3 Virus Throttling (Connection-Rate Filtering)
Overview of Connection-Rate Filtering
The spread of malicious agents that exhibit worm behavior has severe 
implications for network performance. Damage can be as minimal as slowing 
down a network with excessive, unwanted traffic, or as serious as putting 
attacker-defined code on a system to cause any type of malicious damage 
that an authorized user could do. 
Current methods to stop the propagation of malicious agents rely on 
signature recognition to prevent hosts from being infected. However, the 
latency between the introduction of a new virus or worm into a network and 
the implementation and distribution of a signature-based patch can be 
significant. Within this period, a network can be crippled by the abnormally 
high rate of traffic generated by infected hosts.
Connection-rate filtering based on virus throttling technology is 
recommended for use on the edge of a network. It is primarily concerned with 
the class of worm-like malicious code that tries to replicate itself by using 
vulnerabilities on other hosts (that is, weaknesses in network applications 
behind unsecured ports). Agents of this variety operate by choosing a set of 
hosts to attack based on an address range (sequential or random) that is 
exhaustively searched, either by blindly attempting to make connections by 
rapidly sending datagrams to the address range, or by sending individual 
ICMP ping messages to the address range and listening for replies.
Connection-rate filtering exploits the network behavior of malicious code 
that tries to create a large number of outbound IP connections on an interface 
in a short time. When a host exhibits this behavior, warnings can be sent, and 
connection requests can be either throttled or dropped to minimize the 
barrage of subsequent traffic from the host. When enabled on the switch, 

Feature                                 Default    Page Ref
Global Configuration and Sensitivity    Disabled   3-10
Per-Port Configuration                  None       3-11
Listing and Unblocking Blocked Hosts    n/a        3-15
Viewing the Current Configuration       n/a        3-14
Configuring Connection-Rate ACLs        None       3-17
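
The behavior described in the overview (a host opening many outbound connections to new destinations in a short time, answered with a warning and then throttling or dropping) can be modeled as follows. This is an added example, not the switch's implementation: the class and function names, the sliding-window method, the thresholds and the sample traffic are all assumptions made for illustration.

```python
from collections import defaultdict, deque

# Assumed thresholds for illustration; the page gives no numeric values.
WINDOW_S = 1.0   # sliding window, seconds
WARN_AT = 5      # new destinations per window -> send a warning
DROP_AT = 10     # new destinations per window -> block the source

class ConnectionRateFilter:
    """Counts distinct destinations each source contacts per window."""

    def __init__(self, window=WINDOW_S, warn_at=WARN_AT, drop_at=DROP_AT):
        self.window, self.warn_at, self.drop_at = window, warn_at, drop_at
        self.recent = defaultdict(deque)  # src -> deque of (time, dst)
        self.blocked = set()              # sources currently blocked

    def observe(self, ts, src, dst):
        """Return 'forward', 'warn' or 'drop' for one connection request."""
        if src in self.blocked:
            return "drop"
        q = self.recent[src]
        while q and ts - q[0][0] > self.window:
            q.popleft()                   # age out contacts older than the window
        if all(d != dst for _, d in q):
            q.append((ts, dst))           # repeat contacts do not add to the count
        if len(q) >= self.drop_at:
            self.blocked.add(src)         # stays blocked until unblock() is called
            return "drop"
        return "warn" if len(q) >= self.warn_at else "forward"

    def unblock(self, src):
        """Operator action: clear the block and the source's history."""
        self.blocked.discard(src)
        self.recent.pop(src, None)

def classify(events, flt=None):
    """Run (time, src, dst) events through a filter; return the action list."""
    flt = flt or ConnectionRateFilter()
    return [flt.observe(ts, src, dst) for ts, src, dst in events]

# Constructed sample traffic (documentation address ranges).
# A client that keeps talking to the same two servers:
NORMAL = [(i * 0.05, "192.0.2.10", f"198.51.100.{1 + i % 2}") for i in range(20)]
# A host walking a sequential address range, one new destination every 50 ms:
SWEEP = [(i * 0.05, "192.0.2.66", f"198.51.100.{i + 1}") for i in range(12)]

if __name__ == "__main__":
    print("normal:", classify(NORMAL))
    print("sweep: ", classify(SWEEP))
```

The busy client is forwarded throughout because repeat contacts to known destinations do not raise its count, while the sweeping host is warned at its fifth new destination and blocked at its tenth.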