Fortinet 5.0 Patch 6 Configuring network-layer DoS protection

Fortinet 351 FortiWeb 5.0 Patch 6 Administration Guide

4. Click OK.

5. Group the rule in a DoS protection policy (see “Grouping DoS protection rules” on

page 355).

6. Select the DoS protection policy in a protection profile (see “Configuring a protection profile

for inline topologies” on page 468).

7. Enable the Session Management option in the protection profile.

Attack log messages contain DoS Attack: HTTP Flood Prevention Violation

when this feature detects an HTTP flood.

Example: HTTP request flood prevention

Assuming you set 10 as the limit, here are three scenarios:

• A client opens a single TCP connection with 8 HTTP GET requests. As long as they all have

the session cookie set by the FortiWeb appliance, it allows the requests.

• A client opens a single TCP connection with 8 HTTP GET requests. One request does not

have the session cookie. The FortiWeb appliance drops the TCP connection (dropping all

sessions).

• Two clients open 2 TCP connections. Each has 6 HTTP requests with the same session

cookie. The FortiWeb appliance blocks the last two requests because there are 12, which

exceeds the 10 limit.

Configuring network-layer DoS protection

The DoS Protection > Network submenu enables you to configure DoS protection at the

network layer.

You can limit the number of fully-formed TCP connections per source IP address. This

effectively prevents TCP flood-style denial-of-service (DoS) attacks.

TCP flood attacks exploit the fact that servers must consume memory to maintain the state of

the open connection until either the timeout, or the client or server closes the connection. This

consumes some memory even if the client is not currently sending any HTTP requests.

Normally, a legitimate client will form a single TCP connection, through which they may make

several HTTP requests. As a result, each client consumes a negligible amount of memory to

track the state of the TCP connection. However, an attacker will open many connections with

Severity When rule violations are recorded in the attack log, each log

message contains a Severity Level (severity_level) field.

Select which severity level the FortiWeb appliance will use when it

logs a violation of the rule:

•Low

•Medium

•High

The default value is High.

Trigger Action Select which trigger, if any, that the FortiWeb appliance will use

when it logs and/or sends an alert email about a violation of the

rule. See “Configuring triggers” on page 557.

Setting name Description