FortiDDoS Overview

DDoS Attack Overview

Distributed Denial of Service (DDoS) attacks remain a top threat to IT security and have evolved in almost every way to do what they do best: shut down access to your vital online services. Unlike intrusion and malware attacks, DDoS attackers have learned that they don't need to attack only end-point servers to shut you down. They attack any IP address that routes to your network: unused IP addresses, inter-router-link public IP addresses, or firewall/proxy/WiFi gateway public IP addresses. Cloud-based CDN and DNS-based cloud mitigation cannot protect you from these attacks. What is the impact to your business if your users cannot reach cloud services because your firewall or demarc router public IP is being DDoSed? Your CDN-based web servers may be up but your business is down!

Sophisticated multi-vector and multi-layer DDoS attacks use direct and reflected packets whose spoofed, randomized source IP addresses are impossible to block with ACLs. These attacks are increasingly common as Mirai-style code has morphed into many variants and has been commercialized by providers of "stresser" sites. Anyone can call down large attacks for a few dollars. To combat these attacks, you need a solution that dynamically protects a large attack surface.

Different and Better Approach to DDoS Attack Mitigation

The FortiDDoS massively parallel machine-learning architecture delivers the most advanced and lowest-latency DDoS attack mitigation on the market today, without the performance compromises normally associated with CPU-based systems. FortiDDoS inspects 100% of both inbound and outbound Layer 3, 4, and 7 packets, down to the smallest packet sizes, resulting in the fastest and most accurate detection and mitigation in the industry. In place of pre-defined or subscription-based signatures to identify attack patterns, FortiDDoS uses autonomous machine learning to build an adaptive baseline of normal activity from hundreds of thousands of parameters and then monitors traffic patterns against those baselines. Should an attack begin, FortiDDoS sees the deviation and immediately takes action to mitigate it, often from the first packet.

DataSheet

Models: FortiDDoS 200F | FortiDDoS 1500F | FortiDDoS 1500E/1500E-DC | FortiDDoS 2000E/2000E-DC
Hardware Specifications
LAN Interfaces Copper GE with built-in bypass4
WAN Interfaces Copper GE with built-in bypass4
LAN Interfaces SFP GE2
WAN interfaces SFP GE2
LAN Interfaces SFP+ 10 GE / SFP GE288
WAN Interfaces SFP+ 10 GE / SFP GE288
LAN Interfaces LC (850 nm, 10 GE) with built-in bypass22
WAN Interfaces LC (850 nm, 10 GE) with built-in bypass22
LAN Interfaces QSFP 40 GE or QSFP28 100 GE22
WAN Interfaces QSFP 40 GE or QSFP28 100 GE22
Passive Optical Bypass 8 Ports (2 links) 1/10/40/100 GE 1310nm8 Ports (2 links) 1/10/40/100 GE 1310nm
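| | FortiDDoS 200F | FortiDDoS 1500F | FortiDDoS 1500E/1500E-DC | FortiDDoS 2000E/2000E-DC |
|---|---|---|---|---|
| Storage | 1x480 SSD | 1x480 SSD | 1x960 SSD | 1x960 SSD |
| Form Factor | 1U Appliance | 2U Appliance | 1U Appliance | 2U Appliance |
| Power Supply | Dual AC Hot-Swappable | Dual AC Hot-Swappable | Dual AC Hot-Swappable | Dual AC Hot-Swappable |
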
System Performance
| | FortiDDoS 200F | FortiDDoS 1500F | FortiDDoS 1500E/1500E-DC | FortiDDoS 2000E/2000E-DC |
|---|---|---|---|---|
| Maximum Inspected Throughput (Gbps) | 8 | 30 | 45 | 90 |
| Inspected Throughput (Enterprise Mix, Gbps) | 8 | 30 | 35 | 70 |
| Inspected Packet Throughput (Mpps) | 8.8 | 28 | 38 | 77 |
| Maximum Mitigation (Gbps/Mpps) | 8/8.8 | 30/28 | 280/420 | 280/420 |
| SYN Flood Mitigation (SYN In Cookie Out) (Mpps) | 5.7 | 16 | 27 | 55 |
| Simultaneous TCP Connections (M) | 4.2 | 16.7 | 12 | 25 |
| Simultaneous Sources (M) | 1 | 4 | 12 | 25 |
| Session Setup/Teardown (kcps) | 375 | 700 | >1500 | >3000 |
| Latency (µs) Maximum/Typical | <50 | <50 | <50/<10 | <50/<10 |
| DDoS Attack Mitigation Response Time | 1st packet to <2 seconds | 1st packet to <2 seconds | 1st packet to <2 seconds | 1st packet to <2 seconds |
| Advanced DNS/NTP Mitigation | DNS/NTP | DNS/NTP | DNS/NTP | DNS/NTP |
| DNS/NTP Queries per second (M) | 2/1 | 8/4 | 6/3 | 12/6 |
| DNS/NTP Response Validation under Flood (M Responses/s) | 2/1 | 8/4 | 6/3 | 12/6 |
| Open Hybrid Cloud Mitigation Support | Yes | Yes | Yes | Yes |
| Central Manager | No | No | Yes | Yes |
| FortiOS Security Fabric Dashboard Integration | No | No | Yes | Yes |
