Configuring connection-rate filtering for high risk networks
This procedure is similar to the general steps required for a relatively attack-free network, except for the policies suggested for managing hosts that exhibit high connection rates. Throttling or blocking those hosts preserves network performance for unaffected hosts and helps to identify hosts that may require updates or patches to remove malicious code.
1. Configure connection-rate filtering to throttle on all ports.
2. Set the global sensitivity to medium.
3. If SNMP trap receivers are available in your network, use the snmp-server command to configure the switch to send SNMP traps.
4. Monitor the Event Log or the available SNMP trap receivers (if configured on the switch) to identify hosts exhibiting high connection rates.
5. Check any host that exhibits a relatively high connection rate to determine whether malicious code or legitimate use is the cause of the behavior.
6. On hosts you identify as needing attention to remove malicious behavior:
   a. To immediately halt an attack from a specific host, group of hosts, or subnet, use the per-port block mode on the appropriate ports.
   b. After gaining control of the situation, use connection-rate ACLs to manage traffic more selectively, so that normal traffic from reliable hosts is still received.
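The CLI session below is an added illustration of the procedure on a ProCurve/ArubaOS-Switch style switch; it is not taken from the original page. The exact command syntax, the port range 1-24, the offending port 7, the trap receiver address 10.0.0.5, the community string and the host address 192.0.2.100 are all assumptions for the example; verify each command against the command reference for your switch software, and the connection-rate ACL step is not shown because its syntax varies by release.

```text
; Added example, not from the original page. Syntax, port numbers and
; addresses are assumptions; check them against your switch's command reference.

; Steps 1 and 2: throttle on every port, global sensitivity medium
switch# configure
switch(config)# connection-rate-filter sensitivity medium
switch(config)# filter connection-rate 1-24 throttle

; Step 3: send traps to an SNMP trap receiver (receiver address and community assumed)
switch(config)# snmp-server host 10.0.0.5 community "crf-traps" trap-level all

; Step 4: review which hosts the filter has throttled or blocked
switch(config)# show connection-rate-filter
switch(config)# show log -r

; Step 6a: host on port 7 confirmed malicious; block that port immediately
switch(config)# filter connection-rate 7 block

; After the host is cleaned and patched, release it and return the port to throttle
switch(config)# connection-rate-filter unblock 192.0.2.100
switch(config)# filter connection-rate 7 throttle
switch(config)# write memory
```

Moving only the affected port to block, while the rest of the ports remain in throttle, keeps the containment narrow; the show commands give you the evidence (port, host address, action taken) to check before and after the change.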