Access Security Guide K/KA/KB.15.15

Connection-rate log and trap messages
See the Event Log Message Reference Guide for information about Event Log messages.
Overview
The spread of malicious agents in the form of worms has severe implications for network performance. Damage can be as minimal as slowing down a network with excessive, unwanted traffic, or as serious as putting attacker-defined code on a system to cause any type of malicious damage.

Current methods to stop the propagation of malicious agents rely on signature recognition to prevent hosts from being infected. However, the latency between the introduction of a new virus or worm into a network, and the implementation and distribution of a signature-based patch, can be significant. Within this period, a network can be crippled by the abnormally high rate of traffic generated by infected hosts.

Connection-rate filtering based on virus throttling technology is recommended for use on the edge of a network. It is primarily concerned with the class of worm-like malicious code that tries to replicate itself by using vulnerabilities on other hosts (weaknesses in network applications behind unsecured ports). Agents of this variety operate by choosing a set of hosts to attack based on an address range (sequential or random) that is exhaustively searched, either by blindly attempting to make connections by rapidly sending datagrams to the address range, or by sending individual ICMP ping messages to the address range and listening for replies.

Connection-rate filtering detects the network behavior of malicious code that tries to create a large number of outbound IP connections on an interface in a short time. When a host exhibits this behavior, warnings can be sent, and connection requests can be either throttled or dropped to minimize the barrage of subsequent traffic from the host. When enabled on the switch, connection-rate filtering can help reduce the impact of worm-like malicious code and give system administrators more time to isolate and eradicate the threat. Thus, while traditional worm and virus-signature updates will still need to be deployed to hosts, the network remains functional and the overall distribution of the malicious code is limited.
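The following is an added model of the detection behavior just described; it is illustrative code, not HP switch firmware and not code from this guide. It counts the new IP connections a host opens to distinct destinations within a short window and, once the count crosses a sensitivity threshold, either warns (notify-only, as used in the low-risk procedure below), rate-limits (throttle) or drops (block) that host's further requests. The window length, the threshold assigned to each sensitivity level, the host addresses and the two traffic patterns are constructed assumptions; the switch's actual thresholds are not stated on this page.

```python
"""Sliding-window model of connection-rate filtering (added illustration).

Not HP switch firmware and not code from the Access Security Guide. Window
length, per-sensitivity thresholds, addresses and traffic are constructed
assumptions for demonstration only.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 1.0  # assumed observation window

# Assumed mapping of sensitivity level to the maximum number of distinct new
# destinations a host may contact per window before it is flagged.
SENSITIVITY = {"low": 50, "medium": 30, "high": 10, "aggressive": 5}


class ConnectionRateFilter:
    def __init__(self, sensitivity="low", mode="notify-only"):
        if mode not in ("notify-only", "throttle", "block"):
            raise ValueError(f"unknown mode {mode!r}")
        self.threshold = SENSITIVITY[sensitivity]
        self.mode = mode
        self.history = defaultdict(deque)  # src -> deque of (timestamp, dst)
        self.flagged = set()               # hosts that crossed the threshold
        self.blocked = set()               # hosts dropped outright (block mode)
        self.events = []                   # warnings an administrator would review

    def observe(self, ts, src, dst):
        """Classify one connection request: forward, notify, throttle or drop."""
        if src in self.blocked:
            return "drop"
        window = self.history[src]
        # Expire entries older than the window so the count reflects recent rate.
        while window and ts - window[0][0] > WINDOW_SECONDS:
            window.popleft()
        # Repeated connections to an already-seen destination (normal client
        # behaviour) are not counted as new; a sweep across many hosts is.
        if dst not in {d for _, d in window}:
            window.append((ts, dst))
        if len(window) <= self.threshold:
            return "forward"
        if src not in self.flagged:
            self.flagged.add(src)
            self.events.append(  # constructed message text, not the switch's log format
                f"{src} opened more than {self.threshold} new connections in "
                f"{WINDOW_SECONDS}s (mode {self.mode})")
        if self.mode == "notify-only":
            return "notify"      # warn, but still forward the traffic
        if self.mode == "throttle":
            return "throttle"    # forward at a reduced rate
        self.blocked.add(src)
        return "drop"


def sweep(src, start, count):
    """Constructed worm-like traffic: src probes sequential 10.0.1.x addresses at 200/s."""
    return [(start + i * 0.005, src, f"10.0.1.{i % 254 + 1}") for i in range(count)]


def browsing(src, start, count):
    """Constructed benign traffic: src reconnects to the same three servers at 10/s."""
    servers = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
    return [(start + i * 0.1, src, servers[i % 3]) for i in range(count)]


def simulate(mode="notify-only", sensitivity="low"):
    """Run both constructed hosts through the filter; return per-host action counts and events."""
    flt = ConnectionRateFilter(sensitivity, mode)
    flows = sorted(sweep("10.0.0.5", 0.0, 120) + browsing("10.0.0.7", 0.0, 120))
    counts = defaultdict(lambda: defaultdict(int))
    for ts, src, dst in flows:
        counts[src][flt.observe(ts, src, dst)] += 1
    return {src: dict(c) for src, c in counts.items()}, flt.events


if __name__ == "__main__":
    for mode in ("notify-only", "throttle", "block"):
        summary, events = simulate(mode, "low")
        print(mode, summary, events)
```

The benign host is never flagged at any sensitivity because it keeps reconnecting to the same three destinations, while the sweeping host crosses the low threshold after its 50th distinct destination. In notify-only mode every request is still forwarded and only the warning is produced, which is why that mode is the safe first step before throttling or blocking is enabled.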
Configuring connection-rate filtering for low risk networks (Overview)
As stated earlier, connection-rate filtering is triggered only by inbound IP traffic generating a relatively high number of new IP connection requests from the same host.
1. Enable notify-only mode on the ports you want to monitor.
2. Set global sensitivity to low.
3. If SNMP trap receivers are available in your network, use the snmp-server command to configure the switch to send SNMP traps.
4. Monitor the Event Log or (if configured) the available SNMP trap receivers to identify hosts exhibiting high connection rates.
70 Virus throttling (connection-rate filtering)