Справочник Пользователя для Fortinet IPS
FortiGate IPS User Guide Version 3.0 MR7
48
01-30007-0080-20080916
Understanding the anomalies
DoS sensors
Protected addresses:
Each entry in the protected address table includes a source and destination IP
address as well as a destination port. The DoS sensor will be applied to traffic
matching the three attributes in any table entry.
address as well as a destination port. The DoS sensor will be applied to traffic
matching the three attributes in any table entry.
Understanding the anomalies
Each DoS sensor offers four configurable statistical anomaly types for each of the
TCP, UDP, and ICMP protocols.
TCP, UDP, and ICMP protocols.
Table 10: The four statistical anomaly types.
For each of the TCP, UDP, and ICMP protocols, DoS sensors offer four statistical
anomaly types. The result is twelve configurable anomalies.
anomaly types. The result is twelve configurable anomalies.
Figure 14: The twelve individually configurable anomalies
Note: A new DoS sensor has no protected address table entries. If no addresses are
entered, the DoS sensor cannot match any traffic and will not function.
entered, the DoS sensor cannot match any traffic and will not function.
Destination
The IP address of the traffic destination. 0.0.0.0/0 matches all addresses. If
the FortiGate unit is running in transparent mode, 0.0.0.0/0 also includes
the management IP address.
Destination
Port
Port
The destination port of the traffic. 0 matches any port.
Source
The IP address of the traffic source. 0.0.0.0/0 matches all addresses.
Add
After entering the required destination address, destination port, and
source address, select Add to add protected address to the Protected
Addresses list. The DoS sensor will be invoked only on traffic matching all
three of the entered values. If no addresses appear in the list, the sensor
will not be applied to any traffic.
Flooding
If the number of sessions targeting a single destination in one second is
over a specified threshold, the destination is experiencing flooding.
Scan
If the number of sessions from a single source in one second is over a
specified threshold, the source is scanning.
Source session
limit
limit
If the number of concurrent sessions from a single source is over a
specified threshold, the source session limit is reached.
Destination
session limit
session limit
If the number of concurrent sessions to a single destination is over a
specified threshold, the destination session limit is reached.
Anomaly
Description
tcp_syn_flood
If the SYN packet rate, including retransmission, to one destination
IP address exceeds the configured threshold value, the action is
executed. The threshold is expressed in packets per second.
tcp_port_scan
If the SYN packets rate, including retransmission, from one source
IP address exceeds the configured threshold value, the action is
executed. The threshold is expressed in packets per second.
tcp_src_session
If the number of concurrent TCP connections from one source IP
address exceeds the configured threshold value, the action is
executed.