Virus Throttling (Connection-Rate Filtering)
Overview of Connection-Rate Filtering
■ Notify only (of potential attack): While the apparent attack continues, the switch generates an Event Log notice identifying the offending host’s source IP address and (if a trap receiver is configured on the switch) a similar SNMP trap notice.
■ Throttle: In this case, the switch temporarily blocks inbound IP traffic from the offending host’s source IP address for a “penalty” period and generates an Event Log notice of this action and (if a trap receiver is configured on the switch) a similar SNMP trap notice. When the “penalty” period expires, the switch re-evaluates the traffic from the host and continues to block this traffic if the apparent attack continues. (During the re-evaluation period, IP traffic from the host is allowed.)
■ Block: This option blocks all IP traffic from the host. When a block occurs, the switch generates an Event Log notice and (if a trap receiver is configured on the switch) a similar SNMP trap notice. Note that a network administrator must explicitly re-enable a host that has been previously blocked; a blocked host is never released automatically.
Sensitivity to Connection Rate Detection
The switch includes a global sensitivity setting that adjusts how readily connection-rate filtering treats a high rate of new connection attempts from a given source as an attack. Raising the sensitivity makes the filter react to a lower rate of connection attempts; lowering it requires a higher rate before the source is flagged.
Application Options
For the most part, normal network traffic is distinct from the traffic exhibited by malicious agents. However, when a legitimate network host generates multiple connections in a short period of time, connection-rate filtering may generate a “false positive” and treat the host as an infected client. Lowering the sensitivity or changing the filter mode may reduce the number of false positives. Conversely, relaxing filtering and sensitivity provisions lowers the switch’s ability to detect worm-generated traffic in the early stages of an attack, so any such change should be carefully investigated and planned to ensure that a risky vulnerability is not created. As an alternative, you can use connection-rate ACLs (access control lists) or selective enabling to allow legitimate traffic.
Selective Enable. This option involves applying connection-rate filtering only to ports posing a significant risk of attack. For ports that are reasonably secure from attack, there may be little benefit in configuring them with connection-rate filtering.