Access Security Guide K/KA/KB.15.15

a large number of outbound IP connections in a short period of time, the switch responds in one
of the following ways, depending on how connection-rate filtering is configured:
Notify only (of potential attack): While the apparent attack continues, the switch generates
an Event Log notice identifying the offending host's source IP address and (if a trap receiver
is configured on the switch) a similar SNMP trap notice.

Throttle: In this case, the switch temporarily blocks inbound IP traffic from the offending host
source IP address for a "penalty" period and generates an Event Log notice of this action and
(if a trap receiver is configured on the switch) a similar SNMP trap notice. When the "penalty"
period expires, the switch re-evaluates the traffic from the host and continues to block this traffic
if the apparent attack continues. (During the re-evaluation period, IP traffic from the host is
allowed.)

Block: This option blocks all IP traffic from the host. When a block occurs, the switch generates
an Event Log notice and (if a trap receiver is configured on the switch) a similar SNMP trap
notice. Note that a network administrator must explicitly re-enable a host that has been
previously blocked.
Sensitivity to connection rate detection
The switch includes a global sensitivity setting that enables adjusting the ability of connection-rate
filtering to detect relatively high instances of connection-rate attempts from a given source.
Application options
For the most part, normal network traffic is distinct from the traffic exhibited by malicious agents.
However, when a legitimate network host generates multiple connections in a short period of time,
connection-rate filtering can generate a "false positive" and treat the host as an infected client.
Lowering the sensitivity or changing the filter mode can reduce the number of false positives.
Conversely, relaxing filtering and sensitivity provisions lowers the switch's ability to detect
worm-generated traffic in the early stages of an attack, so such changes should be carefully investigated and
planned to ensure that a risky vulnerability is not created. As an alternative, you can use
connection-rate ACLs (access control lists) or selective enabling to allow legitimate traffic.
Selective enable
This option involves applying connection-rate filtering only to ports posing a significant risk of
attack. For ports that are reasonably secure from attack, there is little benefit in configuring
them with connection-rate filtering.
Connection-rate Access Control Lists (ACLs)
The basic connection-rate filtering policy is configured per-port as notify-only, throttle,
or block. A connection-rate ACL creates exceptions to these per-port policies by creating special
rules for individual hosts, groups of hosts, or entire subnets. Thus, you can adjust a connection-rate
filtering policy to create and apply an exception to configured filters on the ports in a VLAN. Note
that connection-rate ACLs are useful only if you need to exclude inbound traffic from your
connection-rate filtering policy. For example, a server responding to network demand can send a
relatively high number of legitimate connection requests. This can generate a false positive by
exhibiting the same elevated connection-rate behavior as a worm. Using a connection-rate ACL to
apply an exception for this server allows you to exclude the trusted server from connection-rate
filtering and thereby keep the server running without interruption.
NOTE: Use connection-rate ACLs only when you need to exclude an IP traffic source (including
traffic with specific UDP or TCP criteria) from a connection-rate filtering policy. Otherwise, the ACL
is not necessary.
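To make the three per-port responses, the penalty/re-evaluation cycle, the administrator re-enable step and the connection-rate ACL exception concrete, here is an added model in Python; it is not the switch's firmware or any code from this guide. It assumes a constructed flow record of (time, source IP, destination IP), uses the number of distinct destinations a source opens within one window as the "high connection rate" signal, and the threshold, window and penalty values are constructed, not the switch's sensitivity settings.

```python
from collections import defaultdict
MODES = ("notify-only", "throttle", "block")

class ConnectionRateFilter:
    def __init__(self, mode, threshold, window, penalty, exceptions=()):
        assert mode in MODES
        self.mode, self.threshold, self.window, self.penalty = mode, threshold, window, penalty
        self.exceptions = set(exceptions)  # connection-rate ACL: sources excluded from filtering
        self.dests = defaultdict(list)     # src -> [(time, dst)] seen inside the window
        self.throttled_until = {}          # src -> time its penalty period ends
        self.blocked = set()               # cleared only by an explicit re_enable()
        self.log = []                      # Event Log notices: (time, src, mode)

    def _rate(self, src, now):
        # Distinct destinations this source has opened within the last `window` seconds
        recent = [(t, d) for t, d in self.dests[src] if now - t <= self.window]
        self.dests[src] = recent
        return len({d for _, d in recent})

    def handle(self, now, src, dst):
        # Return True if the packet is forwarded, False if the switch drops it
        if src in self.exceptions:
            return True                    # ACL exception: trusted server stays uninterrupted
        if src in self.blocked:
            return False
        if src in self.throttled_until:
            if now < self.throttled_until[src]:
                return False               # still inside the penalty period
            del self.throttled_until[src]  # penalty expired: traffic is re-evaluated
        self.dests[src].append((now, dst))
        if self._rate(src, now) > self.threshold:
            self.log.append((now, src, self.mode))
            if self.mode == "throttle":
                self.throttled_until[src] = now + self.penalty
                return False
            if self.mode == "block":
                self.blocked.add(src)
                return False
        return True                        # notify-only: log, but keep forwarding
    def re_enable(self, src):
        self.blocked.discard(src)          # the administrator's explicit action

def run_demo(mode):
    # Replay constructed flow records through one filter mode (hypothetical addresses)
    crf = ConnectionRateFilter(mode, threshold=5, window=1.0, penalty=5.0, exceptions={"10.0.0.5"})
    flows = [(0.1 * i, "10.0.0.9", f"10.0.1.{i}") for i in range(8)]   # host fanning out, worm-like
    flows += [(0.1 * i, "10.0.0.5", f"10.0.2.{i}") for i in range(8)]  # busy server, covered by the ACL
    flows.append((6.0, "10.0.0.9", "10.0.1.99"))                       # first packet after the penalty
    result = defaultdict(list)
    for t, src, dst in sorted(flows):
        result[src].append(crf.handle(t, src, dst))
    return dict(result), len(crf.log), sorted(crf.blocked)
```

Running `run_demo` with each mode shows the difference the text describes: notify-only keeps forwarding and logs while the burst continues, throttle drops the host for the penalty period and then forwards again, and block keeps dropping until `re_enable` is called, while the excepted server is never touched.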
66 Virus throttling (connection-rate filtering)