Configuring connection-rate filtering for high risk networks

This procedure is similar to the general steps required for a relatively attack free network, except for policies suggested for managing hosts exhibiting high connection rates. This allows better network performance for unaffected hosts and helps to identify hosts that can require updates or patches to eliminate malicious code.

  1. Configure connection-rate filtering to throttle on all ports.

  2. Set global sensitivity to medium.

  3. If SNMP trap receivers are available in your network, use the snmp-server command to configure the switch to send SNMP traps.

  4. Monitor the Event Log or the available SNMP trap receivers (if configured on the switch) to identify hosts exhibiting high connection rates.

  5. Check any hosts that exhibit relatively high connection rate behavior to determine whether malicious code or legitimate use is the cause of the behavior.

  6. On hosts you identify as needing attention to remove malicious behavior:

    • To immediately halt an attack from a specific host, group of hosts, or a subnet, use the per-port block mode on the appropriate ports.

    • After gaining control of the situation, you can use connection-rate ACLs to more selectively manage traffic to allow receipt of normal traffic from reliable hosts.