Virus Throttle works by intercepting IP connection requests, that is, connections in which the source subnet and destination address are different. The Virus Throttle tracks the number of recently made connections. If a new, intercepted request is to a destination to which a connection was recently made, the request is processed as normal. If the request is to a destination that has not had a recent connection, the request is processed only if the number of recent connections is below a pre-set threshold. The threshold specifies how many connections are to be allowed over a set amount of time, thereby enforcing a connection rate limit. If the threshold is exceeded, because requests are coming in at an unusually high rate, it is taken as evidence of a virus. This causes the throttle to stop processing requests and, instead, to notify the system administrator.

This capability can be applied to most common Layer 4 through 7 session and application protocols, including TCP connections, UDP packets, SMTP, IMAP, Web Proxy, HTTP, SSL, and DNS—virtually any protocol where the normal traffic does not look like a virus spreading. For Virus Throttle to work, IP routing and multiple VLANs with member ports must first be configured.

Note that some protocols, such as NetBIOS and WINS, and some applications, such as network management scanners, notification services, and P2P file sharing, are not appropriate for Virus Throttle. These protocols and applications initiate a broad burst of network traffic that could be misinterpreted by the Virus Throttle technology as a threat.

On the HP ProCurve Switch 5400zl, 3500yl, and 6200yl series, Virus Throttle is implemented through connection-rate filtering. When connection-rate filtering is enabled on a port, the inbound routed traffic is monitored for a high rate of connection requests from any given host on the port. If a host appears to exhibit the worm-like behavior of attempting to establish a large number of outbound IP connections in a short period of time, the switch responds on the basis of how connection-rate filtering is configured.
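The following Python model is an added illustration of the throttling logic described above, not HP code or switch configuration. The threshold, window and subnet prefix values, all class and function names, and the sample traffic are assumptions made for the example; the model applies the stop-and-notify response per source host.

```python
import ipaddress
from collections import defaultdict

class ConnectionRateThrottle:
    """Simplified model of the throttle described above (assumed parameters)."""

    def __init__(self, threshold=4, window=1.0, prefix_len=24):
        self.threshold = threshold    # max new destinations per window (assumed value)
        self.window = window          # seconds a connection counts as "recent" (assumed)
        self.prefix_len = prefix_len  # subnet size used to spot routed traffic (assumed)
        self.recent = defaultdict(dict)   # source host -> {destination: last seen}
        self.flagged = set()              # hosts whose requests are no longer processed
        self.alerts = []                  # stands in for notifying the administrator

    def _routed(self, src, dst):
        net = ipaddress.ip_network(f"{src}/{self.prefix_len}", strict=False)
        return ipaddress.ip_address(dst) not in net

    def request(self, src, dst, now):
        """Return 'pass', 'allow' or 'blocked' for one connection request."""
        if not self._routed(src, dst):
            return "pass"                 # same subnet: not intercepted
        if src in self.flagged:
            return "blocked"
        seen = self.recent[src]
        for d in [d for d, t in seen.items() if now - t > self.window]:
            del seen[d]                   # forget destinations outside the window
        if dst not in seen and len(seen) >= self.threshold:
            self.flagged.add(src)
            self.alerts.append((now, src, dst))
            return "blocked"
        seen[dst] = now                   # known destination, or new one under threshold
        return "allow"


def replay(events, **kw):
    throttle = ConnectionRateThrottle(**kw)
    verdicts = [throttle.request(s, d, t) for t, s, d in events]
    return verdicts, throttle

# Constructed traffic: a client revisiting two servers, and a host sweeping a remote subnet.
NORMAL = [(i * 0.1, "10.0.1.20", f"10.0.2.{5 + i % 2}") for i in range(20)]
SWEEP = [(i * 0.01, "10.0.1.66", f"10.0.3.{i + 1}") for i in range(10)]

if __name__ == "__main__":
    for name, events in (("normal", NORMAL), ("sweep", SWEEP)):
        verdicts, t = replay(events)
        print(name, verdicts.count("allow"), verdicts.count("blocked"), t.alerts)
```

The client that keeps returning to the same two servers is never limited, while the sweeping host is cut off at its fifth new destination and generates a single alert.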

HP 3500yl, 5200zl manual