HP ProCurve 3500-24 - Virus Throttle Response Options and Sensitivity Adjustment; Connection-Rate Access Control Lists (ACLs)
On the HP ProCurve Switch 8200zl, 5400zl, 3500, and 6200yl series, Virus Throttle is implemented through
connection-rate filtering. When connection-rate filtering is enabled on a port, the inbound routed traffic is
monitored for a high rate of connection requests from any given host on the port. If a host appears to exhibit
the worm-like behavior of attempting to establish a large number of outbound IP connections in a short period
of time, the switch responds on the basis of how connection-rate filtering is configured.
Response options
The response behavior of connection-rate filtering can be adjusted by using filtering options. When a worm-like
behavior is detected, the connection-rate filter can respond to the threats on the port in the following ways:
•Notify only of potential attack: While the apparent attack continues, the switch generates an Event Log notice
identifying the offending host source address (SA) and (if a trap receiver is configured on the switch) a similar
SNMP trap notice.
•Notify and reduce spreading: In this case, the switch temporarily blocks inbound routed traffic from the
offending host source address for a “penalty” period and generates an Event Log notice of this action and
a similar SNMP trap notice if a trap receiver is configured on the switch. When the penalty period expires,
the switch re-evaluates the routed traffic from the host and continues to block this traffic if the apparent attack
continues. During the re-evaluation period, routed traffic from the host is allowed.
•Block spreading: This option blocks routing of the host's traffic on the switch. When a block occurs, the switch
generates an Event Log notice and a similar SNMP trap notice if a trap receiver is configured on the switch.
Note that system personnel must explicitly re-enable a host that has been previously blocked.
Sensitivity
The ability of connection-rate filtering to detect relatively high instances of connection-rate attempts from a given
source can be adjusted by changing the global sensitivity settings. The sensitivity can be set to low, medium,
high, or aggressive as described here:
•Low: sets the connection-rate sensitivity to the lowest possible sensitivity, which allows a mean of 54 routed
destinations in less than 0.1 seconds, and a corresponding penalty time for Throttle mode (if configured) of
less than 30 seconds
•Medium: sets the connection-rate sensitivity to allow a mean of 37 routed destinations in less than 1 second,
and a corresponding penalty time for Throttle mode (if configured) between 30 and 60 seconds
•High: sets the connection-rate sensitivity to allow a mean of 22 routed destinations in less than 1 second, and
a corresponding penalty time for Throttle mode (if configured) between 60 and 90 seconds
•Aggressive: sets the connection-rate sensitivity to the highest possible level, which allows a mean of 15
routed destinations in less than 1 second, and a corresponding penalty time for Throttle mode (if configured)
between 90 and 120 seconds
Connection-rate ACL
Connection-rate ACLs are used to exclude legitimate high-rate inbound traffic from the connection-rate filtering
policy. A connection-rate ACL, consisting of a series of access control entries, creates exceptions to these
per-port policies by creating special rules for individual hosts, groups of hosts, or entire subnets. Thus, the
system administrator can adjust a connection-rate filtering policy to create and apply an exception to configured
filters on the ports in a VLAN.
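The following Python model is an added example, not HP's firmware or any ProCurve CLI, that ties together the three sections above: it counts distinct routed destinations per source over a sliding window using the sensitivity figures given in the manual, applies the notify-only, throttle (penalty then re-evaluate) and block (until manual re-enable) responses, and honours a connection-rate ACL exception list. The traffic replayed by `run_scan`, the source and destination addresses, the class and function names, and the single penalty value chosen from each range in the manual are all constructed for this illustration.

```python
"""Illustrative model of connection-rate filtering behaviour (not HP's implementation)."""
import ipaddress
from collections import defaultdict, deque

# Sensitivity levels as described in the manual: (mean distinct routed
# destinations allowed, observation window in seconds, penalty seconds).
# The manual gives penalty ranges; using the top of each range is an
# assumption of this model.
SENSITIVITY = {
    "low": (54, 0.1, 30),
    "medium": (37, 1.0, 60),
    "high": (22, 1.0, 90),
    "aggressive": (15, 1.0, 120),
}
MODES = ("notify", "throttle", "block")


class ConnectionRateFilter:
    """Tracks distinct routed destinations per source host over a sliding window."""

    def __init__(self, mode, sensitivity, acl_exceptions=()):
        assert mode in MODES
        self.mode = mode
        self.limit, self.window, self.penalty = SENSITIVITY[sensitivity]
        # Connection-rate ACL: hosts or subnets exempt from the policy.
        self.exceptions = [ipaddress.ip_network(n) for n in acl_exceptions]
        self.history = defaultdict(deque)  # src -> deque of (time, dst)
        self.blocked_until = {}            # src -> expiry time (inf = admin must re-enable)
        self.last_notified = {}            # src -> time of last Event Log notice
        self.events = []                   # (time, src, mode) Event Log entries

    def _exempt(self, src):
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in self.exceptions)

    def _distinct_in_window(self, src, now, dst):
        q = self.history[src]
        q.append((now, dst))
        while q and now - q[0][0] > self.window:
            q.popleft()
        return len({d for _, d in q})

    def _notify(self, now, src):
        # One Event Log notice per source per window while the attack continues.
        last = self.last_notified.get(src)
        if last is None or now - last > self.window:
            self.last_notified[src] = now
            self.events.append((now, src, self.mode))

    def handle(self, now, src, dst):
        """Decide 'forward' or 'drop' for one inbound routed connection request."""
        if self._exempt(src):
            return "forward"
        until = self.blocked_until.get(src)
        if until is not None:
            if now < until:
                return "drop"
            # Penalty expired: traffic is allowed again while the host is re-evaluated.
            del self.blocked_until[src]
            self.history[src].clear()
        if self._distinct_in_window(src, now, dst) > self.limit:
            self._notify(now, src)
            if self.mode == "throttle":
                self.blocked_until[src] = now + self.penalty
                return "drop"
            if self.mode == "block":
                self.blocked_until[src] = float("inf")
                return "drop"
        return "forward"

    def reenable(self, src):
        """Manual re-enable of a host that 'block' mode shut off."""
        self.blocked_until.pop(src, None)
        self.history[src].clear()
        self.last_notified.pop(src, None)


def run_scan(mode, sensitivity, acl_exceptions=()):
    """Replay constructed worm-like traffic: one source reaching 25 distinct
    destinations in 0.25 s, one more shortly after, then one long after."""
    f = ConnectionRateFilter(mode, sensitivity, acl_exceptions)
    src = "10.0.0.5"  # constructed offending host
    decisions = [f.handle(i * 0.01, src, f"192.0.2.{i}") for i in range(25)]
    decisions.append(f.handle(0.5, src, "192.0.2.100"))
    decisions.append(f.handle(200.0, src, "192.0.2.101"))
    return f, decisions


if __name__ == "__main__":
    for mode in MODES:
        f, d = run_scan(mode, "high")
        print(mode, "forwarded:", d.count("forward"),
              "dropped:", d.count("drop"), "events:", len(f.events))
```

At the `high` level the 23rd distinct destination inside one second crosses the limit of 22: notify-only mode forwards everything and logs once, throttle mode drops the host's traffic until the penalty expires and then forwards again on re-evaluation, and block mode keeps dropping until `reenable` is called. Adding the source's subnet to the ACL exception list bypasses the policy entirely.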