Has anyone had experience blocking a DoS attack and tracing back the source IP?
It seems our PC is infected by some kind of malware. The FortiGate traffic history widget shows us a traffic burst coming from our LAN to WAN1 and WAN2. The traffic bursts to 10Gbps for a short time, randomly. (Please see the screenshot attached.)
I'm trying to block this traffic using the FortiGate.
I'm aware of the FortiGate AppControl, AV, and DoS capabilities.
AppControl => I'm blocking the Bot and Proxy categories.
AV => I'm blocking connections to botnet and C&C servers.
DoS => I'm blocking UDP and TCP floods. Both thresholds are 500.
With all these settings, the problem still occurs.
I'm not sure what kind of malware has infected my network.
I would really appreciate it if someone would share their experience and help me out with this issue.
Yes, unfortunately I have a lot of DDoS handling experience. I would first recommend using something like PRTG or Scrutinizer set up for sFlow from the Fortinet firewall. Set up sFlow on the interface closest to what you want to track: for the source, you would set up sFlow on the wanX interface (if the traffic is truly sourced by someone on the internet) or on the portX interface if you think you have malware in the local network that may be initiating this problem. In the second case it's not really a DoS attack; it is just botnet attempts and standard noisy malware!

I would recommend getting this set up; then, for example, with PRTG you can see the top talkers in 15-minute segments, as well as the top destinations and top connections. This will give you the true sources of your network pain! I have this set up in multiple data centers, and not only on the Fortinet firewalls but anywhere there is an aggregate connection, like the distribution layer on most networks or the edge network connection where it comes into the core. Most modern routers and switches support either NetFlow or sFlow. In some cases you can just use a packet capture sensor as well, but it's much more load on the server calculating the traffic into a graph.

Once the source of the issue is found, you can either null route that source IP on your routing gear or on the firewall. I typically do this outside the firewall so it doesn't even get to the firewall. You can also call your ISP, and sometimes they can block that IP for you. I have even done some BGP routing with tunnels to redirect the traffic if you know the destination that they are trying to DoS and if it's one that you can live without, as you can usually also black-hole the destination if you have that agreement with your ISP.
Hope this info helps,
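The procedure in the answer above (collect sampled flows from the interface nearest the suspect host, rank top talkers per 15-minute window, then cut off the offender) as an added, stand-alone example; it is not code from the poster, from PRTG/Scrutinizer or from Fortinet. The flow records are constructed to look like a collector's CSV export, 192.168.1.77 is a made-up infected host, and the FortiGate interface names port1, wan1 and wan2 are assumptions. One caveat the block encodes: a static blackhole route on a FortiGate matches the destination address, so it fits the inbound case the answer describes (an internet source hitting a destination you can sacrifice); for a noisy LAN host the outbound block is a deny policy on the source address, which is what the last function emits.

```python
"""Top-talker analysis over sampled flow records, plus the FortiGate CLI that
would quarantine the LAN host found. Example code, not from the forum post."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the shape a collector exports sFlow records:
# timestamp, source IP, destination IP, destination port, bytes in the
# sampled packet(s). 192.168.1.77 is the (made-up) noisy host.
SAMPLE_FLOWS = """\
2024-05-01T10:00:05,192.168.1.20,93.184.216.34,443,1200
2024-05-01T10:02:11,192.168.1.77,198.51.100.9,80,900000
2024-05-01T10:02:12,192.168.1.77,198.51.100.9,80,900000
2024-05-01T10:03:40,192.168.1.31,93.184.216.34,443,4000
2024-05-01T10:04:02,192.168.1.77,203.0.113.5,53,700000
2024-05-01T10:09:59,192.168.1.77,198.51.100.9,80,800000
2024-05-01T10:14:59,192.168.1.20,93.184.216.34,443,2500
2024-05-01T10:16:30,192.168.1.31,203.0.113.5,443,3000
2024-05-01T10:20:00,192.168.1.77,198.51.100.9,80,5000
2024-05-01T10:25:10,192.168.1.20,93.184.216.34,443,1000
"""


def parse_flows(text):
    """Parse CSV lines into dicts; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split(",")
        flows.append({"ts": datetime.fromisoformat(ts), "src": src,
                      "dst": dst, "port": int(port), "bytes": int(nbytes)})
    return flows


def window_start(ts, minutes):
    """Floor a timestamp to the start of its N-minute window."""
    floored = ts.replace(second=0, microsecond=0)
    return floored - timedelta(minutes=floored.minute % minutes)


def top_talkers(flows, key="src", minutes=15, sample_rate=1):
    """Bytes per IP per window, scaled by the sFlow sample rate (one sampled
    packet stands in for roughly sample_rate packets), sorted descending."""
    totals = defaultdict(lambda: defaultdict(int))
    for f in flows:
        totals[window_start(f["ts"], minutes)][f[key]] += f["bytes"] * sample_rate
    return {w: sorted(v.items(), key=lambda kv: kv[1], reverse=True)
            for w, v in totals.items()}


def burst_sources(flows, threshold_bytes, minutes=15, sample_rate=1):
    """Source IPs that exceed the byte threshold in any single window."""
    hits = set()
    for ranked in top_talkers(flows, "src", minutes, sample_rate).values():
        hits.update(ip for ip, b in ranked if b > threshold_bytes)
    return sorted(hits)


def deny_policy_cli(ip, lan_if="port1", wan_ifs=("wan1", "wan2")):
    """FortiGate CLI blocking one internal host outbound (interface names are
    assumptions). `edit 0` appends the policy at the bottom of the table, so
    it must be moved above the permit policy afterwards (`move N before M`)
    or it will never match."""
    name = f"quarantine-{ip}"
    wan = " ".join(f'"{w}"' for w in wan_ifs)
    return "\n".join([
        "config firewall address",
        f'    edit "{name}"',
        f"        set subnet {ip} 255.255.255.255",
        "    next",
        "end",
        "config firewall policy",
        "    edit 0",
        f'        set name "block-{ip}"',
        f'        set srcintf "{lan_if}"',
        f"        set dstintf {wan}",
        f'        set srcaddr "{name}"',
        '        set dstaddr "all"',
        '        set schedule "always"',
        '        set service "ALL"',
        "        set action deny",
        "        set logtraffic all",
        "    next",
        "end",
    ])


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for w, ranked in sorted(top_talkers(flows, sample_rate=2000).items()):
        print(w.isoformat(), "top sources:", ranked[:3])
    for ip in burst_sources(flows, threshold_bytes=1_000_000):
        print(deny_policy_cli(ip))
```

Run against a real export, set sample_rate to the rate configured on the FortiGate interface so the byte counts approximate the wire, and compare the per-window ranking with the burst times in the traffic history widget; the host that tops the 15-minute window of each burst is the one to quarantine, and the same ranking keyed on "dst" gives the C&C or victim addresses to hand to the ISP.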
Thank you for your suggestion. I really appreciate it.
This is a good article.