Access Security Guide K/KA/KB.15.15

Connection-rate filtering
Features and benefits
Connection-rate filtering is a countermeasure tool you can use in your incident-management program
to help detect and manage worm-type IT security threats received in inbound IP traffic. Major
benefits of this tool include:
• Behavior-based operation that does not require identifying details unique to the code exhibiting the worm-like operation.
• Handles unknown worms.
• Needs no signature updates.
• Protects network infrastructure by slowing or stopping IP traffic from hosts exhibiting high connection-rate behavior.
• Allows the network and individual switches to continue to operate, even when under attack.
• Provides Event Log and SNMP trap warnings when worm-like behavior is detected.
• Gives IT staff more time to react before the threat escalates to a crisis.
NOTE: When configured on a port, connection-rate filtering is triggered by IPv4 traffic received
inbound with a relatively high rate of IP connection attempts.
NOTE: As stated previously, connection-rate filtering is triggered by inbound IP traffic exhibiting
a relatively high incidence of IP connection attempts from a single source.
Figure 36 Example of protecting a network from agents using a high IP connection rate to propagate
General operation
Connection-rate filtering enables notification of worm-like behavior detected in inbound IP traffic
and, depending on how you configure the feature, also throttles or blocks such traffic. This feature
also provides a method for allowing legitimate, high connection-rate traffic from a given host while
still protecting your network from possibly malicious traffic from other hosts.
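The behavior described above (count new connection attempts per source host over a short window, raise a warning when the rate is suspicious, and throttle or block the host while still permitting a known high-rate host) can be illustrated with a small sliding-window monitor. This is an added example for readers, not the switch firmware's implementation or anything from the guide; the thresholds, the window length, the allow-list, and the sample hosts are all constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed thresholds (connection attempts per window). A real switch
# exposes a configured sensitivity level rather than raw numbers like these.
WINDOW_SECONDS = 1.0
NOTIFY_AT = 10
THROTTLE_AT = 25
BLOCK_AT = 50


class ConnectionRateMonitor:
    """Per-source sliding-window counter of new inbound IPv4 connection attempts."""

    def __init__(self, window=WINDOW_SECONDS, allow_list=()):
        self.window = window
        self.attempts = defaultdict(deque)  # src -> timestamps of attempts
        self.allow_list = set(allow_list)   # hosts permitted a high rate
        self.events = []                    # stand-in for Event Log / SNMP trap

    def _expire(self, q, now):
        # Drop attempts that have fallen out of the window.
        while q and now - q[0] > self.window:
            q.popleft()

    def observe(self, ts, src, dst, dport, syn):
        """Feed one inbound packet; only SYNs count as connection attempts."""
        q = self.attempts[src]
        if syn:
            q.append(ts)
        self._expire(q, ts)
        return len(q)

    def decide(self, src, now):
        """Map the current rate onto pass / notify / throttle / block."""
        if src in self.allow_list:
            return "allow"  # legitimate high-rate host, never penalized
        q = self.attempts[src]
        self._expire(q, now)
        n = len(q)
        if n >= BLOCK_AT:
            verdict = "block"
        elif n >= THROTTLE_AT:
            verdict = "throttle"
        elif n >= NOTIFY_AT:
            verdict = "notify"
        else:
            return "pass"
        self.events.append(f"{src}: {n} attempts in {self.window}s -> {verdict}")
        return verdict


def constructed_packets():
    """Synthetic traffic (constructed): a scanning host, a normal host,
    and an allow-listed server with a legitimately high rate."""
    pkts = []
    # 10.0.0.5 behaves like a worm: one SYN to each of 60 hosts within 0.6 s.
    for i in range(60):
        pkts.append((i * 0.01, "10.0.0.5", f"10.0.1.{i + 1}", 445, True))
    # 10.0.0.7 is normal: three SYNs to one server plus a data packet.
    for i in range(3):
        pkts.append((0.2 + i * 0.1, "10.0.0.7", "10.0.1.1", 80, True))
    pkts.append((0.4, "10.0.0.7", "10.0.1.1", 80, False))
    # 10.0.0.9 is an allow-listed backup server opening 40 sessions.
    for i in range(40):
        pkts.append((i * 0.01, "10.0.0.9", f"10.0.2.{i + 1}", 22, True))
    pkts.sort(key=lambda p: p[0])
    return pkts


def run_sample(now):
    """Replay the constructed traffic and return each host's verdict at `now`."""
    mon = ConnectionRateMonitor(allow_list={"10.0.0.9"})
    for pkt in constructed_packets():
        mon.observe(*pkt)
    return {src: mon.decide(src, now) for src in sorted(mon.attempts)}


if __name__ == "__main__":
    print(run_sample(0.7))   # scanner blocked, normal host passes, server allowed
    print(run_sample(2.0))   # window has slid past the burst: scanner passes again
```

Two points the example makes that the prose only implies: detection keys on behavior (rate of attempts from one source) with no knowledge of the scanning code, and the allow-list is what lets a legitimate high-rate host through while other hosts are still throttled or blocked.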
Filtering options
In the default configuration, connection-rate filtering is disabled. When enabled on a port,
connection-rate filtering monitors inbound IP traffic for a high rate of connection requests from any
given host on the port. If a host appears to exhibit the worm-like behavior of attempting to establish
Connection-rate filtering 65