Virus Throttling (Connection-Rate Filtering)
Overview of Connection-Rate Filtering
■ Notify only (of potential attack): While the apparent attack 
continues, the switch generates an Event Log notice identifying the 
offending host’s source IP address and (if a trap receiver is configured 
on the switch) a similar SNMP trap notice.
■ Throttle: In this case, the switch temporarily blocks inbound IP 
traffic from the offending host’s source IP address for a “penalty” 
period and generates an Event Log notice of this action and (if a trap 
receiver is configured on the switch) a similar SNMP trap notice. 
When the “penalty” period expires, the switch re-evaluates the traffic 
from the host and continues to block this traffic if the apparent attack 
continues. (During the re-evaluation period, IP traffic from the host 
is allowed.)
■ Block: This option blocks all IP traffic from the host. When a block 
occurs, the switch generates an Event Log notice and (if a trap 
receiver is configured on the switch) a similar SNMP trap notice. Note 
that a network administrator must explicitly re-enable a host that has 
been previously blocked.
Sensitivity to Connection Rate Detection
The switch includes a global sensitivity setting that adjusts how readily 
connection-rate filtering detects relatively high rates of connection 
attempts from a given source. 
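The following added example (not code from this guide or from the switch software) models the notify-only, throttle and block responses and the effect of a sensitivity threshold. The class and function names, the threshold, window and penalty values, and the choice to count connection attempts per time window are all assumptions made for illustration.

```python
from collections import defaultdict, deque

class ConnRateFilter:
    """Toy model of the notify-only, throttle and block responses.
    Threshold, window and penalty values are assumptions, not switch defaults."""

    def __init__(self, mode, max_attempts=5, window=1.0, penalty=10.0):
        self.mode = mode                    # "notify-only", "throttle" or "block"
        self.max_attempts, self.window, self.penalty = max_attempts, window, penalty
        self.recent = defaultdict(deque)    # src -> times of recent attempts
        self.penalty_until = {}             # src -> end of current penalty period
        self.blocked = set()                # hosts an administrator must re-enable
        self.events = []                    # stands in for Event Log / SNMP trap

    def attempt(self, t, src):
        """Return True if a connection attempt from src at time t is forwarded."""
        if src in self.blocked or t < self.penalty_until.get(src, 0.0):
            return False
        q = self.recent[src]
        q.append(t)
        while q[0] <= t - self.window:      # forget attempts outside the window
            q.popleft()
        if len(q) <= self.max_attempts:
            return True
        self.events.append((t, src, self.mode))
        q.clear()                           # re-evaluate the host from scratch
        if self.mode == "notify-only":
            return True
        if self.mode == "throttle":
            self.penalty_until[src] = t + self.penalty
        else:
            self.blocked.add(src)
        return False

    def unblock(self, src):
        """Administrator action: re-enable a blocked host."""
        self.blocked.discard(src)

def burst(f, src, start, count, step=0.05):
    """Constructed traffic: `count` attempts from src, one every `step` seconds."""
    return [f.attempt(start + i * step, src) for i in range(count)]

if __name__ == "__main__":
    for mode in ("notify-only", "throttle", "block"):
        f = ConnRateFilter(mode)
        first, later = burst(f, "10.0.0.9", 0, 10), burst(f, "10.0.0.9", 20, 10)
        print(mode, first.count(True), later.count(True), len(f.events))
```

Raising `max_attempts` in this model corresponds to lowering sensitivity: fewer legitimate bursts are flagged, and a fast-connecting host is detected later.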
Application Options
For the most part, normal network traffic is distinct from the traffic exhibited 
by malicious agents. However, when a legitimate network host generates 
multiple connections in a short period of time, connection-rate filtering may 
generate a “false positive” and treat the host as an infected client. Lowering 
the sensitivity or changing the filter mode may reduce the number of false 
positives. Conversely, relaxing filtering and sensitivity provisions lowers the 
switch’s ability to detect worm-generated traffic in the early stages of an 
attack, and should be carefully investigated and planned to ensure that a risky 
vulnerability is not created. As an alternative, you can use connection-rate 
ACLs (access control lists) or selective enabling to allow legitimate traffic.
Selective Enable. This option involves applying connection-rate filtering 
only to ports posing a significant risk of attack. For ports that are 
reasonably secure from attack, there may be little benefit in configuring 
them with connection-rate filtering.