
HP ProCurve 5406zl Access Security Guide

HP ProCurve 5406zl
390 pages
Virus Throttling
General Operation of Connection-Rate Filtering
Connection-Rate filtering enables notification of worm-like behavior detected
in inbound routed traffic and, depending on how you configure the feature,
also throttles or blocks such traffic. This feature also provides a method for
allowing legitimate, high connection-rate traffic from a given host while still
protecting your network from possibly malicious traffic from other hosts.
Filtering Options
In the default configuration, connection-rate filtering is disabled. When
enabled on a port, connection-rate filtering monitors inbound routed traffic
for a high rate of connection requests from any given host on the port. If a host
appears to exhibit the worm-like behavior of attempting to establish a large
number of outbound IP connections (destination addresses, or DAs) in a short
period of time, the switch responds in one of the following ways, depending
on how connection-rate filtering is configured:
- Notify only of potential attack: While the apparent attack
  continues, the switch generates an Event Log notice identifying the
  offending host SA and (if a trap receiver is configured on the switch)
  a similar SNMP trap notice.
- Notify and reduce spreading: In this case, the switch temporarily
  blocks inbound routed traffic from the offending host SA for a
  “penalty” period and generates an Event Log notice of this action and
  (if a trap receiver is configured on the switch) a similar SNMP trap
  notice. When the “penalty” period expires, the switch re-evaluates the
  routed traffic from the host and continues to block this traffic if the
  apparent attack continues. (During the re-evaluation period, routed
  traffic from the host is allowed.)
- Block spreading: This option blocks routing of the host’s traffic on
  the switch. When a block occurs, the switch generates an Event Log
  notice and (if a trap receiver is configured on the switch) a similar
  SNMP trap notice. Note that system personnel must explicitly
  re-enable a host that has been previously blocked.
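
The three responses described above, modeled as an added example that is not code from the HP manual or the switch firmware. The threshold, window and penalty values, the mode labels and every name in it are assumptions chosen for illustration; this page does not state the switch's actual values.

```python
from collections import defaultdict, deque

class ConnectionRateFilter:
    """Toy model of the three per-port responses (hypothetical names)."""

    def __init__(self, mode, max_new_das=5, window=1.0, penalty=30.0):
        # Constructed values: the real thresholds are not given on this page.
        assert mode in ("notify-only", "throttle", "block")
        self.mode, self.max_new_das = mode, max_new_das
        self.window, self.penalty = window, penalty
        self.recent = defaultdict(deque)  # SA -> deque of (time, DA)
        self.penalty_until = {}           # SA -> time the penalty period ends
        self.blocked = set()              # SAs blocked until an operator acts
        self.events = []                  # stand-in for Event Log / SNMP trap

    def packet(self, now, sa, da):
        """Return True if the routed packet is forwarded, False if dropped."""
        if sa in self.blocked:
            return False                  # no timer ever lifts a block
        if now < self.penalty_until.get(sa, 0.0):
            return False                  # still inside the penalty period
        q = self.recent[sa]
        q.append((now, da))
        while q and now - q[0][0] > self.window:
            q.popleft()                   # forget DAs older than the window
        if len({d for _, d in q}) <= self.max_new_das:
            return True
        self.events.append((now, sa, self.mode))
        if self.mode == "notify-only":
            return True                   # log only, traffic keeps flowing
        q.clear()                         # re-evaluation starts from scratch
        if self.mode == "throttle":
            self.penalty_until[sa] = now + self.penalty
        else:
            self.blocked.add(sa)
        return False

    def unblock(self, sa):
        """Operator action: explicitly re-enable a previously blocked host."""
        self.blocked.discard(sa)

def scan(f, sa, start, count, step=0.01):
    """Constructed traffic: one host contacting `count` distinct DAs."""
    return [f.packet(start + i * step, sa, f"10.0.1.{i}") for i in range(count)]
```

In the throttle mode the host is forwarded again once the penalty expires and is penalized a second time only if the high rate resumes; in the block mode nothing but `unblock()` restores it.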

HP ProCurve 5406zl Specifications

General
Product Name: HP ProCurve 5406zl
Category: Switch
Layer: Layer 3
Operating Temperature: 32°F to 131°F (0°C to 55°C)
Operating Humidity: 15% to 95% non-condensing
Management: SNMP, CLI
Power Supply: Redundant power supplies (optional)
Memory: 128 MB flash, 512 MB SDRAM