can I ban an IP that triggers a Dos sensor?

Author
RH
Silver Member
  • Total Posts : 101
  • Scores: 2
  • Reward points: 0
  • Joined: 2011/07/28 14:40:07
  • Location: Sacramento, CA
  • Status: offline
2013/04/10 15:50:49 (permalink)
0

can I ban an IP that triggers a Dos sensor?

We have created DoS sensors to protect against DoS attacks, but I see the same IP address will trip the threshold several times.

For example, the ICMP sweep sensor will block an IP, but then I see the same IP sweeping again and again. It gets blocked, but that does not keep it from happening again until it hits the threshold a second time.

Is there any way to ban an IP that sets off a DoS sensor? Or at least temporarily ban it?
#1

5 Replies Related Threads

    ede_pfau
    Expert Member
    • Total Posts : 6050
    • Scores: 480
    • Reward points: 0
    • Joined: 2004/03/09 01:20:18
    • Location: Heidelberg, Germany
    • Status: offline
    RE: can I ban an IP that triggers a Dos sensor? 2013/04/10 23:45:57 (permalink)
    5 (1)
    A DoS policy without ban or quarantine doesn't make sense to me.
    The way a DoS sensor is configured doesn't allow for this, sadly.

    One way to do it is to create a DoS policy (a.k.a. interface policy) which controls all of the traffic across one interface. Then insert an IPS sensor with a custom signature and the action 'quarantine'. You can choose either an interval of several minutes or 'forever'. The sensor should trigger when a certain traffic pattern exceeds a rate. From 4.3 on, there is a rate command for custom IPS signatures. You can find examples for this on the forums by searching for 'F-SBID', the lead-in for custom IPS signatures.

    Sounds a bit involved but combines a catch-all DoS policy with the quarantine action.

    Ede

    "Kernel panic: Aiee, killing interrupt handler!"
    #2
    RH
    Silver Member
    • Total Posts : 101
    • Scores: 2
    • Reward points: 0
    • Joined: 2011/07/28 14:40:07
    • Location: Sacramento, CA
    • Status: offline
    RE: can I ban an IP that triggers a Dos sensor? 2013/04/11 08:29:10 (permalink)
    0
    Thanks. I'll have to research the custom signature IPS.
    #3
    RH
    Silver Member
    • Total Posts : 101
    • Scores: 2
    • Reward points: 0
    • Joined: 2011/07/28 14:40:07
    • Location: Sacramento, CA
    • Status: offline
    RE: can I ban an IP that triggers a Dos sensor? 2013/09/20 12:51:42 (permalink)
    0
    Finally! Thanks for nothing, Fortinet.
    You can set block attacker in the command line. I don't know if this was available prior to 5.0.4 or not; I don't remember seeing anything in 4.x and I looked all over.

    Anyway, in 5.0.4 you can set quarantine like this:
    config firewall DoS-policy
        edit <integer - number of policy>
            config anomaly
                edit icmp_flood (or whatever anomaly you want to set)
                    set quarantine attacker (attacker, both, interface, or none)

    (Once you set quarantine you can set quarantine-log enable so you can see banned users in the GUI, and you can set quarantine-expiry; the default is 5 minutes.)

                    set quarantine-log enable
                    set quarantine-expiry 60

    #4
    TopJimmy
    Gold Member
    • Total Posts : 446
    • Scores: 8
    • Reward points: 0
    • Joined: 2008/09/26 09:18:59
    • Status: offline
    RE: can I ban an IP that triggers a Dos sensor? 2013/10/02 12:47:43 (permalink)
    0

        set quarantine-log enable
        set quarantine-expiry 60

    These settings are available in my 620b running 4.3.15.

    -TJ

    #5
    Jose Bavaresco
    New Member
    • Total Posts : 3
    • Scores: 0
    • Reward points: 0
    • Joined: 2019/08/08 08:13:49
    • Status: offline
    Re: can I ban an IP that triggers a Dos sensor? 2019/08/16 05:14:41 (permalink)
    0
    Hello RH,

    The explanation is in the DoS Policy section of the handbook, page 513.
    #config firewall {DoS-policy | DoS-policy6}
    #edit <policyid>
    #set quarantine {none | attacker}
    #set quarantine-expiry {string}
    #set quarantine-log {enable | disable}
    #end

    Cheers
    #6
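A complete DoS policy that ties together the quarantine settings quoted in posts #4 and #6, shown here as an added example; it is not configuration from the original thread or from Fortinet's handbook. The interface name "wan1" and the threshold values are assumptions to adjust for your environment; the `DoS-policy`, `config anomaly`, `quarantine`, `quarantine-expiry` and `quarantine-log` keywords are the ones quoted above, and the address, service, status, log, action and threshold keys are the standard 5.x DoS-policy options. The `diagnose user quarantine list` command at the end is also an assumption about the firmware release in use.

```fortios
# Added example: catch-all DoS policy on the WAN interface that quarantines
# the source of an ICMP sweep or flood instead of only dropping the excess
# packets. "wan1" and the thresholds are assumptions; adjust to your network.
config firewall DoS-policy
    edit 1
        set interface "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        config anomaly
            edit "icmp_flood"
                set status enable
                set log enable
                set action block
                set threshold 250
                # Ban the attacker, not just the excess session, so the same
                # source cannot trip the sensor again during the expiry window.
                set quarantine attacker
                # Post #4 shows 60 here; the handbook entry in post #6 lists the
                # value as a string, so check the accepted format on your release.
                set quarantine-expiry 60
                # Log the ban so quarantined sources show up in the GUI.
                set quarantine-log enable
            next
            edit "icmp_sweep"
                set status enable
                set log enable
                set action block
                set threshold 100
                set quarantine attacker
                set quarantine-expiry 60
                set quarantine-log enable
            next
        end
    next
end

# Assumed verification command: list the sources currently quarantined
# (output layout varies by firmware release).
diagnose user quarantine list
```

With `quarantine attacker` set, the offending source is held for the expiry period rather than re-entering the rate count immediately, which is the behaviour RH was missing in the original post; `quarantine-log enable` is what makes the ban visible in the GUI and in the anomaly logs, so keep it on when you are tuning thresholds.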