Configuring connection-rate filtering for low risk networks
As stated earlier, connection-rate filtering is triggered only by inbound IP traffic generating a relatively high number of new IP connection requests from the same host.
Procedure
1. Enable notify-only mode on the ports you want to monitor.
2. Set global sensitivity to low.
3. If SNMP trap receivers are available in your network, use the snmp-server command to configure the switch to send SNMP traps.
4. Monitor the Event Log or (if configured) the available SNMP trap receivers to identify hosts exhibiting high connection rates.
5. Check any hosts that exhibit relatively high connection-rate behavior to determine whether malicious code or legitimate use is the cause of the behavior.
6. Hosts demonstrating high but legitimate connection rates, such as heavily used servers, can trigger a connection-rate filter. Configure connection-rate ACLs to create policy exceptions for trusted hosts. Exceptions can be configured for these criteria:
   - A single source host or group of source hosts
   - A source subnet
   - Either of the above with TCP or UDP criteria
   For more on connection-rate ACLs, see Application options.
7. Increase the sensitivity to Medium and repeat steps 5 and 6.
   NOTE: On networks that are relatively infection-free, sensitivity levels above Medium are not recommended.
8. (Optional.) Enable throttle or block mode on the monitored ports.
   NOTE: On a given VLAN, to unblock the hosts that have been blocked by the connection-rate feature, use the vlan <vid> connection-rate filter unblock command.
9. Maintain a practice of carefully monitoring the Event Log or configured trap receivers for any sign of high connection-rate activity that could indicate an attack by malicious code.
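The procedure above collected into a single switch CLI session, as an added example that is not part of this guide. Everything specific in it is an assumption: the monitored port range A1-A24, VLAN 10, the trap receiver 192.0.2.10 with community "public", the ACL name trusted-servers, and the server, subnet and blocked-host addresses are all constructed values; the command forms are assumed to match the ProCurve connection-rate filtering CLI and should be checked against the command reference for your software release before use.

```text
; Step 1: start in notify-only mode on the edge ports to be monitored (A1-A24 is assumed)
switch(config)# filter connection-rate A1-A24 notify-only

; Step 2: enable the feature globally at the lowest sensitivity
switch(config)# connection-rate-filter sensitivity low

; Step 3: send traps to an assumed receiver so alerts are not only in the Event Log
switch(config)# snmp-server host 192.0.2.10 community public

; Steps 4-5: watch the Event Log / trap receiver, then review each flagged host
switch(config)# show connection-rate-filter

; Step 6: exception policy for hosts found to be legitimately busy
;   - ignore = exempt from connection-rate filtering, filter = subject to it
;   - 192.0.2.50 stands for a heavily used server; 192.0.2.64/26 for a server subnet
;     whose TCP port 80 traffic is trusted; everything else stays filtered
switch(config)# access-list connection-rate-filter trusted-servers
switch(config-crf-nacl)# ignore ip host 192.0.2.50
switch(config-crf-nacl)# ignore tcp 192.0.2.64/26 80
switch(config-crf-nacl)# filter ip any
switch(config-crf-nacl)# exit
switch(config)# vlan 10 access-list connection-rate-filter trusted-servers

; Step 7: raise sensitivity one level and repeat the review of steps 5 and 6
switch(config)# connection-rate-filter sensitivity medium

; Step 8 (optional): only after exceptions are in place, move from notify to throttle or block
switch(config)# filter connection-rate A1-A24 throttle

; If block mode is used and a host was blocked by mistake, release it on its VLAN
; (192.0.2.77 is a constructed address)
switch(config)# vlan 10 connection-rate-filter unblock host 192.0.2.77

; Confirm the global sensitivity, per-port mode and any blocked hosts
switch(config)# show connection-rate-filter
```

The ordering matters for a low-risk network: the exception ACL is applied while the ports are still in notify-only mode, so raising the sensitivity or switching to throttle or block cannot cut off a known busy server, and every host that does trip the filter after that point has already been reviewed once at the lower setting.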