FortiOS Carrier and MMS duplicate messages and message floods

FortiOS Carrier detects duplicate messages and message floods for the MM1 and MM4 interfaces. How FortiOS Carrier detects and responds to duplicate messages and message floods is different from how FortiOS Carrier detects and responds to viruses and other MMS scanning protection measures.

FortiOS Carrier does not notify senders about message floods or duplicate messages. If the sender is an attacker, such notifications would give them useful information about the flood and duplicate thresholds. In addition, duplicate messages and message floods are usually the result of a large amount of messaging activity, and filtering these messages is designed to reduce the amount of unwanted messaging traffic. Sending notifications to senders and receivers could add to that traffic.

You can create up to three thresholds for detecting duplicate messages and message floods. For each threshold you can configure the FortiOS Carrier unit to respond by logging the activity, archiving or quarantining the messages, notifying administrators of the activity, and by blocking the messages. In many cases you may only want to configure blocking for higher activity thresholds, and to just monitor and send administrator notifications at lower activity thresholds.
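The following Python model is an added illustration, not FortiOS Carrier code or configuration. It shows how up to three escalating thresholds and a notification period interact, so that the lower tiers only monitor while the highest tier blocks. The class and function names, the sliding-window counting, the per-threshold notification timer, and all window, limit and period values are assumptions made for the example.

```python
from collections import defaultdict, deque

class FloodDetector:
    """Illustrative model only: per-sender sliding-window counter with up to
    three thresholds, each carrying its own set of actions."""

    def __init__(self, thresholds, notify_period):
        # thresholds: list of (window_seconds, limit, actions); constructed values
        if not 1 <= len(thresholds) <= 3:
            raise ValueError("configure between one and three thresholds")
        self.thresholds = thresholds
        self.notify_period = notify_period
        self.seen = defaultdict(deque)   # sender -> timestamps of recent messages
        self.last_notice = {}            # threshold index -> time of last admin notice
        self.admin_notices = []          # (time, threshold index, sender); admins only

    def observe(self, sender, now):
        """Record one message and return the set of actions that apply to it."""
        times = self.seen[sender]
        times.append(now)
        horizon = now - max(w for w, _, _ in self.thresholds)
        while times[0] <= horizon:       # drop entries older than the widest window
            times.popleft()
        actions = set()
        for idx, (window, limit, acts) in enumerate(self.thresholds):
            if sum(1 for t in times if t > now - window) >= limit:
                actions |= acts
                if "notify" in acts:
                    self._notify_admins(idx, sender, now)
        return actions

    def _notify_admins(self, idx, sender, now):
        # One notice per notification period per threshold (assumption), however
        # many messages trip it; nothing is ever sent back to the sender.
        last = self.last_notice.get(idx)
        if last is None or now - last >= self.notify_period:
            self.last_notice[idx] = now
            self.admin_notices.append((now, idx, sender))

def simulate():
    """Constructed traffic: one sender emits a message every second for 30 s."""
    detector = FloodDetector(
        thresholds=[(60, 5, {"log"}),
                    (60, 10, {"log", "notify"}),
                    (60, 20, {"log", "notify", "block"})],
        notify_period=300)
    results = [detector.observe("sender-a", t) for t in range(30)]
    blocked = sum(1 for r in results if "block" in r)
    logged = sum(1 for r in results if "log" in r)
    return blocked, logged, detector.admin_notices
```

In this run the sender trips all three tiers, yet administrators receive only two notices (one per notifying threshold) while eleven messages are blocked.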

When a block threshold is reached for MM1 messages, FortiOS Carrier sends m-send.conf or m-retrieve.conf messages to the originator of the activity. These messages are sent to end the MM1 sessions; otherwise the originator would continue to re-send the blocked message. When a block threshold is reached for MM4, FortiOS Carrier sends an MM4-forward.res message to close the MM4 session. The MM4-forward.res message is sent only if the originating MM4-forward.req message requested a response.

MM1 message flood and duplicate message blocking of sent messages

Participants: Sender, FortiOS Carrier, MMSC

1. Open TCP session
2. Open TCP session
3. m-send.req
4. Flood or duplicate blocked
5. Reset TCP session
6. m-send.conf replacement message
7. Close TCP session
8. Notification message to administrators (various protocols). Sent once per notification period, regardless of how many messages are blocked.

MM1 message flood and duplicate message blocking of received messages

Participants: MMSC, FortiOS Carrier, Receiver

1. GET request for message
2. GET request for message
3. m-retrieve.conf message
4. Flood or duplicate blocked
5. m-retrieve.conf replacement message
6. Notification message to administrators (various protocols). Sent once per notification period, regardless of how many messages are blocked.

MM4 message flood and duplicate message blocking

Participants: Forwarding Operator MMSC, FortiOS Carrier, Receiving Operator MMSC

1. Open TCP session
2. Open TCP session
3. Send full MM4-forward.req message
4. Send full MM4-forward.req message (without '.' on single line)
5. m-retrieve.conf message
6. Flood or duplicate blocked
7. Reset TCP session
8. Send 250 response
9. Close TCP session
10. Open new TCP session
11. Send MM4-forward.res message
12. Close TCP session
13. Notification message to administrators (various protocols). Sent once per notification period, regardless of how many messages are blocked.

Steps 10, 11, and 12 are only initiated if the MM4-forward.req message requested a response.


This entry was posted in FortiOS 5.4 Handbook.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
