DoS sensors

Understanding the anomalies

Anomaly             Description

tcp_dst_session     If the number of concurrent TCP connections to one destination IP address exceeds the configured threshold value, the action is executed.

udp_flood           If the UDP traffic to one destination IP address exceeds the configured threshold value, the action is executed. The threshold is expressed in packets per second.

udp_scan            If the number of UDP sessions originating from one source IP address exceeds the configured threshold value, the action is executed. The threshold is expressed in packets per second.

udp_src_session     If the number of concurrent UDP connections from one source IP address exceeds the configured threshold value, the action is executed.

udp_dst_session     If the number of concurrent UDP connections to one destination IP address exceeds the configured threshold value, the action is executed.

icmp_flood          If the number of ICMP packets sent to one destination IP address exceeds the configured threshold value, the action is executed. The threshold is expressed in packets per second.

icmp_sweep          If the number of ICMP packets originating from one source IP address exceeds the configured threshold value, the action is executed. The threshold is expressed in packets per second.

icmp_src_session    If the number of concurrent ICMP connections from one source IP address exceeds the configured threshold value, the action is executed.

icmp_dst_session    If the number of concurrent ICMP connections to one destination IP address exceeds the configured threshold value, the action is executed.
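
The table distinguishes counters keyed on a source address from counters keyed on a destination address, and packets-per-second thresholds from concurrent-session thresholds. The following is an added example that models those semantics over constructed traffic; it is not Fortinet code and does not describe how the FortiGate unit implements its sensors. The record formats, one-second buckets, threshold values and addresses are assumptions, and udp_scan is treated as a per-source rate because its threshold is given in packets per second.

```python
from collections import Counter

# Anomaly name -> (protocol, address the counter is keyed on). Names come from the table.
RATE = {"udp_flood": ("udp", "dst"), "udp_scan": ("udp", "src"),  # udp_scan keying assumed
        "icmp_flood": ("icmp", "dst"), "icmp_sweep": ("icmp", "src")}
SESSION = {"tcp_dst_session": ("tcp", "dst"), "udp_src_session": ("udp", "src"),
           "udp_dst_session": ("udp", "dst"), "icmp_src_session": ("icmp", "src"),
           "icmp_dst_session": ("icmp", "dst")}

def rate_alerts(packets, thresholds):
    """packets: (ts_seconds, proto, src, dst). Flag (anomaly, ip) whose packet
    count in any one-second bucket exceeds the packets-per-second threshold."""
    per_second = Counter()
    for ts, proto, src, dst in packets:
        for name, (p, side) in RATE.items():
            if p == proto and name in thresholds:
                per_second[(name, src if side == "src" else dst, int(ts))] += 1
    return {(n, ip) for (n, ip, _), c in per_second.items() if c > thresholds[n]}

def session_alerts(events, thresholds):
    """events: (ts, 'open'|'close', proto, src, dst), time-ordered. Flag
    (anomaly, ip) whose count of concurrently open sessions exceeds the threshold."""
    live, hits = Counter(), set()
    for _ts, kind, proto, src, dst in events:
        for name, (p, side) in SESSION.items():
            if p == proto and name in thresholds:
                key = (name, src if side == "src" else dst)
                live[key] += 1 if kind == "open" else -1
                if live[key] > thresholds[name]:
                    hits.add(key)
    return hits

# Constructed sample traffic (documentation address ranges), not captured data.
PACKETS = (
    # six sources each send one UDP packet to the same host within second 10
    [(10.0 + i / 10, "udp", f"192.0.2.{i + 1}", "198.51.100.5") for i in range(6)]
    # one source pings four different hosts within second 11
    + [(11.0 + i / 10, "icmp", "192.0.2.9", f"198.51.100.{i + 20}") for i in range(4)]
)
EVENTS = (
    # three TCP sessions to one host held open at once
    [(20 + i, "open", "tcp", f"192.0.2.{i + 1}", "198.51.100.5") for i in range(3)]
    # three sequential TCP sessions to another host, each closed before the next opens
    + [(30 + i, k, "tcp", "192.0.2.7", "198.51.100.6")
       for i, k in enumerate(["open", "close"] * 3)]
)
THRESHOLDS = {"udp_flood": 5, "udp_scan": 5, "icmp_flood": 3, "icmp_sweep": 3,
              "tcp_dst_session": 2}

if __name__ == "__main__":
    print(sorted(rate_alerts(PACKETS, THRESHOLDS)))
    print(sorted(session_alerts(EVENTS, THRESHOLDS)))
```

The same six UDP packets exceed the per-destination udp_flood threshold without exceeding the per-source udp_scan threshold, and the sequential TCP sessions never raise tcp_dst_session because they are not open at the same time.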

 

 

FortiGate IPS User Guide Version 3.0 MR7

 

01-30007-0080-20080916
