An administrator wants to throttle the total volume of SMTP sessions to their email server. Which of the following DoS sensors can be used to achieve this?
- Flooding: If the number of sessions targeting a single destination in one second is over a threshold, the destination is experiencing flooding.
- Scan: If the number of sessions from a single source in one second is over a threshold, the source is scanning.
- Source session limit: If the number of concurrent sessions from a single source is over a threshold, the source session limit is reached.
- Destination session limit: If the number of concurrent sessions to a single destination is over a threshold, the destination session limit is reached.
I think D
https://kb.fortinet.com/kb/viewContent.do?externalId=FD35259
"If you want to protect your own servers from DoS attacks from the Internet:
- Be sure to configure only your own servers as destination of the traffic. You have to use 'Address' objects, not VIPs.
- Set the services you provide in your server. This is HTTP, HTTPS, SMTP, etc.
- Configure only the anomalies which will match the services of your server(s). For example, if your server provides SMTP access only, use the following anomalies:
+ tcp_syn_flood, or
+ tcp_src_session, or
+ ip_src_session"
Be careful. Continue reading your shared link:
“If you use (in this case) tcp_dst_session or ip_dst_session, you would be limiting the number of concurrent sessions your server will handle (purpose of Denial of Service).”
If you use “ip_src_session” and, let's say, set the threshold to 100, “each source IP” will be allowed unless they pass 100.
The question asks to protect the volume of traffic to the server. So if we use “ip_dst_session” and set it to 100, the total volume of traffic will be allowed unless it passes the 100 threshold.
Perspective!
The answer is B
The correct answer is 100% A. If the admin wants to reduce all traffic, the answer is B or D. An SNMP packet is L4, so tcp_port_scan is correct.
check https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-firewall-52/Firewall%20Policies/IPv4%20DoS%20Policy.htm
https://help.fortinet.com/fos50hlp/52data/Content/FortiOS/fortigate-firewall-52/Security%20Policies/DoS%20Protection.htm
So, based on the second link "DoS Protection", the answer "B ip_dst_session" is the correct one!
It said:
ip_dst_session : If the number of concurrent IP connections to one destination IP address exceeds the configured threshold value, the action is executed
tcp_port_scan : If the SYN packet rate of new TCP connections, including retransmission, from one source IP address exceeds the configured threshold value, the action is executed.
For ip_dst_session: "...connections to one destination IP..."
For tcp_port_scan: "... from one source IP address..."
So ip_dst_session is more appropriate in this case of "throttle the total volume of SMTP sessions to their email server"!!
Samanosuke (Highly Voted), 5 years, 7 months ago
Cyril_the_Squirl (Most Recent), 4 years ago
wassimtrabelsi, 4 years, 5 months ago
Levis, 4 years, 10 months ago
Fr4nx, 4 years, 11 months ago
rjalburq, 5 years, 1 month ago
Addictioneer, 4 years, 9 months ago
montonearm, 5 years, 1 month ago
[Removed], 5 years, 5 months ago
naicoram, 5 years ago
ni, 5 years, 5 months ago
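The four sensor definitions from the question, applied to one constructed traffic sample so the per-source and per-destination counters discussed in the thread can be compared side by side. This is an added example, not part of the thread and not FortiOS code: it is a simplified model, the addresses are documentation-range placeholders, and the threshold of 100 is the figure used in the comments.

```python
from collections import Counter

# Constructed sample: (start_second, end_second, source_ip, destination_ip).
# 50 clients each open one SMTP session per second for 10 s and keep them open.
MAIL = "192.0.2.25"
SESSIONS = [(i, 60, f"198.51.100.{c}", MAIL)
            for c in range(1, 51) for i in range(10)]
SENSORS = ["flooding", "scan", "source_session_limit", "destination_session_limit"]


def peak_new_per_second(sessions, key):
    """Highest number of sessions started within one second, grouped by key."""
    per_bucket = Counter((key(s), s[0]) for s in sessions)
    peaks = Counter()
    for (k, _second), n in per_bucket.items():
        peaks[k] = max(peaks[k], n)
    return peaks


def peak_concurrent(sessions, key):
    """Highest number of simultaneously open sessions, grouped by key."""
    events = []
    for s in sessions:
        events.append((s[0], 1, key(s)))    # session opens
        events.append((s[1], -1, key(s)))   # session closes
    live, peaks = Counter(), Counter()
    # Closes sort before opens at the same second, so back-to-back
    # sessions are not counted as overlapping.
    for _t, delta, k in sorted(events, key=lambda e: (e[0], e[1])):
        live[k] += delta
        peaks[k] = max(peaks[k], live[k])
    return peaks


def evaluate(sessions, thresholds):
    """Map each sensor to the addresses whose peak is over its threshold."""
    src, dst = (lambda s: s[2]), (lambda s: s[3])
    measured = {
        "flooding": peak_new_per_second(sessions, dst),
        "scan": peak_new_per_second(sessions, src),
        "source_session_limit": peak_concurrent(sessions, src),
        "destination_session_limit": peak_concurrent(sessions, dst),
    }
    return {name: sorted(k for k, v in peaks.items() if v > thresholds[name])
            for name, peaks in measured.items()}


if __name__ == "__main__":
    print(evaluate(SESSIONS, dict.fromkeys(SENSORS, 100)))
```

In this sample no single client exceeds 10 concurrent sessions, while the mail server holds 500, so only the destination-keyed concurrent counter crosses 100.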