Fortinet FortiDDoS 3000F
A Different and Better Approach to DDoS Attack Mitigation
Click here to jump to more pricing!
Overview:
Distributed Denial of Service (DDoS) attacks remain a top threat to network security and have evolved in almost every way to do what they do best: shut down access to your vital online services.
Unlike intrusion and malware attacks, DDoS attackers have learned that they don’t need to attack only end-point servers to shut you down. They attack any IP address that routes to your network: unused IP addresses, ISP link subnets, or Firewall/Proxy/WiFi Gateway public IP addresses.
CDN and DNS-based cloud mitigation cannot protect you from these attacks. What is the impact to your business if your users cannot reach cloud services because your firewall is DDoSed?
Sophisticated multi-vector and multi-layer DDoS attacks use direct and reflected packets where the spoofed, randomized source IP addresses are impossible to ACL. These attacks are increasingly common as Mirai-style code has morphed into many variants and has been commercialized by providers of “stresser” sites. Anyone can create large, anonymous attacks for a few dollars.
DDoS is not an everyday occurrence for security teams and they cannot be expected to understand the thousands of attack variants that target your network.
To combat these attacks, you need a solution that dynamically and automatically protects a large attack surface.
A Different and Better Approach to DDoS Attack Mitigation
FortiDDoS massively parallel machine-learning architecture delivers the fastest and most accurate DDoS attack mitigation available.
In place of pre-defined or subscription-based signatures to identify some attack patterns, FortiDDoS uses autonomous machine learning to build an adaptive baseline of normal activity from hundreds-of-thousands of parameters and then monitors traffic patterns against those baselines. Should an attack begin, FortiDDoS sees the deviation and immediately takes action to mitigate it, often from the first packet.
FortiDDoS monitors, responds, and reports on the mitigations it has performed, not attacks where your team or the vendor ERT/NoC must intervene.
Highlights:
- 100% packet inspection for Layer 3, 4, and 7 DDoS attack identification and mitigation, simultaneously monitoring hundreds of thousands of parameters — a massivelyparallel computing architecture
- 100% Machine Learning DDoS detection
- Completely invisible to attackers with no IP and no MAC addresses in the data path. FortiDDoS is not a routing or terminating Layer 3 device.
- Continuous threat evaluation to minimize false positive detections
- Advanced DNS and NTP DDoS mitigation plus advanced DTLS and QUIC mitigation on F-Series
- Hybrid On-premise/Cloud mitigation available with Open Attack Signaling
Features:
| 100% Machine Learning Detection | FortiDDoS doesn’t rely on signature files that need to be updated with the latest threats so you’re protected from both known and unknown “zero-day” attacks. No “threat-protection” subscriptions required. Saves OPEX. |
| Massively Parallel Architecture | Parallel architecture provides 100% packet inspection with bidirectional detection and mitigation of Layer 3, 4, and 7 DDoS attacks even at the smallest packets sizes. Get the performance you pay for. |
| Continuous Attack Evaluation | Minimizes the risk of “false positive” detection by reevaluating the attack to ensure that “good” traffic isn’t disrupted. Less management time needed. |
| Advanced DNS Protection | FortiDDoS provides 100% inspection of all DNS Query and Response traffic up to 12 million QPS, for protection from a broad range of DNS-based volumetric, application and anomaly attacks. DNS Reflection floods are stopped from the FIRST packet. |
| Advanced NTP Protection | FortiDDoS provides 100% inspection of all NTP Query and Response traffic up to 6 million QPS. NTP Reflection floods are stopped from the FIRST packet. |
| Advanced DTLS, QUIC, and Zoom™ Protection | FortiDDoS inspects DTLS, QUIC, and Zoom™ for anomalies, reflections, and over-threshold data rates |
| Continuous Learning | With continuous background learning and minimal configuration, FortiDDoS will automatically build normal traffic and resources behavior profiles saving you time and IT management resources. |
| Autonomous Mitigation | No operator intervention required for any type or size of attack. |
| Hybrid On-premise/Cloud Support | Open, documented API allows integration with third-party cloud DDoS mitigation providers for flexible deployment options and protection from large-scale DDoS attacks. |
| RESTful API | FortiDDoS can be integrated into almost any environment through its RESTful API. |
Highlights:
Powerful Parallel Architecture = Flexible, Autonomous Defenses
FortiDDoS protects you from known and “zero-day” attacks without creating local or downloading subscription signatures for mitigation. Other vendors try to conserve CPU real-time by inspecting a relatively small number of parameters at a low sample rate, unless and until an explicit signature is created. FortiDDoS’ massively parallel architecture samples 100% of even the smallest packets, for over 230,000 parameters for each Protection Profile. This method allows FortiDDoS to operate completely autonomously, finding some attacks on the FIRST packet and all attacks within two seconds — broader and faster mitigation than any other vendor or method. There is no need to adjust settings, read pcaps, or add regex-style manual signatures or ACLs in the middle of attacks. While attacks are being mitigated, FortiDDoS continues to monitor all other parameters to instantly react to added or changed vectors.
