Fortinet IPS manual Understanding the anomalies

Page 48

Understanding the anomalies

DoS sensors

Protected addresses:

Each entry in the protected address table includes a source and destination IP address as well as a destination port. The DoS sensor will be applied to traffic matching the three attributes in any table entry.

Note: A new DoS sensor has no protected address table entries. If no addresses are entered, the DoS sensor cannot match any traffic and will not function.

Destination

The IP address of the traffic destination. 0.0.0.0/0 matches all addresses. If

 

the FortiGate unit is running in transparent mode, 0.0.0.0/0 also includes

 

the management IP address.

Destination

The destination port of the traffic. 0 matches any port.

Port

 

Source

The IP address of the traffic source. 0.0.0.0/0 matches all addresses.

Add

After entering the required destination address, destination port, and

 

source address, select Add to add protected address to the Protected

 

Addresses list. The DoS sensor will be invoked only on traffic matching all

 

three of the entered values. If no addresses appear in the list, the sensor

 

will not be applied to any traffic.

Understanding the anomalies

Each DoS sensor offers four configurable statistical anomaly types for each of the

TCP, UDP, and ICMP protocols.

Table 10: The four statistical anomaly types.

Flooding

Scan

Source session limit

Destination session limit

If the number of sessions targeting a single destination in one second is over a specified threshold, the destination is experiencing flooding.

If the number of sessions from a single source in one second is over a specified threshold, the source is scanning.

If the number of concurrent sessions from a single source is over a specified threshold, the source session limit is reached.

If the number of concurrent sessions to a single destination is over a specified threshold, the destination session limit is reached.

For each of the TCP, UDP, and ICMP protocols, DoS sensors offer four statistical anomaly types. The result is twelve configurable anomalies.

Figure 14: The twelve individually configurable anomalies

Anomaly

Description

 

 

tcp_syn_flood

If the SYN packet rate, including retransmission, to one destination

 

IP address exceeds the configured threshold value, the action is

 

executed. The threshold is expressed in packets per second.

 

 

tcp_port_scan

If the SYN packets rate, including retransmission, from one source

 

IP address exceeds the configured threshold value, the action is

 

executed. The threshold is expressed in packets per second.

 

 

tcp_src_session

If the number of concurrent TCP connections from one source IP

 

address exceeds the configured threshold value, the action is

 

executed.

 

 

FortiGate IPS User Guide Version 3.0 MR7

48

01-30007-0080-20080916

Page 47 Page 49
Image 48
Page 47 Page 49
Contents E R G U I D E Trademarks Contents Protocol decoders IPS sensorsDoS sensors SYN flood attacksIntroduction FortiGate IPSAbout this document Fortinet documentationDocument conventions Typographic conventionsFortiGate Pptp VPN User Guide Customer service and technical support Fortinet Knowledge CenterComments on Fortinet technical documentation IPS overview and general configuration IPS settings and controlsThis section contains the following topics When to use IPS Default signature and anomaly settingsDefault fail open setting Config ips global Set fail-open enable disable endSetting the buffer size Configuring logging and alert emailMonitoring the network and dealing with attacks Controlling sessionsAttack log messages Signature Anomaly FortiGuard CenterUsing IPS sensors in a protection profile Creating a protection profile that uses IPS sensorsAdding protection profiles to firewall policies Select Create NewAdding protection profiles to user groups Using IPS sensors in a protection profile Predefined signatures IPS predefined signaturesViewing the predefined signature list Settings EnableColumn Clear All FiltersCreate a sensor and add IPS filters to it Viewing the predefined signature list Custom signatures IPS custom signaturesViewing the custom signature list Custom signature configuration Adding custom signatures using the web-based managerAdding custom signatures using the CLI Command syntax patternCreating custom signatures Custom signature fieldsShows the valid characters for custom signature fields Custom signature syntax AttackidName BufferOverflow SrcportContent keywords Keyword and value Description Deprecated, see pattern and context keywords Pattern GET Context uriPattern yahoo.com Context hostPcre Regex/mdelimRegexdelimismxAEGRU Uri !uristrProtocol tcp IP header keywords Keyword and Value DescriptionTCP header keywords Keyword and Value Description Tcpflags AP Tcpflags S,12UDP header keywords Keyword and Value Description Icmp keywords Keyword and Value UsageOther keywords Keyword and Value Description Example 1 signature to block access to example.com Example custom signaturesSbid --name Block.example.com Sbid --name Block.example.com Example 2 signature to block the Smtp ‘vrfy’ command Sbid --name Block.SMTP.VRFY.CMDSbid --name Block.SMTP.VRFY.CMD --pattern vrfy Creating custom signatures Protocol decoders Protocol decodersUpgrading the IPS protocol decoder list Viewing the protocol decoder list Protocol decoder list Protocols Protocol decoder names PortAlldefault AlldefaultpassIPS sensors Viewing the IPS sensor listConfiguring IPS sensors Adding an IPS sensorProtectclient ProtectemailserverIPS sensor attributes IPS sensor filtersConfiguring filters ResetIPS sensor overrides Delete and Edit Delete or edit the filter IconsConfiguring pre-defined and custom overrides ApplicationExempt IP SourceDoS sensors Configuring DoS sensors Viewing the DoS sensor listSequence in which the sensors examine network traffic Appears, and select OKAnomaly configuration DoS sensor attributesName Enter or change the DoS sensor name Comments Will appear in the DoS sensor listUnderstanding the anomalies Anomaly Description Tcpdstsession UdpfloodUdpscan UdpsrcsessionUnderstanding the anomalies What is a SYN flood attack? SYN flood attacksHow SYN floods work What is SYN threshold? What is SYN proxy?FortiGate IPS Response to SYN flood attacks How IPS works to prevent SYN floodsIPS operation before synflood threshold is reached Configuring SYN flood protection Suggested settings for different network conditionsConfigure the options for tcpsynflood Select OK What is an Icmp sweep? Icmp sweep attacksHow Icmp sweep attacks work FortiGate IPS response to Icmp sweep attacksPredefined Icmp signatures Icmp sweep anomalies Configuring Icmp sweep protection Index FortiGate Version 3.0 MR7 IPS User GuideTechnical support
Top Page Image Contents