HP 5400zl Series Technical Overview page 52
Hide thumbs
Also See for 5400zl Series:
- Reference manual (765 pages) ,
- Installation and getting started manual (135 pages) ,
- Quickspecs (101 pages)
Table of Contents
Advertisement
Virus Throttle works by intercepting IP connection requests, that is, connections in which the source
subnet and destination address are different. The Virus Throttle tracks the number of recently made
connections. If a new, intercepted request is to a destination to which a connection was recently made,
the request is processed as normal. If the request is to a destination that has not had a recent
connection, the request is processed only if the number of recent connections is below a pre-set
threshold. The threshold specifies how many connections are to be allowed over a set amount of time,
thereby enforcing a connection rate limit. If the threshold is exceeded, because requests are coming in
at an unusually high rate, it is taken as evidence of a virus. This causes the throttle to stop processing
requests and, instead, to notify the system administrator.
This capability can be applied to most common Layer 4 through 7 session and application protocols,
including TCP connections, UDP packets, SMTP, IMAP, Web Proxy, HTTP, SSL, and DNS—
virtually any protocol where the normal traffic does not look like a virus spreading. For Virus Throttle
to work, IP routing and multiple VLANs with member ports must first be configured.
Note that some protocols, such as NetBIOS and WINS, and some applications such as network
management scanners, notification services, and p2p file sharing are not appropriate for Virus Throttle.
These protocols and applications initiate a broad burst of network traffic that could be misinterpreted
by the Virus Throttle technology as a threat.
On the HP ProCurve Switch 5400zl, 3500yl, and 6200yl series, Virus Throttle is implemented through
connection-rate filtering. When connection-rate filtering is enabled on a port, the inbound routed traffic
is monitored for a high rate of connection requests from any given host on the port. If a host appears to
exhibit the worm-like behavior of attempting to establish a large number of outbound IP connections in
a short period of time, the switch responds one the basis of how connection-rate filtering is configured.
52
- Quick Links:
- Provision Asic Cpu
Hide quick links:
Advertisement
Table of Contents