The Resurgence of Botnets
Easily-compromised IoT devices have allowed Botnet attacks to rise again and massive IoT growth assures us they are here to stay. While individual devices have little power, large groups can generate record traffic. Attackers want to hide the real source IP addresses of botted devices so UDP, SYN, TCP Out-of-State (FIN/ACK/RST), DNS and Protocol direct and reflected floods using spoofed source IP addresses are back in vogue. Attackers can launch an unprecedented variety of simultaneous attack vectors. Small-packet floods stress routers, firewalls, and many DDoS appliances, preventing full inspection with unexpected results. FortiDDoS’ 100% inspected small-packet rate is class-leading.
DNS-Based Attacks
Botnet-driven DNS attacks are popular because they can target any type of infrastructure or they can co-opt your DNS servers to attack others with reflected DDoS attacks. FortiDDoS is the only DDoS mitigation platform that inspects 100% of all DNS traffic in both directions, to protect against all types of DDoS attacks directed at, or from DNS servers. It validates over 30 different parameters on every DNS packet at up to 12 M Queries/second. Its built-in cache can offload the local server during floods. FortiDDoS’s innovative DQRM feature stops inbound Reflected DNS attacks from the very first packet. FortiDDoS also supports FortiGuard’s Domain Reputation Service for ISPs to protect clients from known malicious domains.
Security Fabric
FortiDDoS complements Fortinet’s full suite of Security Fabric products, each of which uses purpose-built hardware with dedicated engineering and support resources to provide best-in-class focused protection. FortiDDoS B-/E- Series display system performance and mitigation activities in real-time on a FortiOS Security Fabric Dashboard, providing a single-pane-of-glass view of DDoS threats and mitigations along with other Security Fabric products and partners.
Hybrid On-premise/Cloud DDoS Mitigation
While FortiDDoS can mitigate any DDoS attack to the limit of the incoming bandwidth, large attacks can saturate incoming links, forcing ISP routers to drop good traffic. FortiDDoS’s open and documented Attack Signaling API allows our Security Fabric partners to provide you a choice of best-in-class hybrid CPE/cloud DDoS mitigation when attacks threaten to congest upstream resources. FortiDDoS inspects incoming GRE clean traffic from cloud DDoS providers to ensure continuity of logging and reporting, and complete threat mitigation. FortiDDoS on-premise appliances can also provide your ISP with Flowspec scripts to support diversion and multiparameter blocking of attack traffic.
Always-On Inline vs. Out-of-Path Mitigation
Many hosting providers, MSSPs and ISPs are moving away from out-of-path detection, diversion and scrubbing as too limited and too slow for important infrastructure. Netflow-based detection and mitigation monitor a limited number of parameters for a few different attack types. FortiDDoS mitigates more than 150 attack events, many with “depth” (all 65,000 TCP and UDP ports are monitored and mitigated, for example). 100% packet inspection and leading packet performance ensure mitigation from single-packet anomalies to link-filling small-packet, fragmented UDP floods.
Studies are showing that 75% of DDoS attacks last less than 15 minutes. Customers are also seeing multi-vector attacks, attacks that sequentially change vectors and pulsed attacks that start and stop frequently. FortiDDoS begins mitigating in less than 2 seconds and its massively-parallel detection and mitigation ensures multivector, sequential and pulsed attacks are seen and stopped. All FortiDDoS models offer High Availability and select models offer Optical Bypass (to 100GE) to ensure network continuity in the event of system failures. When attacks threaten link bandwidth, Flowspec scripts can be generated to configure upstream router ACLs.
FortiDDoS also offers a wide range of static and dynamic ACLs to offload other infrastructure. For example, FortiDDoS supports BCP- 38 (select models) and FortiGuard Domain Reputation blocks IoT and end-user communications to botnet controllers and malicious domains. FortiDDoS ACLs operate at line-rate with no impact on performance even with millions of blocklisted IP addresses.
Selected FortiDDoS models offer multi-tenant real-time graphing and attack reporting for resale to customers.
