Thursday, August 13, 2009

Got DoS? ERP and Fortinet Anti-Virus Scanning Problems

I ran into a situation where a customer utilized an embedded Telnet/Web application to their ERP vendor. Using Cacti to monitor bandwidth, we noticed their connection was completely saturated. Everything pointed to INBOUND traffic. First impression was that we are getting hit by a Denial of Service attack. This went on for a couple of days. After working with Fortinet’s support, we determined the issue was our “Oversized File/Email Threshold (1 - 139 MB)” setting specifically in one of our Protection Profiles. It was set to 5MB; however, the default is 10MB. Apparently, the application during the 5MB scanning phase was not receiving a TCP ACK within an adequate amount of time, therefore, would resend the data, hence DoS. We lowered the “Oversized File/Email Threshold (1 - 139 MB)” to 2MB with immediate resolution. Although not malicious, this was a true DoS experience and seems to be more common than not especially with streaming services.

(Article by Joseph Finley)

1 comment:

Anonymous said...

You have the same behaviour with Adobe Downloader, we encountered this case many many times. Adobe downloader try to update adobe reader, file is scanned to slowly then adobe downloader restart a new download and so on. After a few minutes, bandwidth is completely saturated until you decrease oversize threshold.