ftnt minixte13 -at fortiddos
TRANSCRIPT
7/22/2019 Ftnt Minixte13 -At Fortiddos
1/119
March 31, 2014
Fortinet PowerPoint Template
First Quarter, 2012
Mini Xtreme Team 2013
FortiDDoS
7th and 8th August 2013, Montevideo, Uruguay.
Agenda
1. DDoS Overview
2. DDoS Solutions
3. Fortinet DDoS
4. Labs
Remembering the OSI Model....
The Open Systems Interconnection (OSI) model is a conceptual model that characterizes and standardizes the internal functions of a communications system by partitioning it into abstraction layers.
What is a DoS Attack?
An attack designed to take a resource, application or service and deny access to legitimate users.
TERMINOLOGY
DoS: Denial-of-Service
DDoS: Distributed Denial-of-Service
LDoS: Low-Rate Denial-of-Service
PDoS: Permanent Denial-of-Service
PPS: Packets Per Second
Types of DoS (Denial of Service)
Denial-of-service attack (DoS attack): an attempt to make a machine or network resource unavailable to its intended users.
DDoS (Distributed denial of service): occurs when multiple systems flood the bandwidth or resources of a targeted system, usually one or more web servers.
LDoS (Low-Rate Denial of Service): an LDoS attack exploits TCP's slow-time-scale dynamics of retransmission time-out (RTO) mechanisms to reduce TCP throughput.
PDoS (Permanent Denial of Service): a PDoS is an attack that damages a system so badly that it requires replacement or reinstallation of hardware. A PDoS attack exploits security flaws which allow remote administration on the management interfaces of the victim's hardware, such as routers, printers, or other networking hardware.
Example of attack
(Chart: traffic on the X axis, from 1 to 10000, against web server CPU/MEM from 1 to 100.)
Application Targeted DDoS (L7)
Targets well known and required services: Email/SMTP, DNS, Web/HTTP, SQL, SSH
Requires sophisticated tools able to update and adapt; these exist today
Deliberately avoids high bandwidth usage to keep "low (and slow)"
Application-based DDoS is on the increase, accounting for a quarter of all attacks
Continuously evolving to evade detection of the attack and protect the identity of the attacker
Type of Attack
Volumetric Attack: Designed to consume available Internet bandwidth or overload server resources. Typical examples: SYN Flood, UDP Flood, ICMP Flood, SMURF attacks.
Application Layer Attacks: More sophisticated, attractive to the attacker since they require less resource to carry out (botnet costs). Target vulnerabilities in applications to evade flood detection strategies.
Cloud Infrastructure Attacks: Cloud solutions can turn the Internet into the Corporate WAN. Modern attackers target the full range of cloud infrastructure (firewall, mail & web servers). Mitigation can be complex and any attack can impact multiple customers.
Spoofed Attacks: fewer machines, limited power
Non-Spoofed Bot Clients: more machines, higher power
Bot Servers: more power, more bandwidth
Socially Engineered: more with less
Who's likely to be interested in a DDoS?
Companies that are/have been targets of Denial of Service attacks
Hosting or Cloud provider services
Ecommerce
Online Gaming & Gambling
Medium and larger Enterprises with an internet presence
Any company that has recently been or is actively being attacked
Some Traditional Attacks
SYN Flood: Targets connection table resources. Layer 3 attack. Target flooded with TCP SYN packets.
UDP Flood: Targets CPU and network traffic resources. Layer 3 attack. Floods the server with random UDP connections.
Some Traditional Attacks
ICMP Flood (SMURF, Ping Flood)
SMURF: Packets sent with the source being a false IP. Layer 3 attack. Turns the server into an attacker and consumes resources.
Some Traditional Attacks
Ping Flood: Echo requests sent without waiting for a reply. Layer 3 attack. Consumes bandwidth.
One common method of combating a ping flood attack is to block ICMP traffic.
The Slowloris Attack
Targets HTTP from a single client machine
Not new, dates from 2009
Opens a connection to a web server (not all servers are vulnerable)
Sends legitimate, but partial, never-ending requests (GET, HEAD, POST with X-a headers), sending something periodically to prevent a timeout
Sockets are held open: no more sockets, no more service
Myths about DDoS attacks
It happens to others
Software fixes can solve DDoS attack issues
IPTABLES can stop DDoS attacks
The webhost will take care of DDoS attacks
ISPs of the world co-operate
ACLs on switches/routers can stop DDoS attacks
Pipes will fill anyway, so what's the point
Law enforcement is easy to approach in case of DDoS attacks
DoS Protection Options
Scrubbing Service from Internet or Cloud Service Providers
Model: Managed service subscription model. Usually separate detection and mitigation.
Pros: Easy sign up and deployment.
Cons: Expensive, inflexible, costs can rise during an attack.
Firewall / IPS
Model: Integrated device for FW/IPS and DDoS prevention.
Pros: Single device, simplified architecture, fewer units to manage.
Cons: Not designed to detect/block sophisticated DDoS attacks; typically requires an update license.
Dedicated Device
Model: Inline detection, mitigation and reporting. Auto detection of a wide range of DDoS attacks.
Pros: Cost effective, no unpredictable or hidden charges. Multi-layer, accurate, fast, scalable and easy to deploy.
Cons: Additional network element.
What about botnets....
In its most basic form, a botnet is a group of computers that have been infected with malware that allows its controller (or master) to take some measure of control over the infected machine.
It is used by its master to perform a range of unsavory activities without the knowledge of the victim. Once infected with botnet malware, the computer becomes a mindless "zombie" ready to do the bidding of its master.
Cybercriminals use botnets to generate revenue in many different ways:
DDoS attacks
Spamming
Financial Fraud
Search Engine Optimization (SEO) poisoning
Pay-per-Click (PPC) fraud
Bitcoin mining
Corporate and Industrial Espionage
How could I be infected with a botnet?
Drive-by download: Simply visiting a malicious site with a PC that hasn't been kept current with security patches and antivirus can download and execute malware on the user's PC, thus adding to that botnet's ranks.
Email: A more traditional yet still popular method of botnet infection is through a user opening email with malicious content, often sent by someone the user knows and trusts (whose system is likely infected with a botnet).
Pirated software: Malware developers often hide malicious code inside a software download, which then installs itself on a victim's machine when the user opens the executable.
How to determine that an infection has occurred
System running slower than usual
Hard drive LED is flashing wildly even though it's in idle mode
Files and folders have suddenly disappeared or have been changed in some fashion
A friend or colleague has informed the user that they have received a spam email from their email account
A firewall on the computer informs the user that a program on the PC is trying to connect to the Internet
A launch icon from a program downloaded from the Internet suddenly disappears
More error messages than usual are popping up
An online bank is suddenly asking for personal information it has never required before
Agenda
1. DDoS Overview
2. DDoS Solutions
3. Fortinet DDoS
4. Labs
Anti DDoS appliances
Carrier DDoS mitigation solutions
Useful for global networks, carriers and ISPs
Based on IP flow-based and deep packet inspection technologies protecting the entire network
Solutions too expensive for individual IDCs (Internet Data Centers), webhosts or web properties
Solutions designed around early 2000; they cannot mitigate the new generation of DDoS attacks which involve botnets that mimic legitimate clients
Anti DDoS appliances
Custom logic (FPGA or ASIC) based Internet data center (IDC), web hosting and web property DDoS mitigation solutions
They work to protect one or several Internet links.
The behavioral solutions are implemented in custom hardware logic and provide line rate performance for large attacks.
These solutions are cost-effective and effective for IDCs, webhosts and web properties.
Anti DDoS appliances
Software based web property DDoS mitigation solutions
These solutions are useful for smaller web properties with very minimal traffic.
The behavioral solutions are implemented on off-the-shelf CPUs and have trouble keeping up at large attack traffic volumes.
Some appliances have IPS functionality implemented in hardware but have their DDoS mitigation logic in software and suffer from the same issues.
Hardening from a DDoS point of view in the enterprise
Firewalls, switches, Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are not enough.
Upcoming techniques
SYN Proxy: SYN Proxy is a mechanism, usually done by intermediate appliances that sit before the actual server and proxy the responses. Until the spoofed or un-spoofed IPs respond with the ACK, the connection requests are not forwarded.
More techniques
Connection limiting: Too many connections can cause a server to be overloaded. By limiting the number of new connection requests, you can temporarily give the server respite.
Just one more......
Aggressive Aging: Some botnet attacks involve opening a legitimate connection and not doing anything at all. Such idle connections fill up the connection tables in firewalls and servers. By aggressively aging such idle connections, you can provide some relief to them.
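The connection limiting and aggressive aging techniques above, together with the idle-socket pattern of the Slowloris slide, as an added simulation (example code written for this page, not FortiDDoS code): a per-source cap on concurrent connections plus an ager that evicts idle and slow-transfer connections. The cap, idle timeout, byte-rate floor, grace period, addresses and timeline are all assumed or constructed.

```python
"""Connection limiting plus aggressive aging, simulated on a constructed timeline.

Example code written for this page, not FortiDDoS code. Two mitigations from
the slides are modelled: a cap on concurrent connections per source, and an
ager that drops connections which are idle, or which hold an unfinished request
while transferring almost nothing (the Slowloris pattern: open a socket, send a
partial request, trickle one header line at a time to dodge the server's own
timeout). The cap, timeout, byte-rate floor and grace period are assumed values.
"""
from dataclasses import dataclass, field


@dataclass
class Conn:
    src: str
    opened_at: float
    last_activity: float
    bytes_seen: int = 0
    request_complete: bool = False


@dataclass
class ConnectionTable:
    max_per_source: int = 3          # assumed cap on concurrent connections per source
    idle_timeout: float = 10.0       # seconds; shorter than a typical server keepalive
    min_bytes_per_sec: float = 50.0  # assumed floor for an unfinished request
    grace_period: float = 15.0       # seconds before the byte-rate floor applies
    table: dict = field(default_factory=dict)      # conn_id -> Conn
    rejected: list = field(default_factory=list)   # (conn_id, src, time)
    aged_out: list = field(default_factory=list)   # (conn_id, src, reason)

    def count_for(self, src):
        return sum(1 for c in self.table.values() if c.src == src)

    def open(self, conn_id, src, now):
        """Connection limiting: refuse a new connection once the source holds the cap."""
        if self.count_for(src) >= self.max_per_source:
            self.rejected.append((conn_id, src, now))
            return False
        self.table[conn_id] = Conn(src, now, now)
        return True

    def data(self, conn_id, now, nbytes, complete=False):
        """Record bytes on a connection; ignored if the connection is already gone."""
        c = self.table.get(conn_id)
        if c is None:
            return
        c.last_activity = now
        c.bytes_seen += nbytes
        c.request_complete = c.request_complete or complete

    def close(self, conn_id):
        self.table.pop(conn_id, None)

    def age(self, now):
        """Aggressive aging: drop idle connections, and drop unfinished requests whose
        byte rate since open is below the floor once the grace period has passed."""
        for conn_id, c in list(self.table.items()):
            idle = now - c.last_activity > self.idle_timeout
            elapsed = now - c.opened_at
            slow = (not c.request_complete and elapsed >= self.grace_period
                    and c.bytes_seen / elapsed < self.min_bytes_per_sec)
            if idle or slow:
                self.aged_out.append((conn_id, c.src, "idle" if idle else "slow"))
                del self.table[conn_id]


def run_scenario():
    """Replay a constructed timeline: one normal client and one slow sender.

    Addresses are constructed (RFC 5737 documentation ranges)."""
    t = ConnectionTable()
    legit, slow = "198.51.100.7", "203.0.113.5"
    t.open("c1", legit, 0.0)                 # normal request: complete in 200 ms, close
    t.data("c1", 0.2, 400, complete=True)
    t.close("c1")
    for i in range(5):                       # slow sender tries to hold five sockets
        t.open(f"a{i}", slow, float(i))      # only three are admitted
    for now in (8.0, 16.0):                  # one header line every 8 s keeps them "active"
        for i in range(3):
            t.data(f"a{i}", now, 12)
        t.age(now)
    t.open("c2", legit, 20.0)                # second normal request during the attack
    t.data("c2", 20.1, 380, complete=True)
    for i in range(3):
        t.data(f"a{i}", 24.0, 12)            # data for already-aged sockets is ignored
    t.age(24.0)
    t.age(30.0)                              # c2 is idle 9.9 s: below the timeout, kept
    return {
        "rejected": len(t.rejected),
        "aged_out": sorted(r for _, _, r in t.aged_out),
        "still_open": sorted(t.table),
    }


if __name__ == "__main__":
    print(run_scenario())
```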
Attack Tools
Many and varied: configurable Perl scripts, executables, JavaScript; Windows, OSX, Android
Distributed as: stress tester utilities, development toolkits, malware
Used to create: individual attacks, voluntary hacktivist attacks, botnet driven attacks, booster scripts
Most popular tool: LOIC (Low Orbit Ion Cannon)
Low Orbit Ion Cannon (LOIC) is an open source network stress testing and denial-of-service attack application, written in C#.
Software packet generators
Nemesis, Hping, T50, Rude and crude, Scapy, D-ITG, Pktgen, Packet generator, Packet excalibur, Packgen
and much more on this site: http://www.protocog.com/trgen.html
Type of testing attacks
Over the Internet, one can launch Layer 3, 4 or 7 attacks.
Examples of Layer 3 attacks are protocol floods such as ICMP floods, TCP floods and fragment floods.
Examples of Layer 4 floods are port floods (TCP or UDP).
Examples of Layer 7 floods are URL floods. In this attack, a single URL is continuously attacked from multiple sources.
Agenda
1. DDoS Overview
2. DDoS Solutions
3. Fortinet DDoS
4. Labs
Finally! Let's talk about FortiDDoS!!
FortiDDoS Hands On! Value Proposition
Continuous and Adaptive Learning
Device information
Root access is not available for end-users and partners; SEs can get the password in specific use cases. The password is stored based on the serial number.
Limited CLI available through Console or SSH
Default user account/password: fortiddos/rootpasswd
Behavioral Analysis and Rate Based System
No signatures!
Because the FortiDDoS uses behavior and rate-based analysis, it provides a positive security model for protection against attacks the hackers haven't even thought up yet. No administrative intervention is required, and the Intrusion Gateway is on guard 24/7, automatically protecting your network systems and bandwidth.
Overall System Architecture: FDD100A
(Diagram: Management path, Data paths and PCI Bus.)
Overall System Architecture: FortiDDoS-300A
(Diagram: Management path and Data paths.)
FortiDDoS-100A
2U Appliance, provides dual link protection
Specification
LAN: 2 x 1G (copper and optical)
WAN: 2 x 1G (copper and optical)
FortiASIC: 2 x FortiASIC-TP1
RAM: 4G
Storage: 1TB HDD
Management: 1 x RJ45 10/100/1000
Power: Single AC
Protection: 1Gbps full duplex
FortiDDoS-200A
3U Appliance, provides protection for up to 4 links
Specification
LAN: 4 x 1G (copper and optical)
WAN: 4 x 1G (copper and optical)
FortiASIC: 4 x FortiASIC-TP1
RAM: 8G
Storage: 2 x 1TB HDD RAID
Management: 1 x RJ45 10/100/1000
Power: Dual Redundant AC
Protection: 2Gbps full duplex
FortiDDoS-300A
4U Appliance, provides protection for up to 6 links
Specification
LAN: 6 x 1G (copper and optical)
WAN: 6 x 1G (copper and optical)
FortiASIC: 6 x FortiASIC-TP1
RAM: 8G
Storage: 2 x 1TB HDD RAID
Management: 1 x RJ45 10/100/1000
Power: Dual Redundant AC
Protection: 3Gbps full duplex
FortiDDoS = Continuous Protection
24x7, 365 days
Deployment Scenarios
Traffic Bypass & FortiBridge
Virtual Partitions (VID) = multiple Protection Profiles
Deployment Scenarios (Cont'd.)
Internal vs. External Pairing
External Pairing
Requires the external device to be configured with a mirrored port
Load for copying packets is handled by the external device
Internal Pairing
No external configuration required
Load for copying packets is handled by FortiDDoS
Some bandwidth is taken out in order to copy packets: a 1.4 Gbps channel is the new limit; if traffic exceeds about 700 Mbps (full duplex) it will be dropped
Setting up an Asymmetric Pair
(Diagram: Internet and Network sides of the pair.)
Asymmetric Pair
Baseline Building
How Does It Work?
FortiASIC Traffic Processor (TP)
Packets/Source/Second
SYN Packets/Second
Connection Establishments/Second
SYN Packets/Source/Second
Connections/Second
Concurrent Connections/Source
Concurrent Connections/Destination
Packets/Port/Second
Fragmented packets/Second
Protocol packets/Second
Same URL/Second
Same User-Agent/Host/Referer/Cookie/Second
Same User-Agent, Host, Cookie, Referer/Second
Anti-Spoofing checks
Associated URLs heuristics
Too many hoops to cross before a set of malicious packets can go through.
Prevents rate, policy and state violations, stealth, slow and fast attacks.
Quick blocking (< 15s), unblocking and re-evaluation (every packet) to avoid false positives.
Can reset server connections upon overload.
FortiASIC Traffic Processor (TP): Virtualization
Decision multiplexer: inbound and outbound packets in; allowed packets out; dropped packets reported via SNMP Traps/MIBs, Syslog and Event Notifications
Control and Statistics
Network, Transport, Application Layer Rate Anomaly Prevention
Dark Address, Geo-location, IP Reputation
Network, Transport, Application Layer Access Control Lists
Anti-spoofing
Network, Transport, Application Layer Header Anomaly Prevention
State Anomaly Prevention
Application Layer Heuristics
Source Tracking
Event/Traffic Statistics, Graphs
Threshold Wizard, Continuous Adaptive Threshold Estimation
Policy Configuration, Archive, Restore
No CPU in the path of the packets
No fast or slow path
No IP/MAC address in the path of the packets
Agenda
1. DDoS Overview
2. DDoS Solutions
3. Fortinet DDoS
4. Labs
LAB: FortiDDoS cookbook installation Guide
The objective of this lab is to be a cookbook for a first FortiDDoS installation.
We know not all partners have an ITF FortiDDoS, so we want to help with a possible first implementation or PoC.
Lab components:
1 x FortiDDoS 200, firmware version: 3.2.1.108
1 x ubuntu web server (target)
1 x backtrack host (hacker)
1 x windows (management host)
Lab Diagram
(Diagram: Web Server; networks 10.1.1.0/24 and 200.1.1.0/24; host .30; WAN 1 and LAN 1 ports.)
Steps:
Required information before start!
IP Management workstation address: 192.168.1.xx/24, connected to the management port.
GUI - Password Recovery Procedure
Connect to the Console and log in using the default user (fortiddos) and its correct password (the new password if changed from default).
fortiddos is the OS user; new admins are considered GUI users.
Issue the CLI command: resetguipasswords
Connecting to the FortiDDoS GUI Management
Access
DEFAULTS ONLY via dedicated Management Port
IP: 192.168.1.1 (Factory Default)
Access: HTTPS (443), (NO HTTP option)
Username: fddroot
Password: rootpasswd
https://192.168.1.1
User: fddroot, Password: rootpasswd
Update the appliance with the latest available version from the support FTP
Upgrading device......
Click on Manage -> Upgrade System
Search for the .img file downloaded from the support FTP
Execute a full factory reset in the Appliance
Take care with time: this step could take up to 2.5 hours!! This step will not be required if it's a new box.
Manage -> Global -> Factory Defaults
Click on Manage -> Global -> Factory Reset
Select what you want to reset. Look at the warning notification!
Graphical User Interface (GUI)
Configuration: all changes to security settings are there
Manage: first time setup / IP addresses, time, users etc.
Show: all reports can be found here
Manage: event information is found here, not used a lot
Screen elements: current logged user; S/N and license status; time period; select a VID
Fewer options than in a FortiGate
GUI - CONFIGURE
The Configuration menu is split in two sections: CURRENT VID and GLOBAL
When configuring the VID section make sure to select the correct VID
Each section is split up into the different protection features, allowing for granular application at Layer 3, 4 and 7
Configure -> Current VID
Configure -> Global
System date
Manage -> Global -> Device Configuration -> system date
Management IP Address
Manage -> Global -> Device Configuration -> IP Address
Creating roles: administrator
Manage -> Configuration -> Roles
Creating roles: Operator
BEST PRACTICE: create operator users for each VID administrator
Creating roles: Super_user
Creating users
How it looks to create a user
Checking physical ports!
In case the FortiDDoS is a 200 or 300, we must set fiber or copper. By default it's copper.
Important: WAN1 and LAN1 must be the same type (both on fiber or both on copper); it is not possible to protect the same link with two types in the FortiDDoS.
Configure -> Interface settings
Always the same type of interface in the same pair
Management Path Failure
Emergency Bypass
Important to know!!!
Block dark addresses by default
But what do "dark addresses" mean? All unreachable network hosts on the Internet
Configure -> Current VID -> Dark Address
1 means enable
0 means disable
Check the operation mode.
It must be in detection mode the first time (unchecked on all VIDs).
Set the configuration mode to learning mode for at least 2 days; an ideal period could be 15 days with normal traffic (the longer the better!!)
Keep monitoring during this period!
Clicking the checkbox automatically enables prevention mode
My Lists
The My Lists feature helps users to define a list of the most common ports (TCP / UDP) or protocols
Default sets are available
Setting the My Lists based on immediate past traffic is the easiest way to begin. FortiDDoS provides you with an easy wizard.
Configure > Current VID > My Lists > Auto Configure
Configuring Virtual Identifiers (Protection Profiles)
Enable this option; depending on the threshold, the FortiDDoS could change the VID
Defining the subnet per VID
Starting the wizard! Baseline report
You need to have a traffic report in place to start the wizard
Show > Current VID > Reports > Traffic Statistics
The configured lists are utilized in two places in the user interface: while configuring thresholds, and while showing traffic graphs.
Max of 512 objects per list
Show -> Current VID -> Reports -> Traffic History
After the baseline report (evaluation time) the FortiDDoS has parameters to autoconfigure the thresholds
Adaptive Learning and My Lists
While FortiDDoS continuously collects traffic statistics for each and every TCP and UDP port and ICMP type/code, it also limits the number of ports for the adaptive threshold estimations to 512 each (per VID).
The 512-port limit for the periodic estimated thresholds that the FortiDDoS device computes is restricted to the TCP/UDP ports listed within the My Lists.
Minimum thresholds for TCP/UDP ports not listed in the My Lists are not adjusted by the Adaptive Learning Engine.
Blocking by suspicious countries!
Blocking by geo-location
Configure -> Global -> Access control list -> layer 3 -> Geo-Location
Deny/Allow sources
If we know a suspicious IP address, it could be a best practice to block it from the beginning.
Configure -> Access Control List -> Layer 3 -> Deny/Allow Sources
If you have IPs blocked in the firewall because of strange behavior in the past, you could put them here!
IP Reputation
It is possible to enable a web reputation service based on the FortiGuard lists.
Configure -> GLOBAL -> Access Control List -> Layer 3 -> IP Reputation
This service is optional and needs to be licensed separately
SKU: FC-10-01H00-140-02-DD
Enable IP reputation for all VIDs
Proxy IPs
Configure -> Access Control List -> Proxy ID
Allows detection of proxy servers and prevents access altogether by blocking that source.
IPv6 Inspection
Configure -> Global -> operating mode
IPv6 ready!
Enables dual stack
Best practices!: Advanced Options.
Configure -> Current VID -> Advanced Options -> Feature Controls -> Layer 4 -> TCP State Machine
Session feature controls:
Foreign Packet Validation: prevents spoofed packets
Aggressive Aging Feature Control
Slow data transfer TCP: helps to prevent Slowloris and similar attacks
Age old TCP Connections Inbound: the FortiDDoS will age out idle connections, protecting the memory resources of the internal target.
Best Practices: Advanced Options (2)
Configure -> Current VID -> Advanced Options -> Feature Controls -> Layer 7 -> Sequential Access
Sequential Access: relates to the feature which ensures that no single IP address retrieves the same URL back to back without accessing any other URLs. This is a normal scripted access behavior and shows anomalous behavior. It helps identify bots.
URLs Per Source: relates to the feature which ensures that no single IP address retrieves more URLs per observation period than defined under the HTTP Advanced menu.
Mandatory HTTP Headers: relates to the feature which ensures that certain HTTP headers are always present in a GET access to the URL. These headers are further defined in the HTTP Advanced menu.
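The three Layer 7 feature controls just described, as an added example run over a constructed access log (example code written for this page, not FortiDDoS code): sequential access on one URL, URLs per source per observation period, and mandatory GET headers. The thresholds, the 60-second observation period, the header set and the log records are assumptions.

```python
"""Layer 7 heuristics from the slide (sequential access, URLs per source per
observation period, mandatory HTTP headers) run over a constructed access log.

Example code written for this page, not FortiDDoS code. The thresholds, the
observation period and the mandatory header set are assumed values; the log
records below are constructed.
"""
from collections import defaultdict, deque

MANDATORY_GET_HEADERS = {"Host", "User-Agent"}   # assumed; configurable in the product


class L7Heuristics:
    def __init__(self, max_sequential=3, max_urls_per_period=10, period=60.0):
        self.max_sequential = max_sequential          # same URL back to back
        self.max_urls_per_period = max_urls_per_period
        self.period = period                          # observation period, seconds
        self.last_url = {}                            # src -> last URL seen
        self.run_length = defaultdict(int)            # src -> consecutive same-URL count
        self.window = defaultdict(deque)              # src -> request times in period

    def check(self, req):
        """Return the heuristics this request violates (empty list if clean)."""
        src, url, ts = req["src"], req["url"], req["ts"]
        hits = []
        # Sequential access: one source fetching the same URL back to back without
        # touching any other URL is scripted behaviour, not a browser.
        self.run_length[src] = self.run_length[src] + 1 if self.last_url.get(src) == url else 1
        self.last_url[src] = url
        if self.run_length[src] >= self.max_sequential:
            hits.append("sequential_access")
        # URLs per source: sliding window of request times over the observation period.
        w = self.window[src]
        w.append(ts)
        while w and ts - w[0] > self.period:
            w.popleft()
        if len(w) > self.max_urls_per_period:
            hits.append("urls_per_source")
        # Mandatory headers: a GET must carry the configured headers.
        if req["method"] == "GET":
            missing = MANDATORY_GET_HEADERS - set(req["headers"])
            if missing:
                hits.append("missing_headers:" + ",".join(sorted(missing)))
        return hits


def summarize(log):
    """Run every record through the heuristics; return {src: {heuristic: count}}."""
    h = L7Heuristics()
    summary = {}
    for req in sorted(log, key=lambda r: r["ts"]):
        per_src = summary.setdefault(req["src"], {})
        for hit in h.check(req):
            per_src[hit] = per_src.get(hit, 0) + 1
    return summary


BROWSER = {"Host": "www.example.test", "User-Agent": "Mozilla/5.0", "Referer": "/"}
SAMPLE_LOG = (
    # a browser loading a page and its assets (constructed)
    [{"ts": 0.0 + 0.1 * i, "src": "198.51.100.20", "method": "GET", "url": u, "headers": BROWSER}
     for i, u in enumerate(["/index.html", "/style.css", "/logo.png", "/about.html"])]
    # a script hammering one URL with a bare Host header (constructed)
    + [{"ts": 1.0 + i, "src": "203.0.113.9", "method": "GET", "url": "/login.php",
        "headers": {"Host": "www.example.test"}} for i in range(12)]
)


if __name__ == "__main__":
    for src, counts in summarize(SAMPLE_LOG).items():
        print(src, counts or "clean")
```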
Enabling prevention mode - blocking!
Once the learning period is over and you are satisfied with the threshold settings, set the system to Prevention mode.
From the main menu, select Configure > Global > Operating Mode.
One click adjustment
FortiDDoS has 4 possible options to adjust and configure all the parameters:
Factory defaults
Adjust minimum
Easy setup
System recommended
Let's understand the 4 options!
One click adjustment
Configure -> CURRENT VID -> Blocking Threshold -> Layer 7 -> One Click Adjustment
Factory defaults: This option allows you to set the thresholds in a VID to factory defaults, which is the line rate value.
Adjust Minimum thresholds: You can adjust the minimum thresholds up or down by a certain percentage.
Easy Setup: This option is useful when the appliance has to be deployed in an unknown environment without much time left for training the appliance.
System Recommended Thresholds: This is the most common and recommended way to set the appliance thresholds. The system recommended values are based on the Traffic Statistics Report generated as part of the base-lining process.
One click adjustment
Mitigating attacks in just one click
Prevention/Detection Mode
Passive Detection and Active Prevention
Operating Mode
Deploy the unit.
Best practice: Continue running in detection mode while monitoring the thresholds.
If the system selects packets to drop that are legitimate, adjust the thresholds and check the ACLs and feature controls. If the system reports passing packets that should have been dropped, lower the thresholds or check the ACLs and feature controls.
That's it with the configuration!
And now let's let the FortiDDoS learn, while we get to know more about Forti best practices!
Baseline Monitor Period
Learning should be done on typical traffic for at least one week (7 days).
Note: The FortiDDoS never stops learning traffic patterns and continuously adjusts traffic profiles using an Adaptive Learning Engine. The initial learning period should be attack-free, should be long enough to be a representative period of normal network activity, and should be long enough to encompass both seasons of high and low activity. Seven days will often provide a reasonable profile of normal traffic.
Adaptive Threshold Estimation: Set it and Forget It
Set it and Forget It
(Chart: Port 80 Traffic in Mbps, 0 to 600, Jan-03 to Jul-11 by month. Series: Traffic Observation, Forecast, Threshold, Fixed Minimum Threshold, Adaptive Threshold, Uppermost Threshold, Fixed Threshold. Annotations: "Typical Attack"; "Not an attack due to gradual increase in traffic due to a trend!!"; 24x7, 365 days.)
IntruGuard Devices confidential and proprietary
Adaptive Thresholds
Adaptive Thresholds: fine-tunes/automatically adjusts the configured minimum thresholds over time by predicting traffic flows based on current and past statistics.
Adaptive Threshold Limit: restricts the threshold adjustments to a set maximum percent (default 150%) above the set minimum threshold value.
Where should the Threshold be to detect floods?
(Chart: Port 80 Traffic in Mbps, 0 to 450, Apr-01 to Aug-13 by month, with three candidate threshold lines marked "Here", "Here" and "Or Here?".)
Flood Threshold Detection Needs
Determine a trend over time. E.g. a gradual increase in web traffic over a two month period due to an increase in subscribers.
Determine a seasonal trend or cycle. E.g. web traffic increases in the morning hours, peaks in the afternoon and declines late at night.
Determine seasonal variability. E.g. web traffic fluctuates more during peak hours but hardly varies at all during the night.
Determine aberrant behavior. E.g. web traffic deviates too far from its normal and forecasted traffic.
Types of Forecasting Models
Types and Methods of Forecasting
Qualitative: naive methods, eye-balling the numbers; based on experience and judgment.
Quantitative: based on data and statistics. Formal methods systematically reduce forecasting errors: time series models (e.g. exponential smoothing); causal models (e.g. regression).
Focus here on Time Series Models
Assumptions of Time Series Models: there is information about the past; the pattern of the past will continue into the future.
(Chart: Port 80 Traffic in Mbps, 0 to 450, Apr-01 to Aug-13 by month.)
Complicating Factors with Simple Smoothing
Simple Exponential Smoothing does not allow you to predict the future accurately.
It must be adapted for data series which exhibit a definite trend.
It must be further adapted for data series which exhibit seasonal patterns.
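The trend and seasonality adaptations the slides call for, together with the adaptive threshold, fixed minimum and 150% limit described on the Adaptive Thresholds slide, as one added example (written for this page, not FortiDDoS code): additive Holt-Winters forecasting turned into a clamped threshold, and checked against the "gradual increase is not an attack" case from the chart. The season length, the 30% headroom over the forecast, the reading of "150% above the minimum" as a cap of 2.5 x minimum, and the traffic series are all assumptions.

```python
"""Adaptive threshold estimation with a trend- and season-aware forecast.

Example code written for this page, not FortiDDoS code. The slides say simple
exponential smoothing must be extended for trend and for seasonality; this is
additive Holt-Winters (level, trend, seasonal components) used to forecast the
next period, with the forecast turned into a threshold that is never below the
fixed minimum threshold and never above the adaptive threshold limit. Reading
"150% above the minimum" as a cap of minimum x 2.5, the 30% headroom over the
forecast, the season length and the traffic series are all assumptions.
"""


def holt_winters_fit(y, m, alpha=0.3, beta=0.1, gamma=0.2):
    """Fit additive Holt-Winters to series y with season length m.

    Returns (level, trend, seasonal) where seasonal has one entry per observation.
    Initialisation: level aligned to the end of the first season, trend from the
    difference between the first two seasonal means, seasonal indices detrended."""
    if len(y) < 2 * m:
        raise ValueError("need at least two full seasons of history")
    mean1 = sum(y[:m]) / m
    mean2 = sum(y[m:2 * m]) / m
    trend = (mean2 - mean1) / m
    level = mean1 + trend * (m - 1) / 2
    seasonal = [y[i] - (level - trend * (m - 1 - i)) for i in range(m)]
    for t in range(m, len(y)):
        s_prev = seasonal[t - m]
        new_level = alpha * (y[t] - s_prev) + (1 - alpha) * (level + trend)
        trend = beta * (new_level - level) + (1 - beta) * trend
        level = new_level
        seasonal.append(gamma * (y[t] - level) + (1 - gamma) * s_prev)
    return level, trend, seasonal


def holt_winters_forecast(state, m, h=1):
    """Forecast h periods ahead from a fitted state."""
    level, trend, seasonal = state
    return level + h * trend + seasonal[len(seasonal) - m + (h - 1) % m]


def adaptive_threshold(forecast, minimum, limit_pct=150.0, headroom=0.3):
    """Threshold = forecast plus headroom, clamped to [minimum, minimum * (1 + limit_pct/100)]."""
    cap = minimum * (1 + limit_pct / 100.0)
    return max(minimum, min(cap, forecast * (1 + headroom)))


# Constructed port-80 traffic in Mbps: five "days" of four periods (night, morning,
# afternoon, evening) with a steady upward trend, the trend-plus-cycle case of the slides.
SEASON = [-30.0, 10.0, 40.0, -20.0]
SERIES = [100.0 + 2.0 * t + SEASON[t % 4] for t in range(20)]
FIXED_MINIMUM = 120.0   # assumed fixed minimum threshold


def evaluate(series=SERIES, minimum=FIXED_MINIMUM, m=4):
    """Forecast the next periods and classify candidate observations."""
    state = holt_winters_fit(series, m)
    fc1 = holt_winters_forecast(state, m, 1)            # next period (a "night")
    fc3 = holt_winters_forecast(state, m, 3)            # next "afternoon" peak
    thr1 = adaptive_threshold(fc1, minimum)
    thr3 = adaptive_threshold(fc3, minimum)
    return {
        "forecast_next": fc1,
        "threshold_next": thr1,
        "trend_observation_is_flood": fc1 > thr1,        # traffic on trend: no alarm
        "spike_observation_is_flood": fc1 * 3.0 > thr1,  # 3x forecast: alarm
        "peak_trips_fixed_120": fc3 > minimum,           # a static line would alarm on growth
        "peak_trips_adaptive": fc3 > thr3,               # the adaptive line does not
    }


if __name__ == "__main__":
    for k, v in evaluate().items():
        print(k, v)
```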
SYN FLOOD PREVENTION - 1
SYN flood thresholds are bi-directional and on a per-VID basis as well as per destination (corresponding to the most active destination). You can control these individually.
FortiDDoS stores non-spoofed IP addresses that have completed a three-way handshake successfully in a large table called the Legitimate IP (LIP) Address table. This table retires entries every 5 minutes, so it holds the IP addresses which have recently connected successfully. Under a SYN flood situation, i.e. when the SYN flood threshold is crossed, the LIP table is used to validate new connections: if the new connection request is from an address in this table it is allowed, otherwise it is denied.
Foreign Packet Validation
When enabled, the TCP state machine will ensure that foreign TCP packets without an existing TCP connection entry are dropped. This is disabled by default to prevent issues when the box is first deployed; wait for an hour after deployment before enabling it.
Some reasons you will see high numbers:
Detection Mode: the box thinks it dropped packets and therefore removed the session.
Time-out differences between servers and the IG appliance: the TCP time-out on the DDoS appliance is mostly lower than the one configured on the servers. Most of the time the dropped packets are just resets, so they can be ignored.
HTTP browser behavior: people surfing from one site to another don't close the session to the server (only after closing the browser).
Because the number is high, source IP info is not stored!
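The SYN flood fallback and the foreign-packet check described on these two slides share one piece of state, the connection table, so the following example models both together. It is added here for illustration and is not FortiDDoS code: the 5-SYNs-per-second flood threshold, the 1-second window, the packet sequence and every address in it are constructed for the example; only the 5-minute LIP retirement comes from the slide.

```python
"""SYN-flood fallback with a Legitimate IP (LIP) table plus foreign-packet
validation, modelled on the two slides above. Added example, not FortiDDoS
code: the 5-SYN/second flood threshold, the 1-second window, the packet
sequence and all addresses are constructed here."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # subset of "SAFR": SYN, ACK, FIN, RST ("SA" = SYN-ACK)
    inbound: bool    # True = from the Internet towards the protected server


class SynFloodMitigator:
    def __init__(self, syn_threshold=5, lip_ttl=300.0, foreign_validation=False):
        self.syn_threshold = syn_threshold   # SYNs per 1 s window (assumed value)
        self.lip_ttl = lip_ttl               # slide: LIP entries retire after 5 minutes
        self.foreign_validation = foreign_validation
        self.lip = {}      # source IP -> time its last three-way handshake completed
        self.conns = {}    # (client, cport, server, sport) -> "SYN" | "SYNACK" | "EST"
        self._win_start = None
        self._win_syns = 0

    @staticmethod
    def _key(p):
        # Both directions of one flow share an entry, keyed client-first.
        if p.inbound:
            return (p.src, p.sport, p.dst, p.dport)
        return (p.dst, p.dport, p.src, p.sport)

    def in_lip(self, ip, now):
        seen = self.lip.get(ip)
        if seen is None:
            return False
        if now - seen > self.lip_ttl:    # retire stale entries lazily
            del self.lip[ip]
            return False
        return True

    def _syn_flood(self, now):
        if self._win_start is None or now - self._win_start >= 1.0:
            self._win_start, self._win_syns = now, 0
        self._win_syns += 1
        return self._win_syns > self.syn_threshold

    def handle(self, p, now):
        """Return ("allow" | "drop", reason) for one packet seen at time now."""
        key = self._key(p)
        state = self.conns.get(key)
        if p.inbound and p.flags == "S":
            if self._syn_flood(now) and not self.in_lip(p.src, now):
                return "drop", "SYN flood and source not in LIP table"
            self.conns[key] = "SYN"      # a real engine also ages these out
            return "allow", "SYN"
        if not p.inbound and p.flags == "SA":
            if state == "SYN":
                self.conns[key] = "SYNACK"
            return "allow", "SYN-ACK"    # the outbound side is not policed here
        if p.inbound and state is None and self.foreign_validation:
            return "drop", "foreign packet: no connection entry"
        if "R" in p.flags or "F" in p.flags:
            self.conns.pop(key, None)
            return "allow", "teardown"
        if p.inbound and state == "SYNACK" and "A" in p.flags:
            self.conns[key] = "EST"
            self.lip[p.src] = now        # handshake done: this source is not spoofed
            return "allow", "handshake complete"
        return "allow", ("established" if state == "EST" else "unvalidated")


def demo():
    server, client = "203.0.113.10", "198.51.100.7"   # constructed addresses

    def syn(src, sport):
        return Packet(src, sport, server, 80, "S", True)

    m = SynFloodMitigator()
    # 1. The client completes a handshake at t=0 and enters the LIP table.
    handshake = [m.handle(syn(client, 40000), 0.00)[0],
                 m.handle(Packet(server, 80, client, 40000, "SA", False), 0.01)[0],
                 m.handle(Packet(client, 40000, server, 80, "A", True), 0.02)[0]]
    # 2. t=100: ten SYNs from never-seen sources in one second cross the threshold.
    burst = [m.handle(syn(f"192.0.2.{i}", 50000 + i), 100.0)[0] for i in range(1, 11)]
    # 3. Same flood window: the known client opens a new connection and is let through.
    during = m.handle(syn(client, 40001), 100.5)[0]
    # 4. t=400: the client's LIP entry is older than 5 minutes, so a flood now blocks it too.
    for i in range(1, 11):
        m.handle(syn(f"192.0.2.{i}", 52000 + i), 400.0)
    late = m.handle(syn(client, 40002), 400.5)[0]
    # 5. Foreign-packet validation: a bare ACK that belongs to no tracked connection.
    stray = Packet("192.0.2.200", 51000, server, 80, "A", True)
    lenient = SynFloodMitigator(foreign_validation=False).handle(stray, 0.0)[0]
    strict = SynFloodMitigator(foreign_validation=True).handle(stray, 0.0)[0]
    return {"handshake": handshake, "burst": burst, "client_during_flood": during,
            "client_after_lip_expiry": late, "stray_ack_lenient": lenient,
            "stray_ack_strict": strict}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Step 4 is the point the slide makes about the 5-minute retirement: a client that has not completed a handshake recently is treated like any unknown source while the flood lasts, which is why the LIP table protects regular users rather than everyone. Step 5 shows why foreign-packet validation is off by default on a freshly deployed box: until the connection table has been populated by observed handshakes, every in-flight session looks foreign.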
Analyzing Attacks
The first indication that an attack has been detected will be the event monitor. If email event notifications are enabled, you can receive a summary of events on your PC, workstation, PDA or even your cell phone. The event notice summarizes the type of attack and the number of dropped packets, to indicate the attack size/scope.
Attacks lasting 5 minutes or more will be represented as spikes in the graphical reports within the GUI.
Examples:
Show > Aggregate Drops lists packets dropped at each layer, allowing you to further refine your search to Layer 3, Layer 4 or Layer 7.
Show > Reports > All lists a dashboard-like summary of all Top Attack Types.
Aggregate Drop Traffic
This graph shows the aggregate dropped traffic and gives you visibility into excess traffic that's getting filtered by the appliance. Packets are dropped due to multiple reasons and are shown in different colors. These are drilled down further in the graphs on the subsequent pages.
Summary over 1 month (Packets Dropped / 3 Hours)
Legend Type   Maximum       Minimum   Average       Total Packets Dropped
Layer 2       0             0         0             0
Layer 3       71,796,072    0         21,262,421    5,273,080,458
Layer 4       375,005,802   300       5,899,631     1,463,108,503
Layer 7       303           0         1             304
Packets Dropped at Layer 3
This graph shows the dropped traffic due to certain Layer 3 reasons, which are shown in the table below.
Summary over 1 month (Packets Dropped / 3 Hours)
Legend Type               Maximum       Minimum   Average       Total Packets Dropped
Protocols                 8,225,652     0         637,875       158,193,111
TOS                       0             0         0             0
IPv4 Options              0             0         0             0
Fragmented Packets        1,157         0         7             1,873
L3 Anomalies              11,870,534    0         79,834        19,798,847
Source Flood              57,013,194    0         20,532,304    5,092,011,434
Misc. Source Flood        289,674       0         1,168         289,675
Destination Flood         2,441,260     0         11,231        2,785,518
Misc. Destination Flood   0             0         0             0
Dark Address Scan         0             0         0             0
Network Scan              0             0         0             0
Packets Dropped at Layer 4
This graph shows the dropped traffic due to certain Layer 4 reasons, which are shown in the table below. More than 1 billion packets were dropped due to SYN flood during this period, and over 58 million packets were dropped due to a few specific IPs sending too many SYN packets/second.
Summary over 1 month (Packets Dropped / 3 Hours)
Legend Type                                     Maximum       Minimum   Average      Total Packets Dropped
TCP Options                                     0             0         0            0
SYN Packets                                     278,119,806   0         5,034,862    1,248,645,939
L4 Anomalies                                    12,549,983    300       54,866       13,606,809
TCP Ports                                       7,194,921     0         165,534      41,052,592
UDP Ports                                       27,297        0         908          225,429
ICMP Types/Codes                                0             0         0            0
Port Scan                                       0             0         0            0
Misc. Drops for Port Scan                       0             0         0            0
Packets Per Connection                          0             0         0            0
Misc. Connection Flood                          71,585        0         6,992        1,734,081
Zombie Flood                                    13,368,886    0         93,770       23,254,968
SYN Packets Per Source                          36,527,319    0         234,548      58,168,070
Excessive Concurrent Connections Per Source     109           0         0            110
Excessive Concurrent Connections Per Destination 0            0         0            0
TCP Packets Per Destination                     0             0         0            0
Packets Dropped at Layer 7
This graph shows the dropped traffic due to certain Layer 7 reasons, which are shown in the table below. The appliances monitor HTTP opcodes, URLs and anomalies and can pinpoint the excesses in any one of these dimensions.
Summary over 1 month (Packets Dropped / 3 Hours)
Legend Type      Maximum   Minimum   Average   Total Packets Dropped
Opcode Flood     303       0         1         304
HTTP Anomalies   0         0         0         0
URL Flood        0         0         0         0
Top Attacks and Top Attacker Reports
FortiDDoS appliances give you visibility into the Top Attacks, Top Attackers, Top Attacked Destinations, etc. for the last 1 hour, 1 day, 1 week, 1 month or 1 year. The IPs shown here are obfuscated.
Overall View Over a Month
These two graphs depict the daily traffic over a month's period in terms of packet rate and Mbps respectively. The upper half is outbound traffic and the lower half (in negative) is inbound traffic. You can see two peaks which correspond to two large inbound attacks.
The purpose of the appliance is to maintain the normal traffic and only pass what's legitimate. That's what it is doing here by dropping the excess packets (shown as the white area under the maroon lines). What's being allowed is the blue area.
View of another link
This graph shows the second link on the same device. This link has larger and continuous attacks over the month's period. As you can see, the appliance maintains the normal behavior and drops the excessive packets.
The maroon line shows what's incoming, and the blue and green lines show what gets out of the appliance after DDoS mitigation based on behavioral analysis. The white envelope is the attack that's getting dropped.
Count of Unique Sources
This graph gives you visibility into the count of unique sources coming to your network. As you can see here, there is a large peak during Week 21 which corresponds to an attack. The number of unique sources almost reached 1 million. These could be spoofed IP addresses too.
Number of Established TCP Connections
This graph shows the number of established TCP connections. Since there is no obvious peak here, while the previous graph of the count of unique sources had a large peak, it means the attackers were primarily spoofed IPs.
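The inference drawn from the last two slides (many new sources, no new established connections, therefore spoofed senders) can be automated over the weekly report series. The example below is added for this page and is not a FortiDDoS report or its code: the 24 weekly counts are constructed to mirror the slides, with the week-21 source spike and no matching rise in connections, plus a second week (15) in which both rise together; the baseline window and the two multipliers are assumptions made here.

```python
"""Spoofed-source indicator from two FortiDDoS-style report series (added
example, not product code). The weekly counts are constructed to mirror the
slides: a unique-source spike in week 21 with no matching rise in established
TCP connections, and a week 15 in which both series rise together."""

# Constructed weekly counts for weeks 1..24 (index 0 = week 1).
UNIQUE_SOURCES = [41000, 43000, 40000, 44000, 42000, 45000, 43000, 42000,
                  44000, 43000, 45000, 42000, 44000, 43000, 150000, 44000,
                  43000, 45000, 44000, 42000, 980000, 45000, 43000, 44000]
ESTABLISHED_TCP = [31000, 32000, 30000, 33000, 31000, 34000, 32000, 31000,
                   33000, 32000, 34000, 31000, 33000, 32000, 120000, 33000,
                   32000, 34000, 33000, 31000, 34000, 34000, 32000, 33000]


def classify_weeks(unique, established, baseline_weeks=8,
                   k_sources=3.0, k_conns=1.5):
    """Return {week: verdict} for every week after the baseline window.

    baseline_weeks: leading weeks used for the reference means (assumed clean).
    k_sources: unique sources above k_sources * baseline count as a spike.
    k_conns:   established connections above k_conns * baseline show that the
               extra sources really completed handshakes.
    """
    if len(unique) != len(established) or len(unique) <= baseline_weeks:
        raise ValueError("series must be equal length and longer than the baseline")
    src_base = sum(unique[:baseline_weeks]) / baseline_weeks
    con_base = sum(established[:baseline_weeks]) / baseline_weeks
    verdicts = {}
    for i in range(baseline_weeks, len(unique)):
        week = i + 1
        src_spike = unique[i] > k_sources * src_base
        con_spike = established[i] > k_conns * con_base
        if src_spike and not con_spike:
            # Many new addresses, no new handshakes: SYNs from senders that
            # never answer, i.e. spoofed sources.
            verdicts[week] = "spoofed-source flood likely"
        elif src_spike and con_spike:
            # Sources and completed connections rise together: real hosts
            # (a legitimate surge or a non-spoofed, connection-based attack).
            verdicts[week] = "real-host surge: inspect Layer 7"
        else:
            verdicts[week] = "normal"
    return verdicts


if __name__ == "__main__":
    for week, verdict in classify_weeks(UNIQUE_SOURCES, ESTABLISHED_TCP).items():
        if verdict != "normal":
            print(f"week {week}: {verdict}")
```

Week 21 reproduces the slides' conclusion; week 15 is the case the slides do not show, where connections rise with the sources and the next place to look is the per-source connection and Layer 7 views rather than the SYN-flood counters.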
Application Targeted DDoS
This graph shows the number of established TCP connections that any single source made. The appliance monitors up to 1 million sources. These are clipped to a certain threshold based on past behavior.
Let's play!
Hping commands!
UDP Flood (bandwidth)
hping3 --flood --udp -p 80 -d 14 200. 200.1.1.2
SYN Flood (TCP 80)
hping3 --flood -S -p 80 200.1.1.2
More commands
hping3 -q -n -S -w 64 -p 80 --flood (--fast or --faster) --rand-source
Useful link! http://wiki.hping.org/94
Sending the attack
Another attack
THANKS!!!!!