Virus Throttling (5300xl Switches Only) 
General Operation of Connection-Rate Filtering
Connection-Rate filtering enables notification of worm-like behavior detected 
in inbound routed traffic and, depending on how you configure the feature, 
also throttles or blocks such traffic. This feature also provides a method for 
allowing legitimate, high connection-rate traffic from a given host while still 
protecting your network from possibly malicious traffic from other hosts. 
Filtering Options 
In the default configuration, connection-rate filtering is disabled. When 
enabled on a port, connection-rate filtering monitors inbound routed traffic 
for a high rate of connection requests from any given host on the port. If a host 
appears to exhibit the worm-like behavior of attempting to establish a large 
number of outbound IP connections (destination addresses, or DAs) in a short 
period of time, the switch responds in one of the following ways, depending 
on how connection-rate filtering is configured: 
■  Notify only of potential attack: While the apparent attack 
continues, the switch generates an Event Log notice identifying the 
offending host's source address (SA) and (if a trap receiver is 
configured on the switch) a similar SNMP trap notice. 
■  Notify and reduce spreading: In this case, the switch temporarily 
blocks inbound routed traffic from the offending host SA for a 
“penalty” period and generates an Event Log notice of this action and 
(if a trap receiver is configured on the switch) a similar SNMP trap 
notice. When the “penalty” period expires the switch re-evaluates the 
routed traffic from the host and continues to block this traffic if the 
apparent attack continues. (During the re-evaluation period, routed 
traffic from the host is allowed.) 
■  Block spreading: This option blocks routing of the host’s traffic on 
the switch. When a block occurs, the switch generates an Event Log 
notice and (if a trap receiver is configured on the switch) a similar 
SNMP trap notice. Note that system personnel must explicitly 
re-enable a host that has been previously blocked. 
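
The three responses listed above, modelled as an added Python example (not the switch's implementation and not code from this guide). The window, threshold and penalty values, the class and function names, and the traffic are constructed assumptions; the page does not state the switch's actual thresholds.

```python
from collections import defaultdict

# Assumed values for illustration only; the guide does not give the real ones.
WINDOW_S = 1.0      # observation window, seconds
MAX_NEW_DAS = 10    # distinct DAs per window treated as worm-like
PENALTY_S = 30.0    # "penalty" period used by the throttle response

class ConnRateFilter:
    """Hypothetical model of one port's connection-rate filter."""
    def __init__(self, mode):
        if mode not in ("notify-only", "throttle", "block"):
            raise ValueError(mode)
        self.mode = mode
        self.seen = defaultdict(list)  # SA -> [(time, DA)] inside the window
        self.penalty_until = {}        # SA -> time the penalty period expires
        self.blocked = set()           # SAs held until an operator re-enables
        self.events = []               # stand-in for Event Log / SNMP notices

    def packet(self, t, sa, da):
        """Return True if the routed packet is forwarded, False if dropped."""
        if sa in self.blocked or t < self.penalty_until.get(sa, 0.0):
            return False
        # Past this point the host is allowed and (re-)evaluated.
        recent = [(ts, d) for ts, d in self.seen[sa] if t - ts < WINDOW_S]
        recent.append((t, da))
        self.seen[sa] = recent
        if len({d for _, d in recent}) <= MAX_NEW_DAS:
            return True
        self.events.append((t, sa, self.mode))  # notice in every mode
        self.seen[sa] = []
        if self.mode == "throttle":
            self.penalty_until[sa] = t + PENALTY_S
        elif self.mode == "block":
            self.blocked.add(sa)
        return self.mode == "notify-only"  # only notify-only keeps forwarding

    def unblock(self, sa):
        """Explicit operator action required after a block."""
        self.blocked.discard(sa)

def scan(mode, sa="10.0.0.5", n=40):
    """Constructed traffic: one host contacting n distinct DAs, 10 ms apart."""
    f = ConnRateFilter(mode)
    forwarded = sum(f.packet(i * 0.01, sa, f"192.0.2.{i}") for i in range(n))
    return f, forwarded
```

With this constructed scan, notify-only forwards all 40 packets and logs repeatedly, throttle forwards 10 and then drops until the penalty expires, and block forwards 10 and drops until `unblock` is called.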