Fortinet 32 FortiWeb 5.0 Patch 6 Administration Guide
DoS attacks
A denial of service (DoS) attack or distributed denial-of-service attack (DDoS attack) is an
attempt to overwhelm a web server/site, making its resources unavailable to its intended users.
DoS assaults involve opening vast numbers of sessions/connections at various OSI layers and
keeping them open as long as possible to overwhelm a server by consuming its available
sockets. Most DoS attacks use automated tools (not browsers) on one or more hosts to
generate the harmful flood of requests to a web server.
A DoS assault on its own is not true penetration. It is designed to silence its target, not for theft.
It is censorship, not robbery. In any event, a successful DoS attack can be costly to a company
in lost sales and a tarnished reputation. DoS can also be used as a diversion tactic while a true
exploit is being perpetrated.
The advanced DoS prevention features of FortiWeb are designed to prevent DoS techniques,
such as those examples listed in Tab le 3, from succeeding. For best results, consider creating a
DoS protection policy that includes all of FortiWeb’s DoS defense mechanisms, and block traffic
that appears to originate from another country, but could actually be anonymized by VPN or Tor.
SQL
injection
The web application inadvertently
accepts SQL queries as input.
These are executed directly
against the database for
unauthorized disclosure and
modification of data.
Rely on key word
searches, restrictive
context-sensitive
filtering and data
sanitization techniques.
Parameter
Validation
Hidden Fields
Protection
SQL Injection
Malformed
XML
To exploit XML parser or data
modeling bugs on the server, the
client sends incorrectly formed
tags and attributes.
Validate XML formatting
for closed tags and other
basic language
requirements.
Illegal XML Format
Caution: Unlike
XML protection
profiles in previous
versions of
FortiWeb, Illegal
XML Format does
not check for
conformity with the
object model or
recursive
payloads.
Tabl e 2 : Web-related threats
Attack
Technique
Description Protection FortiWeb Solution