Fortinet Document Library

CLI Reference

config security dos tcp-slowdata-attack-protection

A Slow Data attack sends legitimate application-layer requests but reads the responses very slowly, in an attempt to exhaust the target's connection pool. The slow reading is achieved by advertising a very small TCP receive window size while emptying the client's TCP receive buffers slowly, which keeps the data flow rate very low.

The purpose of the attack is to consume system resources (memory, CPU time) slowly. FortiADC can terminate the connection when the peer does not reopen its window in response to zero-window probes within the zero-window timer.

Syntax

    config security dos tcp-slowdata-attack-protection
      edit <name>
        set probe-interval-time <integer>
        set probe-count <integer>
        set action [ pass | deny | block-period ]
        set block-period <integer>
        set severity [ high | medium | low ]
        set log [ enable | disable ]
      next
    end

CLI specification

| CLI Parameter | Help message | Type | Scope | Default | Must |
|---|---|---|---|---|---|
| probe-interval-time | Probe internal timer for zero-window probe | char | 0-256 | 30 | No |
| probe-count | Max count for zero-window probe | char | 0-256 | 5 | No |
| action | Action taken when probe count exceeds limit and still no >0 windows packet received | choice | pass, deny, block-period | deny | No |
| block-period | Number of seconds to block the connection action if you choose block-period as action | integer | 1-3600 | 60 | No |
| severity | Severity of the Log | choice | info, low, medium, high | high | No |
| log | Record log message | choice | enable, disable | disable | No |

Function description

| CLI Parameter | Description |
|---|---|
| probe-interval-time | Sets the probe interval for the TCP zero-window timer. After receiving a zero-window packet, FortiADC probes the peer periodically until it receives a >0 window or the probe count exceeds the max probe-count. |
| probe-count | Maximum number of consecutive zero-window probes. |
| action | Action taken after the max probe count is exceeded. Pass: FortiADC stops probing and passes all packets in both directions. Deny: deny the connection with an RST. Block-period: deny the connection and block any new connection from the peer for a period of time. |
| block-period | Blocks new connections from the peer for a period. During this period, any new connection is aborted. |
| severity | Log severity level. |
| log | Enable or disable logging. |

Example

    config security dos tcp-slowdata-attack-protection
      edit zero-window-limit
        set probe-interval-time 30
        set probe-count 5
        set action block-period
        set block-period 20
        set log enable
        set severity medium
      next
    end
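
The following Python model is an added illustration, not Fortinet code, of how the profile parameters interact for a single connection that has advertised a zero window. It assumes probe-interval-time is in seconds, that the first probe is sent one interval after the zero-window packet, and that the action fires once probe-count consecutive probes have been answered with a zero window; the names Profile, evaluate and new_connection_allowed are hypothetical.

```python
from dataclasses import dataclass

@dataclass
class Profile:
    probe_interval_time: int = 30  # page default; unit of seconds is assumed
    probe_count: int = 5           # page default
    action: str = "deny"           # pass | deny | block-period
    block_period: int = 60         # seconds, used only with block-period

def evaluate(profile, probe_replies):
    """Model one connection after its first zero-window packet (t = 0).

    probe_replies holds the window size the peer advertises in reply to
    each successive probe. Returns (verdict, seconds_elapsed, blocked_until).
    """
    zeros = 0
    t = 0
    for window in probe_replies:
        t += profile.probe_interval_time
        if window > 0:
            return ("recovered", t, None)   # peer reopened its window
        zeros += 1
        if zeros >= profile.probe_count:    # assumed threshold semantics
            if profile.action == "pass":
                return ("pass", t, None)    # probing stops, traffic flows
            if profile.action == "deny":
                return ("reset", t, None)   # connection denied with RST
            return ("reset+block", t, t + profile.block_period)
    return ("probing", t, None)             # limit not reached yet

def new_connection_allowed(blocked_until, now):
    """During the block period, new connections from the peer are aborted."""
    return blocked_until is None or now >= blocked_until

# Constructed input: the profile from the Example section above, a peer
# that never reopens its window, and a slow peer that eventually does.
example = Profile(30, 5, "block-period", 20)
stalled = [0] * 10
slow_but_alive = [0, 0, 0, 4096]

if __name__ == "__main__":
    print(evaluate(example, stalled))
    print(evaluate(example, slow_but_alive))
```

Under these assumptions a stalled connection can hold resources for probe-interval-time × probe-count seconds before the action fires, so both values need tuning together; with action pass the connection is never closed.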
