Appendix F: Virus Throttle Security - HP ProCurve 3500-24 Reference Manual

LLDP-MED endpoint devices are located at the network edge and communicate using the LLDP-MED framework .
Any LLDP-MED endpoint device belongs to one of the following three classes:
• Class 1 (Generic Endpoint Devices): These devices offer the basic LLDP discovery services, network policy
advertisement (VLAN ID, Layer 2/802 . 1 p priority, and Layer 3/DSCP priority), and PoE management . This
class includes such devices as IP call controllers and communication-related servers .
• Class 2 (Media Endpoint Devices): These devices offer all Class 1 features plus media streaming capability,
and include such devices as voice/media gateways, conference bridges, and media servers .
• Class 3 (Communication Devices): These devices are typically IP phones or end-user devices that otherwise
support IP media and offer all Class 1 and Class 2 features, plus location identification and emergency 911
capability, Layer 2 switch support, and device information management .

Appendix F: Virus Throttle security

Virus Throttle is based on the detection of anomalous behavior of network traffic that differs from a normal
activity . Under normal activity, a computer will make fairly few outgoing connections to new computers, but
instead is more likely to regularly connect to the same set of computers . This is in contrast to the fundamental
behavior of a rapidly spreading worm, which will attempt many outgoing connections to new computers . For
example, while computers normally make approximately one connection per second, the SQL Slammer virus
tries to infect more than 800 computers per second .
Virus Throttle works by intercepting IP connection requests, that is, connections in which the source subnet and
destination address are different . The Virus Throttle tracks the number of recently made connections . If a new,
intercepted request is to a destination to which a connection was recently made, the request is processed as
normal . If the request is to a destination that has not had a recent connection, the request is processed only if
the number of recent connections is below a pre-set threshold . The threshold specifies how many connections
are to be allowed over a set amount of time, thereby enforcing a connection rate limit . If the threshold is
exceeded, because requests are coming in at an unusually high rate, it is taken as evidence of a virus . This
causes the throttle to stop processing requests and, instead, to notify the system administrator .
This capability can be applied to most common Layer 4 through 7 session and application protocols, including
TCP connections, UDP packets, SMTP, IMAP, Web Proxy, HTTP, SSL, and DNS—virtually any protocol where
the normal traffic does not look like a virus spreading . For Virus Throttle to work, IP routing and multiple VLANs
with member ports must first be configured .
Note that some protocols, such as NetBIOS and WINS, and some applications such as network management
scanners, notification services, and p2p file sharing are not appropriate for Virus Throttle . These protocols
and applications initiate a broad burst of network traffic that could be misinterpreted by the Virus Throttle
technology as a threat .
Figure A6.
VLAN 1
VLAN 2
VLAN 3
65