ProCurve 5300xl Specifications download pdf (Page 18)

connections to new computers, but instead is more likely to regularly connect to the same set of

computers. This is in contrast to the fundamental behavior of a rapidly spreading worm, which

will attempt many outgoing connections to new computers. For example, while computers

normally make approximately one connection per second, the SQL Slammer virus tries to infect

more than 800 computers per second.

Virus-throttling works by intercepting IP-routed connection requests, that is, connections

crossing VLAN boundaries, in which the source subnet and destination subnet are different. The

virus throttle tracks the number of recently made connections. If a new, intercepted request is

to a destination to which a connection was recently made, the request is processed as normal.

If the request is to a destination that has not had a recent connection, the request is processed

only if the number of recent connections is below a pre-set threshold. The threshold specifies

how many connections are to be allowed over a set amount of time, thereby enforcing a

connection rate limit. If the threshold is exceeded, because requests are coming in at an

unusually high rate, it is taken as evidence of a virus. This causes the throttle to stop processing

requests and, instead, to notify the system administrator.

This applies to most common layer 4-7 session and application protocols, including TCP

connections, UDP packets, SMTP, IMAP, Web Proxy, HTTP, SSL, and DNS—virtually any protocol

where the normal traffic does not look like a virus spreading. For virus-throttling to work, IP

routing and multiple VLANs with member ports must first be configured.

(Some protocols, such as NetBIOS and WINS, and some applications such as network

management scanners, notification services and p2p file sharing are not appropriate for virus-

throttling, because they initiate a broad burst of network traffic that could be misinterpreted by

virus-throttling technology as a threat).

5300xl with Routing

Configured

Networked

Servers

Devices on VLAN 3

Infected with Worm-

Like Malicious Code

Intranet

VLAN 1

VLAN 2

VLAN 3

5300xl with Routing

Configured

Networked

Servers

Devices on VLAN 3

Infected with Worm-

Like Malicious Code

Intranet

VLAN 1

VLAN 2

VLAN 3

Figure 3. Throttling virus movements across VLANs

In 5300xl Switch Series, virus throttling is implemented through connection-rate filtering. When

the connection-rate filtering is enabled on a port, the inbound routed traffic is monitored for a

high rate of connection requests from any given host on the port. If a host appears to exhibit

the worm-like behavior of attempting to establish a large number of outbound IP connections

(destination addresses, or DAs) in a short period of time, the switch responds depending on how

connection-rate filtering is configured.

Response options

The response behavior of connection-rate filtering can be adjusted by using Filtering options.

When a worm-like behavior is detected, the connection-rate filter can respond to the threats on

the port by

• Notify only of potential attack: While the apparent attack continues, the switch generates

an Event Log notice identifying the offending host source address (SA) and (if a trap receiver

is configured on the switch) a similar SNMP trap notice.

1 2 ... 13 14 15 16 17 18 19 20 21 22 23 ... 35 36

Comments to this Manuals

No comments

ProCurve 5300xl Specifications Page 18

Comments to this Manuals

Related products and manuals for Network switches ProCurve 5300xl