FortiCarrier Message Flood

Message Flood

The convenience offered by MM1 and MM4 messaging can be abused by users sending spam or attempting to overload the network with an excess of messages. MMS flood prevention can help prevent this type of abuse. A message flood occurs when a single subscriber sends a volume of messages that exceeds the flood threshold that you set. The threshold defines the maximum number of messages allowed, the period during which the subscriber's sent messages are counted, and the length of time the sender is restricted from sending messages after a flood is detected. For example, for the first threshold you may decide that any subscriber who sends more than 100 MM1 messages in an hour (60 minutes) will have all outgoing messages blocked for 30 minutes.

Action                     Description
Log                        Add a log entry indicating that a message flood has occurred. You must also enable logging by going to Security Profiles > MMS Profile, <applicable profile> > Logging > MMS Scanning > Bulk Messages, and selecting the check box.
DLP Archive                Save the first message to exceed the flood threshold, or all the messages that exceed the flood threshold, in the DLP archive. DLP archiving flood messages may not always produce useful results: because different messages can be causing the flood, the archived messages may be completely unrelated to each other and give little indication of what is causing the problem.
  All messages             All the messages that exceed the flood threshold are saved in the DLP archive.
  First message only       Save only the first message to exceed the flood threshold in the DLP archive. Other messages in the flood are not saved. For message floods this may not produce much useful information, since a legitimate message could be the one that triggers the flood threshold.
Intercept                  Messages that exceed the flood threshold are passed to the recipients, but if quarantine is enabled for intercepted messages, a copy of each message is also quarantined for later examination. If quarantine of intercepted messages is disabled, the Intercept action has no effect.
Block                      Messages that exceed the flood threshold are blocked and are not delivered to the message recipients. If quarantine is enabled for blocked messages, a copy of each message is quarantined for later examination.
Alert Notification         If the flood threshold is exceeded, the Carrier-enabled FortiGate unit sends an MMS flood notification message.

In the web-based manager, selecting Alert Notification displays the fields for configuring the notification.

Flood

Flood protection for MM1 messages prevents your subscribers from sending too many messages to your MMSC. Configuring flood protection for MM4 messages prevents another service provider from sending too many messages from the same subscriber to your MMSC.

Message flood configuration settings

The following are message flood configuration settings in Security Profiles > Message Flood.

Message Flood                  Lists the large volumes of messages that are being sent to you from outside sources.
Delete                         Removes messages from the list. To remove multiple messages from within the list, on the Message Flood page, select the check box in each row of the messages you want removed and then select Delete. To remove all messages from the list, on the Message Flood page, select the check box in the check box column and then select Delete.
Remove All Entries             Removes all messages from the list.
Protocol                       Sorts/filters by the protocol used.
MMS Profile                    Sorts/filters by the MMS profile that is used.
Sender                         Sorts/filters by the sender's email address.
Level                          Sorts/filters by the level of severity of the message.
Count                          The count column can be sorted up or down, and sorting can be turned off, by selecting the sort icon beside the column's name.
Window Size (minutes)          The time in minutes.
Timer (minutes:seconds)        The time in minutes and seconds. The timer column can be sorted up or down, and sorting can be turned off, by selecting the sort icon beside the column's name.
Page Controls                  Use to navigate through the list.

Duplicate Message

Duplicate message protection for MM1 messages prevents multiple subscribers from sending duplicate messages to your MMSC. Duplicate message protection for MM4 messages prevents another service provider from sending duplicate messages from the same subscriber to your MMSC.

The unit keeps track of the sent messages. If the same message appears more often than the threshold value that you have configured, action is taken. Possible actions are logging the duplicate messages, blocking or intercepting them, archiving, and sending an alert to inform an administrator that duplicate messages are occurring.
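The flood threshold described in the Message Flood section (more than N messages from one sender inside a window, then a restriction period) and the duplicate-message threshold described just above (the same message body, identified by its checksum, seen more than N times inside a window) are the same rolling-window count with a different key. The example below is added here and is not FortiOS Carrier code; the limits, the restriction periods, the subscriber numbers and the message bodies are all constructed for the demo, and the dispose() helper only models the Intercept and Block semantics as the action table describes them.

```python
"""Windowed flood and duplicate-message detection, modelled on the thresholds
described above. Added example, not FortiOS Carrier code; the limits, the
restriction periods and all message data below are constructed for the demo."""
import hashlib
from collections import defaultdict, deque


class WindowedCounter:
    """Count events per key inside a rolling window.

    A key that exceeds `limit` events within `window_seconds` is flagged and
    stays restricted for `restrict_seconds` (the profile's "blocked for 30
    minutes" part). Keyed by sender this models a message flood; keyed by the
    message checksum it models duplicate-message detection.
    """

    def __init__(self, limit, window_seconds, restrict_seconds):
        self.limit = limit
        self.window = window_seconds
        self.restrict = restrict_seconds
        self.events = defaultdict(deque)   # key -> timestamps inside the window
        self.flagged_until = {}            # key -> time the restriction ends

    def observe(self, key, now):
        """Record one event for `key` at time `now` (seconds).

        Returns "allow", "flood" (this event crossed the threshold) or
        "restricted" (the key is still inside its restriction period).
        """
        until = self.flagged_until.get(key)
        if until is not None:
            if now < until:
                return "restricted"
            del self.flagged_until[key]    # restriction period has expired
        stamps = self.events[key]
        stamps.append(now)
        while stamps and stamps[0] <= now - self.window:
            stamps.popleft()               # forget events outside the window
        if len(stamps) > self.limit:       # "more than N messages in the window"
            self.flagged_until[key] = now + self.restrict
            stamps.clear()
            return "flood"
        return "allow"


def message_checksum(body):
    """Identify a message body by its digest, as the Checksum column does."""
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def dispose(verdict, action, quarantine):
    """Map a verdict to the page's Intercept/Block semantics.

    Returns (delivered, quarantined_copy). Messages under the threshold are
    always delivered; "block" drops the message, "intercept" delivers it, and
    either keeps a copy only when quarantine is enabled for that action.
    """
    if verdict == "allow":
        return (True, False)
    if action == "block":
        return (False, quarantine)
    if action == "intercept":
        return (True, quarantine)
    return (True, False)                   # "log" / "dlp archive": message still flows


def flood_demo():
    """Constructed scenario: one subscriber sends an MM1 message every 10 s.
    Profile: more than 100 messages per 60 minutes -> blocked for 30 minutes."""
    flood = WindowedCounter(limit=100, window_seconds=3600, restrict_seconds=1800)
    sender = "+15550000001"                # constructed subscriber number
    verdicts = [flood.observe(sender, t) for t in range(0, 1010, 10)]  # 101 messages
    during_block = flood.observe(sender, 1000 + 900)    # 15 min into the restriction
    after_block = flood.observe(sender, 1000 + 1800)    # restriction has ended
    return verdicts, during_block, after_block


def duplicate_demo():
    """Constructed scenario: the same body arrives from four different
    subscribers. Profile: more than 3 identical messages in 10 minutes."""
    dup = WindowedCounter(limit=3, window_seconds=600, restrict_seconds=300)
    body = "constructed sample body: same text sent by many subscribers"
    key = message_checksum(body)
    verdicts = [dup.observe(key, 30 * i) for i in range(4)]     # t = 0, 30, 60, 90
    unrelated = dup.observe(message_checksum("a different message"), 120)
    return verdicts, unrelated


if __name__ == "__main__":
    print(flood_demo())
    print(duplicate_demo())
```

In flood_demo() the first 100 messages are allowed, the 101st is the one that exceeds the threshold and starts the 30 minute restriction, a message 15 minutes later is restricted, and one sent exactly when the restriction ends is allowed again; in duplicate_demo() the fourth copy of the same body trips the duplicate threshold while a different body is unaffected, which is why the Checksum column, not the sender, is the useful pivot on the Duplicate Message page.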

Duplicate message configuration settings

View duplicate messages in Security Profiles > Duplicate Message.

Duplicate Message              Lists duplicates of messages that were sent to you.
Delete                         Removes a message from the list. To remove multiple duplicate messages from within the list, on the Message Flood page, select the check box in each row of the messages you want removed and then select Delete. To remove all duplicate messages from the list, on the Message Flood page, select the check box in the check box column and then select Delete.
Page Controls                  Use to navigate through the list.
Remove All Entries             Removes all duplicate messages from the list.
Protocol                       Sorts/filters by the protocol used.
MMS Profile                    Sorts/filters by the MMS profile that logs the detection.
Checksum                       Sorts/filters by the checksum of the MMS message.
Level                          Sorts/filters by the level of severity of the message.
Count                          Displays the number of messages in the last window of time.
Window Size (minutes)          The period of time during which a message flood will be detected if the Message Flood Limit is exceeded.
Timer (minutes:seconds)        Either the time left in the window if the message is unflagged, or the time until the message will be unflagged if it is already flagged.

Carrier Endpoint Filter Lists

A carrier endpoint filter list contains carrier endpoint patterns. A pattern can match one carrier endpoint or can use wildcards or regular expressions to match multiple carrier endpoints. For each pattern, you select the action that the unit takes on a message when the pattern matches a carrier endpoint in the message. Actions include blocking the message, exempting the message from MMS scanning, and exempting the message from all scanning. You can also configure the pattern to intercept the message and content archive the message to a FortiAnalyzer unit.


Carrier endpoint filter lists configuration settings

The following are Carrier endpoint filter list configuration settings in Security Profiles > Carrier Endpoint Filter Lists.

Carrier Endpoint Filter Lists  Lists all the endpoint filters that you created. On this page, you can edit, delete or create a new endpoint filter list.
Create New                     Creates a new endpoint filter list. When you select Create New, you are automatically redirected to the New List page. You must enter a name to go to the Carrier Endpoint Filter Lists Settings page.
Edit                           Modifies settings within an endpoint filter list in the list.
Delete                         Removes an endpoint filter in the list. To remove multiple endpoint filter lists from within the list, on the Carrier Endpoint Filter List page, select the check box in each of the rows of the endpoint filter lists you want removed and then select Delete. To remove all endpoint filter lists from the list, on the Carrier Endpoint Filter List page, select the check box in the check box column and then select Delete.
Name                           The name of the endpoint filter.
# Entries                      The number of carrier endpoint patterns in each carrier endpoint filter list.
MMS Profiles                   The MMS profile that the carrier endpoint filter list is added to.
Comments                       A description about the endpoint filter.
Ref.                           Displays the number of times the object is referenced by other objects. For example, if the av_1 profile is applied to a security policy, then on the Profile page (Security Profiles > Antivirus > Profiles), 1 appears in Ref.

To view the location of the referenced object, select the number in Ref.; the Object Usage window appears, displaying the various locations of the referenced object.

To view more information about how the object is being used, use one of the following icons available within the Object Usage window:

• View the list page for these objects – automatically redirects you to the list page where the object is referenced.

• Edit this object – modifies settings within the particular setting that references the object. For example, if the av_1 profile is referenced by a security policy, selecting this icon redirects you to the Edit Policy page.

• View the details for this object – a table, similar to the log viewer table, contains information about what settings are configured within the particular setting that references the object. For example, if the av_1 profile is referenced by a security policy, that security policy's settings appear within the table.

Carrier Endpoint Filter Lists Settings

Provides settings for configuring an endpoint filter.

Name                           The name you entered on the New List page, after selecting Create New on the Carrier Endpoint Filter page.
Comments                       A description about the endpoint filter. You can add one here if you did not enter one on the New List page.
Create New                     Creates a new endpoint filter list. When you select Create New, you are automatically redirected to the New Entry page.
Edit                           Select to modify the settings of a pattern in the list.
Delete                         Select to remove a pattern in the list.
Enable                         Enables a disabled pattern in the list.
Disable                        Disables a pattern in the list.
Remove All Entries             Removes all patterns in the list on the Carrier Endpoint Filter Lists Settings page.
Enable                         Indicates whether or not the pattern is enabled.
Pattern                        Enter or change the pattern that FortiOS Carrier uses to match with carrier endpoints. The pattern can be a single carrier endpoint or consist of wildcards or Perl regular expressions that will match more than one carrier endpoint. Set Pattern Type to correspond to the pattern that you want to use.
Action                         Select the action taken by FortiOS Carrier for messages from a carrier endpoint that matches the carrier endpoint pattern.
Pattern Type                   The type of pattern chosen.

New Entry page

Pattern                        Enter or change the pattern that FortiOS Carrier uses to match with carrier endpoints. The pattern can be a single carrier endpoint or consist of wildcards or Perl regular expressions that will match more than one carrier endpoint. Set Pattern Type to correspond to the pattern that you want to use.
Action(s)                      Select the action taken by FortiOS Carrier for messages from a carrier endpoint that matches the carrier endpoint pattern. Action(s) can be:

• None

• Block

• Exempt from mass MMS

• Exempt from all scanning

• Content Archive – MMS messages from the carrier endpoint are delivered, and the message content is DLP archived according to the MMS DLP archive settings. Content archiving is also called DLP archiving.

Pattern Type                   Select a pattern type as one of Single Carrier Endpoint, Wildcard or Regular Expression. Wildcard and Regular Expression will match multiple patterns, whereas Single Carrier Endpoint matches only one.
Enable                         Select to enable this carrier endpoint filter pattern.
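The three pattern types and the five actions above are easy to get wrong when a list grows (a wildcard that also swallows the endpoint you meant to block, a disabled entry that is still assumed to apply), so here is an added model of a carrier endpoint filter list, written for this page and not FortiOS Carrier code. Two assumptions are not stated on the page: entries are evaluated in list order and the first enabled match decides, and Python's re module stands in for the Perl regular expressions the product accepts. "Exempt from mass MMS" is read here as skipping the flood and duplicate (bulk) checks only; every endpoint number in the demo is constructed.

```python
"""A carrier endpoint filter list as described above: patterns of type
single, wildcard or regex, each with an action and an enabled flag.
Added example, not FortiOS Carrier code. Assumptions not stated on the page:
entries are evaluated in list order and the first enabled match decides;
Python's `re` stands in for the Perl regular expressions the product uses;
every endpoint value below is constructed."""
import re
from dataclasses import dataclass, field
from typing import NamedTuple

ACTIONS = {"none", "block", "exempt_mass_mms", "exempt_all_scanning", "content_archive"}


def _wildcard_to_regex(pattern):
    """Translate a wildcard pattern ('*' any run, '?' one character) to a regex;
    every other character is matched literally."""
    parts = []
    for ch in pattern:
        parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return "".join(parts)


@dataclass
class FilterEntry:
    pattern: str
    pattern_type: str        # "single", "wildcard" or "regex"
    action: str              # one of ACTIONS
    enabled: bool = True
    _regex: re.Pattern = field(init=False, repr=False)

    def __post_init__(self):
        if self.action not in ACTIONS:
            raise ValueError(f"unknown action {self.action!r}")
        if self.pattern_type == "single":
            self._regex = re.compile(re.escape(self.pattern))
        elif self.pattern_type == "wildcard":
            self._regex = re.compile(_wildcard_to_regex(self.pattern))
        elif self.pattern_type == "regex":
            self._regex = re.compile(self.pattern)   # re.error surfaces a bad pattern at config time
        else:
            raise ValueError(f"unknown pattern type {self.pattern_type!r}")

    def matches(self, endpoint):
        """Single and wildcard patterns must cover the whole endpoint; a regex
        matches anywhere, as an unanchored Perl match would."""
        if self.pattern_type == "regex":
            return self._regex.search(endpoint) is not None
        return self._regex.fullmatch(endpoint) is not None


class CarrierEndpointFilterList:
    def __init__(self, name, entries):
        self.name = name
        self.entries = list(entries)

    def action_for(self, endpoint):
        """Action of the first enabled entry whose pattern matches, else 'none'."""
        for entry in self.entries:
            if entry.enabled and entry.matches(endpoint):
                return entry.action
        return "none"


class Disposition(NamedTuple):
    deliver: bool
    mass_mms_scan: bool      # flood / duplicate (bulk) checks
    other_scan: bool         # the remaining MMS scanning
    dlp_archive: bool


def disposition(action):
    """What each action means for the message, following the descriptions above."""
    return {
        "none": Disposition(True, True, True, False),
        "block": Disposition(False, False, False, False),
        "exempt_mass_mms": Disposition(True, False, True, False),
        "exempt_all_scanning": Disposition(True, False, False, False),
        "content_archive": Disposition(True, True, True, True),
    }[action]


def demo_list():
    """A constructed list: one exact endpoint, one prefix wildcard, one regex
    on a country code, and a disabled catch-all that must be ignored."""
    return CarrierEndpointFilterList("constructed-list", [
        FilterEntry("+15550000001", "single", "block"),
        FilterEntry("+1555000*", "wildcard", "exempt_mass_mms"),
        FilterEntry(r"^\+44", "regex", "content_archive"),
        FilterEntry("*", "wildcard", "block", enabled=False),
    ])


if __name__ == "__main__":
    fl = demo_list()
    for ep in ("+15550000001", "+15550009999", "+447700900123", "+19990001111"):
        print(ep, fl.action_for(ep), disposition(fl.action_for(ep)))
```

The ordering matters in the demo: the exact "+15550000001" entry is placed before the "+1555000*" wildcard, so the single endpoint is blocked while the rest of that prefix is only exempted from the bulk checks; reversing the two entries would silently exempt the endpoint you intended to block, and the disabled "*" entry is skipped entirely, so an endpoint matching nothing falls through to "none" and is scanned normally.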

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
