Fortinet black logo

Handbook

Configuring a TCP slow data flood protection policy

Configuring a TCP slow data flood protection policy

A Slow Data attack sends legitimate application layer requests but reads responses very slowly. With that, it may attempt to exhaust the target’s connection pool. Slow reading advertises a very small number for the TCP Receive Window size and at the same time empties the client’s TCP receive buffers slowly. This ensures a very low data flow rate.

The attack purpose is to consume the system resources (memory, CPU time) slowly. We can disable the connection when sending many probe packages fails in the zero-window timer.

Before you begin:

  • You must have Read-Write permission for Security settings.

After you have configured HTTP Request Flood policies, you can select them in DoS Protection Profile.

To configure a HTTP Request Flood policy:

  1. Go to DoS Protection > Networking> HTTP Request Flood.
  2. Click Create New to display the configuration editor.
  3. Complete the configuration.

    Name

    Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces.

    Status

    Enable | Disable. If Enable, this policy will be activated, otherwise is inactive.

    Probe Interval

    Set probe interval time for the TCP zero window timer. After receiving a zero window packet, FortiADC will probe the peer side periodically until it returns with >0 window, or when probe count exceeds the max probe-count.

    Probe Count

    Max consecutive zero window probe count.

    Action

    Action after exceed max probe count.

    Pass—if the probe count exceeds probe-count, stop the probe and pass all the packets in both directions.

    Deny—deny the connection with RST.

    Block-period—deny the connection, and block any new connection from the peer side for a period of time.

    Severity

    High—Log as high severity events.

    Medium—Log as a medium severity events.

    Low—Log as low severity events.

    The default value is High.

    Log

    Enable or disable log

  4. Save the configuration.

Configuring a TCP slow data flood protection policy

A Slow Data attack sends legitimate application layer requests but reads responses very slowly. With that, it may attempt to exhaust the target’s connection pool. Slow reading advertises a very small number for the TCP Receive Window size and at the same time empties the client’s TCP receive buffers slowly. This ensures a very low data flow rate.

The attack purpose is to consume the system resources (memory, CPU time) slowly. We can disable the connection when sending many probe packages fails in the zero-window timer.

Before you begin:

  • You must have Read-Write permission for Security settings.

After you have configured HTTP Request Flood policies, you can select them in DoS Protection Profile.

To configure a HTTP Request Flood policy:

  1. Go to DoS Protection > Networking> HTTP Request Flood.
  2. Click Create New to display the configuration editor.
  3. Complete the configuration.

    Name

    Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces.

    Status

    Enable | Disable. If Enable, this policy will be activated, otherwise is inactive.

    Probe Interval

    Set probe interval time for the TCP zero window timer. After receiving a zero window packet, FortiADC will probe the peer side periodically until it returns with >0 window, or when probe count exceeds the max probe-count.

    Probe Count

    Max consecutive zero window probe count.

    Action

    Action after exceed max probe count.

    Pass—if the probe count exceeds probe-count, stop the probe and pass all the packets in both directions.

    Deny—deny the connection with RST.

    Block-period—deny the connection, and block any new connection from the peer side for a period of time.

    Severity

    High—Log as high severity events.

    Medium—Log as a medium severity events.

    Low—Log as low severity events.

    The default value is High.

    Log

    Enable or disable log

  4. Save the configuration.