Response Options; Sensitivity; Connection-Rate Acl - HP ProCurve 3500-24 Reference Manual

Procurve switch 8200zl, 5400zl, 3500, and 6200yl series
On the HP ProCurve Switch 8200zl, 5400zl, 3500, and 6200yl series, Virus Throttle is implemented through connection-rate filtering. When connection-rate filtering is enabled on a port, the inbound routed traffic is monitored for a high rate of connection requests from any given host on the port. If a host appears to exhibit the worm-like behavior of attempting to establish a large number of outbound IP connections in a short period of time, the switch responds on the basis of how connection-rate filtering is configured.

Response options

The response behavior of connection-rate filtering can be adjusted by using filtering options. When a worm-like behavior is detected, the connection-rate filter can respond to the threats on the port in the following ways:
• Notify only of potential attack: While the apparent attack continues, the switch generates an Event Log notice identifying the offending host source address (SA) and (if a trap receiver is configured on the switch) a similar SNMP trap notice.
• Notify and reduce spreading: In this case, the switch temporarily blocks inbound routed traffic from the offending host source address for a "penalty" period and generates an Event Log notice of this action and a similar SNMP trap notice if a trap receiver is configured on the switch. When the penalty period expires, the switch re-evaluates the routed traffic from the host and continues to block this traffic if the apparent attack continues. During the re-evaluation period, routed traffic from the host is allowed.
• Block spreading: This option blocks routing of the host's traffic on the switch. When a block occurs, the switch generates an Event Log notice and a similar SNMP trap notice if a trap receiver is configured on the switch. Note that system personnel must explicitly re-enable a host that has been previously blocked.

Sensitivity

The ability of connection-rate filtering to detect relatively high instances of connection-rate attempts from a given source can be adjusted by changing the global sensitivity settings. The sensitivity can be set to low, medium, high, or aggressive as described here:
• Low: sets the connection-rate sensitivity to the lowest possible sensitivity, which allows a mean of 54 routed destinations in less than 0.1 seconds, and a corresponding penalty time for Throttle mode (if configured) of less than 30 seconds
• Medium: sets the connection-rate sensitivity to allow a mean of 37 routed destinations in less than 1 second, and a corresponding penalty time for Throttle mode (if configured) between 30 and 60 seconds
• High: sets the connection-rate sensitivity to allow a mean of 22 routed destinations in less than 1 second, and a corresponding penalty time for Throttle mode (if configured) between 60 and 90 seconds
• Aggressive: sets the connection-rate sensitivity to the highest possible level, which allows a mean of 15 routed destinations in less than 1 second, and a corresponding penalty time for Throttle mode (if configured) between 90 and 120 seconds

Connection-rate ACL

Connection-rate ACLs are used to exclude legitimate high-rate inbound traffic from the connection-rate filtering policy. A connection-rate ACL, consisting of a series of access control entries, creates exceptions to these per-port policies by creating special rules for individual hosts, groups of hosts, or entire subnets. Thus, the system administrator can adjust a connection-rate filtering policy to create and apply an exception to configured filters on the ports in a VLAN.
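To make the three sections above concrete, here is an added Python model of the behaviour they describe: per-source counting of distinct routed destinations inside a time window, the four sensitivity levels with the thresholds and penalty times the manual states, the notify-only, throttle and block responses, and ACL exceptions for trusted hosts or subnets. This is illustrative code written for this page, not HP ProCurve firmware; the switch's real detection algorithm is not documented here, so the windowed distinct-destination counter, the choice of the upper bound of each penalty range, and the sample traffic (a constructed "scanner" host and an ordinary host) are all assumptions.

```python
"""Toy model of ProCurve-style connection-rate filtering (illustrative, not HP code)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Sensitivity table from the manual: (allowed distinct routed destinations,
# window in seconds, throttle penalty in seconds). The penalty uses the upper
# bound of the stated range (assumption made for this model).
SENSITIVITY = {
    "low":        (54, 0.1, 30),
    "medium":     (37, 1.0, 60),
    "high":       (22, 1.0, 90),
    "aggressive": (15, 1.0, 120),
}

# Constructed sample hosts used by run_demo().
SCANNER = "10.0.0.50"
NORMAL = "10.0.0.7"


class ConnectionRateFilter:
    """Tracks routed traffic per source host and applies the configured response."""

    def __init__(self, mode, sensitivity="medium", acl_exceptions=()):
        assert mode in ("notify-only", "throttle", "block")
        self.mode = mode
        self.threshold, self.window, self.penalty = SENSITIVITY[sensitivity]
        # Connection-rate ACL: hosts/subnets excluded from the policy.
        self.acl = [ip_network(n) for n in acl_exceptions]
        self.history = defaultdict(list)   # src -> [(timestamp, dst), ...]
        self.penalty_until = {}            # src -> time the throttle penalty ends
        self.notified_at = {}              # src -> last notify-only event time
        self.blocked = set()               # hosts needing explicit re-enable
        self.events = []                   # stand-in for Event Log / SNMP trap

    def _exempt(self, src):
        return any(ip_address(src) in net for net in self.acl)

    def _log(self, ts, src, text):
        self.events.append(f"{ts:.3f} {src}: {text}")

    def _respond(self, ts, src):
        if self.mode == "notify-only":
            # Log once per window while the apparent attack continues.
            if src not in self.notified_at or ts - self.notified_at[src] >= self.window:
                self.notified_at[src] = ts
                self._log(ts, src, "possible worm-like behaviour (notify only)")
        elif self.mode == "throttle":
            self.penalty_until[src] = ts + self.penalty
            self._log(ts, src, f"throttled for {self.penalty}s (penalty period)")
        else:
            self.blocked.add(src)
            self._log(ts, src, "blocked; operator must explicitly re-enable")

    def forward(self, ts, src, dst):
        """Return True if the routed packet is forwarded, False if dropped."""
        if self._exempt(src):
            return True                     # ACL exception: never evaluated
        if src in self.blocked:
            return False
        if src in self.penalty_until:
            if ts < self.penalty_until[src]:
                return False                # still inside the penalty period
            del self.penalty_until[src]
            self.history[src].clear()       # re-evaluate from a clean slate
            self._log(ts, src, "penalty expired, re-evaluating")
        hist = self.history[src]
        hist.append((ts, dst))
        hist[:] = [(t, d) for t, d in hist if ts - t < self.window]
        if len({d for _, d in hist}) > self.threshold:
            self._respond(ts, src)
            return self.mode == "notify-only"
        return True

    def unblock(self, src):
        """Operator action: blocked hosts are only re-enabled explicitly."""
        self.blocked.discard(src)
        self.history[src].clear()


def run_demo(mode, sensitivity="aggressive", exceptions=()):
    """Replay constructed traffic; return (forwarded counts, events, blocked hosts)."""
    f = ConnectionRateFilter(mode, sensitivity, exceptions)
    forwarded = defaultdict(int)
    # Scanner fans out to 40 distinct destinations within 0.5 s.
    for i in range(40):
        if f.forward(i * 0.0125, SCANNER, f"10.1.0.{i + 1}"):
            forwarded[SCANNER] += 1
    # Ordinary host talks to three destinations over 0.3 s.
    for i, dst in enumerate(("10.1.0.1", "10.1.0.2", "10.1.0.3")):
        if f.forward(0.1 + i * 0.1, NORMAL, dst):
            forwarded[NORMAL] += 1
    # Scanner sends one more packet long after any penalty has expired.
    if f.forward(200.0, SCANNER, "10.1.0.99"):
        forwarded[SCANNER] += 1
    return dict(forwarded), f.events, sorted(f.blocked)


if __name__ == "__main__":
    for m in ("notify-only", "throttle", "block"):
        print(m, run_demo(m))
    print("acl exception", run_demo("block", exceptions=("10.0.0.0/24",)))
```

Running the demo shows the operational difference between the modes: notify-only forwards everything and only records an event, throttle drops the scanner for the penalty period and then lets the re-evaluation packet through, and block keeps dropping until `unblock()` is called. Lowering the sensitivity to `"low"` makes the same 40-destination burst pass unnoticed, because only 8 or 9 destinations fall inside any 0.1 s window, which is the trade-off the Sensitivity section describes.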
