Since there is no obvious peak here, while the previous graph of the count of unique sources had a large peak, it means the attackers were primarily spoofed IPs.

Application Targeted DDoS

This graph shows the number of established TCP connections that any single source made. The appliance monitors up to 1 million sources. These are clipped to a certain threshold based on past behavior.

Let's play! Hping commands

UDP flood (bandwidth):
hping3 --flood --udp -p 80 -d 14 200.1.1.2

SYN flood (TCP 80):
hping3 --flood -S -p 80 200.1.1.2

More commands:
hping3 -q -n -S -w 64 -p 80 --flood (or --fast / --faster) --rand-source <web server destination-ip>

Useful link! http://wiki.hping.org/94

Sending the attack

Another attack

THANKS!!!!!

