Virus throttling (connection-rate filtering)
Configuring connection-rate filtering
Use the following command to view the basic connection-rate configuration. To view connection-rate ACLs and/or any other switch configuration details, use show config or show running. See Displaying the connection-rate status, sensitivity, and per-port configuration.
Syntax
show connection-rate-filter
Displays the current global connection-rate status (enabled/disabled) and sensitivity setting, and the current per-port configuration. This command does not display the current (optional) connection-rate ACL configuration. To view the complete connection-rate configuration, including any ACLs, use show config (for the startup-config file) or show running (for the running-config file). See Applying connection-rate ACLs.
Enabling global connection-rate filtering and sensitivity
Use the commands in this section to enable connection-rate filtering on the switch and to apply the filtering on a per-port basis.
Syntax
connection-rate-filter sensitivity < low | medium | high | aggressive >
[no] connection-rate-filter
This command:
Enables connection-rate filtering.
Sets the global sensitivity level at which the switch interprets a given host's attempts to connect to a series of different devices as a possible attack by a malicious agent residing on the host.
Options for configuring sensitivity include:
low
Sets the connection-rate sensitivity to the lowest possible sensitivity, which allows a mean of 54 destinations in less than 0.1 seconds, and a corresponding penalty time for Throttle mode (if configured) of less than 30 seconds.
medium
Sets the connection-rate sensitivity to allow a mean of 37 destinations in less than 1 second, and a corresponding penalty time for Throttle mode (if configured) between 30 and 60 seconds.
high
Sets the connection-rate sensitivity to allow a mean of 22 destinations in less than 1 second, and a corresponding penalty time for Throttle mode (if configured) between 60 and 90 seconds.
aggressive
Sets the connection-rate sensitivity to the highest possible level, which allows a mean of 15 destinations in less than 1 second, and a corresponding penalty time for Throttle mode (if configured) between 90 and 120 seconds.
[no] connection-rate-filter
This command disables connection-rate filtering on the switch.
NOTE: The sensitivity settings configured on the switch determine the Throttle mode penalty periods as shown in Throttle mode penalty periods.
Configuring per-port filtering
Syntax
filter connection-rate <port-list> < notify-only | throttle | block >
no filter connection-rate <port-list>
Configures the per-port policy for responding to detection of a relatively high number of inbound IP connection attempts from a given source. The level at which the switch detects such traffic depends on the sensitivity setting configured by the connection-rate-filter sensitivity command. See Enabling global connection-rate filtering and sensitivity.
NOTE: You can use connection-rate ACLs to create exceptions to the configured filtering policy. See Applying connection-rate ACLs.
The no form of the command disables connection-rate filtering on the ports in <port-list>.
notify-only
If the switch detects a relatively high number of IP connection attempts from a specific host, notify-only generates an Event Log message and sends a similar message to any SNMP trap receivers configured on the switch.
throttle
If the switch detects a relatively high number of IP connection attempts from a specific host, this option generates the notify-only messaging and blocks all inbound traffic from the offending host for a penalty period. After the penalty period, the switch allows traffic from the offending host to resume and re-examines the traffic. If the suspect behavior continues, the switch again blocks the traffic from the offending host and repeats the cycle. For the penalty periods, see Throttle mode penalty periods.
block
If the switch detects a relatively high number of IP connection attempts from a specific host, this option generates the notify-only messaging and also blocks all inbound traffic from the offending host.
Throttle mode penalty periods
Throttle mode (sensitivity) | Frequency of IP connection requests from the same source | Mean number of new destination hosts in the frequency period | Penalty period |
---|---|---|---|
Low | <0.1 second | 54 | <30 seconds |
Medium | <1.0 second | 37 | 30 - 60 seconds |
High | <1.0 second | 22 | 60 - 90 seconds |
Aggressive | <1.0 second | 15 | 90 - 120 seconds |
Example of a Basic Connection-Rate Filtering Configuration
Sample network
Basic configuration
Suppose that in the sample network, the administrator wanted to enable connection-rate filtering and configure the following response to high connection-rate traffic on the switch:
Ports B1 — B3: Throttle traffic from the transmitting hosts.
Port B4: Respond with notify-only to identify the transmitting hosts.
Ports B9, D1, and D2: Block traffic from the transmitting hosts.
This example illustrates the configuration steps and resulting startup-config file:
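The command sequence below is an added example (not the document's own listing) that applies the per-port policies described above using the syntax from the preceding sections; the medium sensitivity level, the B1-B3 range and B9,D1,D2 comma-list notation for <port-list>, and saving with write memory are assumptions.

```text
! Step 1: enable connection-rate filtering globally and pick a sensitivity
!         (medium is an assumed choice; see Throttle mode penalty periods)
switch(config)# connection-rate-filter sensitivity medium

! Step 2: per-port response policies for the sample network
! Ports B1-B3: throttle (notify, block the offender for the penalty period, re-examine)
switch(config)# filter connection-rate B1-B3 throttle
! Port B4: notify-only (Event Log message + SNMP trap, traffic is not blocked)
switch(config)# filter connection-rate B4 notify-only
! Ports B9, D1, D2: block (notify and block all inbound traffic from the offender)
switch(config)# filter connection-rate B9,D1,D2 block

! Step 3: verify global status, sensitivity and per-port policies
switch(config)# show connection-rate-filter

! Step 4: save to startup-config and review the saved configuration
switch(config)# write memory
switch(config)# show config

! To withdraw a per-port policy later, use the no form, e.g.:
! switch(config)# no filter connection-rate B4
```

Lines beginning with "!" are explanatory comments and are not typed at the switch prompt.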