Specifications:
| FortiDDOS 200F | FortiDDOS 2000F | FortiDDOS 3000F | |
|---|---|---|---|
| Hardware Specifications | |||
| LAN Interfaces Copper GE with built-in bypass | 4 | - | - |
| WAN Interfaces Copper GE with built-in bypass | 4 | - | - |
| LAN Interfaces SFP GE | 2 | - | - |
| WAN interfaces SFP GE | 2 | - | - |
| LAN interfaces LC (850 nm, GE) with built-in bypass | 2 | - | - |
| WAN interfaces LC (850 nm, GE) with built-in bypass/strong> | 2 | - | - |
| LAN Interfaces SFP+ 10 GE / SFP GE | - | 2 (10GE ONLY) | 2 (10GE ONLY) |
| WAN Interfaces SFP+ 10 GE / SFP GE | - | 2 (10GE ONLY) | 2 (10GE ONLY) |
| LAN Interfaces LC (850 nm, 10 GE) with built-in bypass | - | - | - |
| WAN Interfaces LC (850 nm, 10 GE) with built-in bypass | - | - | - |
| LAN Interfaces QSFP+ 40 GE or QSFP28 100 GE | - | 2 | 2 |
| WAN Interfaces QSFP+ 40 GE or QSFP28 100 GE | - | 2 | 2 |
| Passive Optical Bypass | - | 8 Ports (2 links) 10/40 GE LR/ER/ZR | 8 Ports (2 links) 10/40/100 GE 1310nm / 1550nm |
| Storage | 1x 480 GB SSD | 1x 960 GB SSD | 1x 1.92 TB SSD |
| Form Factor | 1U Appliance | 2U Appliance | 2U Appliance |
| Power Supply | Dual AC Hot-Swappable | Dual AC Hot-Swappable | Dual AC Hot-Swappable |
| System Performance | |||
| Maximum Inspected Throughput (Gbps) | 8 | 76 | 65 |
| Inspected Packet Throughput (Mpps) | 8.8 | 60 | 80 |
| Maximum Mitigation (Gbps/Mpps) | 8 / 8.8 | 76 / 60 | 65 / 60 |
| SYN Flood Mitigation (SYN In + Cookie Out) Mpps | 5.7 | 21 | 55 |
| Simultaneous TCP Connections (M) | 4.2 | 33 | 64 |
| Simultaneous Sources (M) | 1 | 8 | 16 |
| Session Setup/Teardown (kcps) | 375 | 920 | 2280 |
| Latency (µs) Maximum/Typical | <50 | <50 | <70 |
| DDoS Attack Mitigation Response Time | 1st packet to <2 seconds | 1st packet to <2 seconds | - |
| Advanced DNS/NTP Mitigation | DNS/NTP | DNS/NTP | DNS/NTP/DTLS/QUIC |
| DNS/NTP Queries per second (M) | 2 / 1 | 8 / 4 | 16 / 8 |
| DNS/NTP Response Validation under Flood (M Responses/s) | 2 / 1 | 8 / 4 | 16 / 8 |
| Open Hybrid Cloud Mitigation Support | Yes | Yes | Yes |
| Central Manager | No | No | No |
| Environment | |||
| Input Voltage AC | 100–240V AC, 50–60 Hz | 100–240V AC, 50–60 Hz | 100–240V AC, 50–60 Hz |
| Power Consumption (Average W / Maximum W) | 117 / 152 | 333 / 433 | 400 / 1460 |
| Maximum Current AC | 100V/1.5A, 240V/0.7A | 100V/4.4A, 240V/1.9A | 127V/11A, 240V/6.1A |
| Heat Dissipation (BTU/hr) / (kjoules/hr) | 519 / 574 | 1477 / 1558 | 4965 / 5238 |
| Operating Temperature | 32–104°F (0–40°C) | 32–104°F (0–40°C) | 32–104°F (0–40°C) |
| Storage Temperature | -4–158°F (-20–70°C) | -4–158°F (-20–70°C) | -4–167°F (-20–75°C) |
| Humidity | 5–90% non-condensing | 5–90% non-condensing | 5–90% non-condensing |
| Compliance | |||
| Safety Certifications | FCC Class A Part 15, UL/CB/cUL, RCM, VCCI, CE | FCC Class A Part 15, UL/CB/cUL, RCM, VCCI, CE | FCC Class A Part 15, UL/CB/cUL, RCM, VCCI, CE |
| Dimensions | |||
| Height x Width x Length (inches) | 1.77 x 17 x 21.7 | 2U - 3.5 x 17.24 x 22.83 | 2RU - 3.5x 17.24 x 22.83 |
| Height x Width x Length (mm) | 44 x 438 x 550 | 88.2 x 438 x 580 | 88 x 438 x 580 |
| Weight lbs (kg) | 21.2 lbs (9.6 kg) | 19.8 lbs (9.0 kg) | 75 lbs (34 kg) |
Documentation:
Download the FortiDDOS Series Datasheet (.PDF)
Pricing Notes:
- All prices displayed are Ex-VAT. 20% VAT is added during the checkout process.
- 24x7 FortiCare Contract
24x7 Support, Advanced Hardware Replacement (NBD), Firmware and General Upgrades - 24x7 FortiCare plus FortiGuard Bundle Contract
Advanced Hardware Replacement (NBD), Firmware and General Upgrades, 24X7 Support, FortiDB Security Service (DBS) - Prices are for one year of Premium RMA support. Usual discounts can be applied.
- Annual contracts only. No multi-year SKUs are available for these services.
- Contact Fortinet Renewals team for upgrade quotations for existing FortiCare contracts.
- Pricing and product availability subject to change without notice.