Virus Throttling (5300xl Switches Only) 
General Configuration Guidelines 
Note  On a given VLAN, to unblock the hosts that have been blocked by the 
connection-rate feature, use the vlan < vid > connection-rate filter unblock 
command. 
10.  Maintain a practice of carefully monitoring the Event Log or configured 
trap receivers for any sign of high connectivity-rate activity that could 
indicate an attack by malicious code. (Refer to “Connection-Rate Log and 
Trap Messages” on page 3-31.) 
For a network that appears to be under significant attack: 
The steps are similar to the general steps for a network that is relatively attack 
free. The major difference is in policies suggested for managing hosts 
exhibiting high connection rates. This allows better network performance for 
unaffected hosts and helps to identify hosts that may require updates or 
patches to eliminate malicious code. 
1.  Configure connection-rate filtering to throttle on all ports. 
2.  Set global sensitivity to medium. 
3.  Use clear arp to clear the ARP cache. 
4.  If SNMP trap receivers are available in your network, use the snmp-server 
command to configure the switch to send SNMP traps. 
5.  Monitor the Event Log or the available SNMP trap receivers (if configured 
on the switch) to identify hosts exhibiting high connection rates. 
6.  Check any hosts that exhibit relatively high connection rate behavior to 
determine whether malicious code or legitimate use is the cause of the 
behavior. 
7.  On hosts you identify as needing attention to remove malicious behavior: 
•  To immediately halt an attack from a specific host, group of hosts, or 
a subnet, use the per-port block mode on the appropriate port(s). 
•  After gaining control of the situation, you can use connection-rate 
ACLs to more selectively manage traffic to allow receipt of normal 
routed traffic from reliable hosts. 
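
The attack-response steps above, written out as a switch CLI session. This is an added example, not part of the original guide: the prompt name, the port ranges (a1-a24, b1-b4) and the suspect port (a7) are assumed values, and the command syntax is that of the switch CLI rather than text quoted on this page.

```text
; Constructed example. Lines starting with ";" are annotations, not commands.
; Assumed values: switch ports a1-a24 and b1-b4, suspect host on port a7.

; Step 1: throttle mode on every port (list all port ranges on the switch).
ProCurve(config)# filter connection-rate a1-a24,b1-b4 throttle

; Step 2: global sensitivity set to medium.
ProCurve(config)# connection-rate-filter sensitivity medium

; Step 3: clear the ARP cache.
ProCurve(config)# clear arp

; Step 4: configure trap receivers with the snmp-server command.
; Its arguments depend on the software release, so none are shown here.

; Steps 5 and 6: list the hosts the filter is currently acting on, then
; check each one to decide whether malicious code or legitimate use is
; the cause.
ProCurve(config)# show connection-rate-filter throttled-hosts
ProCurve(config)# show connection-rate-filter all-hosts

; Step 7, first bullet: halt traffic from the host on port a7 by moving
; that port from throttle to block mode.
ProCurve(config)# filter connection-rate a7 block

; Confirm the host now appears as blocked.
ProCurve(config)# show connection-rate-filter blocked-hosts
```

Port a7 stays in block mode until it is reconfigured, so return it to throttle mode once the host has been cleaned and unblocked as described in the Note above.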