Virus Throttling
Introduction
Introduction
Feature Default Menu CLI Web
Global Configuration and Sensitivity Disabled — 3-12 —
Per-Port Configuration None — 3-13 —
Listing and Unblocking Blocked Hosts n/a — 3-18 —
Viewing the Current Configuration n/a — 3-16 —
Configuring Connection-Rate ACLs None — 3-20 —
The spread of malicious agents in the form of worms exhibiting worm
behavior has severe implications for network performance. Damage can be as
minimal as slowing down a network with excessive, unwanted traffic, or as
serious as putting attacker-defined code on a system to cause any type of
malicious damage that an authorized user could do.
Current methods to stop the propagation of malicious agents rely on use of
signature recognition to prevent hosts from being infected. However, the
latency between the introduction of a new virus or worm into a network and
the implementation and distribution of a signature-based patch can be
significant. Within this period, a network can be crippled by the abnormally
high rate of traffic generated by infected hosts.
Connection-Rate filtering based on virus throttling technology is
recommended for use on the edge of a network. It is primarily concerned with
the class of worm-like malicious code that tries to replicate itself by using
vulnerabilities on other hosts (that is, weaknesses in network applications
behind unsecured ports). Agents of this variety operate by choosing a set of
hosts to attack based on an address range (sequential or random) that is
exhaustively searched, either by blindly attempting to make connections by
rapidly sending datagrams to the address range, or by sending ICMP ping
messages to the address range and listening for replies.
Connection-Rate filtering exploits the network behavior of malicious code
that tries to create a large number of outbound IP connections on a routed
interface in a in a short time. When a host exhibits this behavior, warnings can
be sent, and connection requests can be either throttled or dropped to
minimize the barrage of subsequent traffic from the host. When enabled on a
switch covered in this guide, connection-rate filtering based on virus-
throttling technology can help reduce the impact of worm-like malicious code
and give system administrators more time to isolate and eradicate the threat.
Thus, while traditional worm- and virus-signature updates will still need to be
3-3
To Next Page
Loading...
Need help?
General
