Specifications

Virus throttle works by intercepting IP-routed connection requests—connections crossing VLAN boundaries—in which the source subnet and destination subnet are different. The virus throttle tracks the number of recently made connections. If a new, intercepted request is to a destination to which a connection was recently made, the request is processed as normal. If the request is to a destination that has not had a recent connection, the request is processed only if the number of recent connections is below a pre-set threshold. The threshold specifies how many connections are to be allowed over a set amount of time, thereby enforcing a connection-rate limit. If the threshold is exceeded, because requests are coming in at an unusually high rate, it is taken as evidence of a virus. This causes the throttle to stop processing requests and to instead notify the system administrator.
This applies to most common Layer 4 through 7 session and application protocols, including TCP connections, UDP packets, SMTP, IMAP, Web Proxy, HTTP, SSL, and DNS—virtually any protocol where the normal traffic does not look like a virus spreading. For virus throttle to work, IP routing and multiple VLANs with member ports must first be configured.
Note that some protocols, such as NetBIOS and WINS, and some applications such as network management scanners, notification services, and P2P file sharing, are not appropriate for virus throttle. These protocols and applications initiate a broad burst of network traffic that could be misinterpreted by the virus-throttle technology as a threat.
Figure D-1: Virus Throttle example topology
On the ProCurve 6600 Switch Series, virus throttle is implemented through connection-rate filtering. When connection-rate filtering is enabled on a port, the inbound routed traffic is monitored for a high rate of connection requests from any given host on the port. If a host appears to exhibit the worm-like behavior of attempting to establish a large number of outbound IP connections in a short period of time, the switch responds, depending on how connection-rate filtering is configured.
Response options
The response behavior of connection-rate filtering can be adjusted by using filtering options. When worm-like behavior is detected, the connection-rate filter can respond to the threats on the port in the following ways:
• Notify only of potential attack: While the apparent attack continues, the switch generates an Event Log notice identifying the offending host source address (SA) and (if a trap receiver is configured on the switch) a similar SNMP trap notice.
• Notify and reduce spreading: In this case, the switch temporarily blocks inbound routed traffic from the offending host source address for a “penalty” period, and generates an Event Log notice of this action and a similar SNMP trap notice if a trap receiver is configured on the switch. When the penalty period expires, the switch reevaluates the routed traffic from the host and continues to block this traffic if the apparent attack continues. During the reevaluation period, routed traffic from the host is allowed.
• Block spreading: This option blocks routing of the host's traffic on the switch. When a block occurs, the switch generates an Event Log notice and a similar SNMP trap notice if a trap receiver is configured on the switch. Note that system personnel must explicitly re-enable a host that has been previously blocked.
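The throttle algorithm described at the top of this appendix, combined with the three response options above, as an added simulation written for this page (not ProCurve firmware or its CLI). The window, threshold, penalty length and sample addresses are assumptions; the traffic is constructed so a normal host and a worm-like host can be compared.

```python
from collections import deque

# Assumed parameters, not the switch's defaults: 1 s window, 5 new destinations per
# window, 10 s penalty. Modes: "notify", "throttle" (notify and reduce spreading), "block".
class ConnectionRateFilter:
    def __init__(self, mode="notify", threshold=5, window=1.0, penalty=10.0):
        self.mode, self.threshold, self.window, self.penalty = mode, threshold, window, penalty
        self.recent = {}         # src -> deque of (time, dst) for recently contacted new destinations
        self.blocked_until = {}  # src -> time the penalty ends (inf = until re-enabled by staff)
        self.events = []         # (time, src, mode): what the Event Log / SNMP trap would report

    def _recent(self, src, now):
        q = self.recent.setdefault(src, deque())
        while q and now - q[0][0] > self.window:   # forget connections older than the window
            q.popleft()
        return q

    def handle(self, now, src, dst):
        """Return True if the routed request is forwarded, False if the switch drops it."""
        if now < self.blocked_until.get(src, 0.0):
            return False                             # penalty or hard block still in force
        q = self._recent(src, now)
        if any(d == dst for _, d in q):
            return True                              # recently contacted destination: normal
        if len(q) < self.threshold:
            q.append((now, dst))                     # new destination, still under the rate limit
            return True
        self.events.append((now, src, self.mode))   # threshold exceeded: worm-like behaviour
        if self.mode == "notify":
            q.append((now, dst))
            return True                              # log only, keep forwarding
        if self.mode == "throttle":
            self.blocked_until[src] = now + self.penalty   # host is re-evaluated after the penalty
        else:
            self.blocked_until[src] = float("inf")         # blocked until reenable() is called
        return False

    def reenable(self, src):
        self.blocked_until.pop(src, None)

def simulate(mode, requests):
    """Feed constructed (time, src, dst) requests through one filter; return forwarded counts and the filter."""
    f, forwarded = ConnectionRateFilter(mode), {}
    for t, s, d in requests:
        if f.handle(t, s, d):
            forwarded[s] = forwarded.get(s, 0) + 1
    return forwarded, f

# Constructed traffic: a normal host alternates between two servers; a worm-like host
# sweeps 20 distinct addresses on another subnet within one second.
NORMAL = [(0.1 * i, "10.0.3.10", ["10.0.1.5", "10.0.1.6"][i % 2]) for i in range(20)]
WORM = [(0.05 * i, "10.0.3.66", f"10.0.2.{i}") for i in range(20)]
```

Running `simulate` with each mode on `NORMAL` and `WORM` shows why NetBIOS-style bursts would trip the same logic: only the number of distinct recent destinations matters, not whether the host is actually infected.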
[Figure D-1 labels: Networked servers; 5400zl, 3500yl or 6200yl with IP Routing configured; Intranet; VLAN 1; VLAN 2; VLAN 3; Devices on VLAN 3 infected with worm-like malicious code]