When the number of IP Connection exceed for a particular IP traffic, the content of the traffic is unknown to the Network Operator, in either ways the network is blind and vulnerable to potential attacks as to what it carries. Are the packets carrying legitimate payload? Do these Applications pose a significant risk of attack? How do we address this?
Connection-rate filtering based on Virus Throttle technology is a HP-developed solution that overcomes the limitations of previous responses and meets the need for rapid containment and mitigation of attacks by malicious agents.
Based on the behavior of malicious code and the ways in which that behavior differs from that of normal code. Virus Throttle is based on the observation that under normal activity, a computer will make fairly few outgoing connections to new computers, but instead is more likely to regularly connect to the same set of computers. This is in contrast to the fundamental behavior of a rapidly spreading worm, which will attempt many outgoing connections to new computers.
This approach differs from signature updates in three ways:
- It focuses on the network behavior of the virus and prevents certain types of behavior—in particular, the attempted creation of a large number of outgoing connections per second.
- It is also unique in that, instead of stopping viruses from entering a system, it restricts the code from leaving.
- Because connections exceeding the allowed rate can be blocked for configurable periods of time, the system is tolerant to false positives and is therefore robust.
How it Works - Virus Throttling?
Throttle works by intercepting all IP connection requests—that is, connections in which the source subnet and destination addresses are different. This applies to most common Layer 4-7 session and application protocols, including TCP connections, UDP packets, SMTP, IMAP, Web Proxy, HTTP, SSL and DNS—virtually any protocol where the normal traffic does not look like a virus spreading.
The Virus Throttle tracks the number of recently made connections. If a new, intercepted request is to a destination to which a connection was recently made, the request is processed as normal. If the request is to a destination that has not had a recent connection, the request is processed only if the number of recent connections is below a pre-set threshold. The threshold specifies how many connections are to be allowed over a set amount of time, thereby enforcing a connection-rate limit. If the threshold is exceeded, because requests are coming in at an unusually high rate, it is taken as evidence of a virus. This causes the throttle to stop processing requests and, instead, to notify the system administrator.
Filtering Options In the default configuration, connection-rate filtering is disabled. When enabled on a port, connection-rate filtering monitors inbound routed traffic for a high rate of connection requests from any given host on the port. If a host appears to exhibit the worm-like behavior of attempting to establish a large number of outbound IP connections (destination 5 addresses) in a short period of time, the switch responds in one of the following ways, depending on how connection-rate filtering is configured:
- Notify only of potential attack: While the apparent attack continues, the switch generates an Event Log notice identifying the offending host source address (SA) and (if a trap receiver is configured on the switch) a similar SNMP trap notice.
- Notify and reduce spreading: In this case, the switch temporarily blocks inbound routed traffic from the offending host SA for a “penalty” period and generates an Event Log notice of this action and (if a trap receiver is configured on the switch) a similar SNMP trap notice. When the penalty period expires, the switch re-evaluates the routed traffic from the host and continues to block this traffic if the apparent attack continues. (During the re-evaluation period, routed traffic from the host is allowed.)
- Block spreading: This option blocks forwarding ’of the host’s traffic on the switch. When a block occurs, the switch generates an Event Log notice and (if a trap receiver is configured on the switch) a similar SNMP trap notice. Note that system personnel must explicitly re-enable a host that has been previously blocked.
Selective enabling. This option involves applying connection-rate filtering only to ports posing a significant risk of attack. For ports that are reasonably secure from attack, there may be little benefit in configuring them with connection-rate filtering.
Connection-rate ACLs. As noted above, the basic connection-rate filtering policy is configured per-port as notify-only, throttle and block. A connection-rate ACL, consisting of a series of access control entries (ACEs), creates exceptions to these per-port policies by creating special rules for individual hosts, groups of hosts or entire subnets. Thus, the system administrator can adjust a connection-rate filtering policy to create and apply an exception to configured filters on the ports in a VLAN. Connection-rate ACLs are useful if the system administrator needs to exclude legitimate high-rate inbound traffic from the connection-rate filtering policy. For example, a server responding to network demand might send a relatively high number of legitimate connection requests. This can generate a false positive by exhibiting the same elevated connection-rate behavior as a worm. Using a connection-rate ACL to apply an exception for this server allows the administrator to exclude the trusted server from connection-rate filtering and thereby keep the server running without interruption.
Configuration Guidelines - For the ProCurve switches to apply connection-rate filters, IP routing and multiple VLANs with member ports must first be configured. System administrators can take one approach for networks that are relatively attack-free, and another for high-risk networks. The following summarizes the steps that an administrator takes to configure the switch for connection-rate filtering.
In cases where a network is relatively attack-free, the network administrator can set global sensitivity on the ProCurve switch’s connection filter to low. By monitoring event logs and SNMP trap receivers, if available, the administrator can identify hosts that show high connection rates. If the high rates are the result of legitimate activity—such as heavily used servers—then the administrator can configure connection-rate ACLs to create policy exceptions for trusted hosts. At this point, the sensitivity of the connection-rate filter can be raised to medium and the network monitored again.
For a network under likely threat of attack, connection-rate filtering steps include policies for managing the hosts that exhibit high connection rates. This allows better network performance for unaffected hosts and helps to identify hosts that may require updates or patches to eliminate malicious code. For example, the administrator is advised to set connection-rate filtering to “throttle” on all ports, with global sensitivity set to medium. Event log and SNMP trap monitoring should be conducted as above to identify hosts with high connection rates. To immediately halt an attack from a specific host, group of hosts or a subnet, the administrator should use the per-port block mode on the appropriate port or ports. After gaining control of the situation, the administrator can use connection-rate ACLs to manage traffic more selectively to allow receipt of normal routed traffic from reliable hosts.
As seen above the administrator could choose to
- Throttle potentially malicious high-rate traffic from ports B1-3.
- Notify-only in response to high-rate traffic from the more secure sources C, D and E, connected to B4.
- Immediately block high-rate traffic from potentially high-risk locations such as the company intranet, entering the VLAN via port D2.
- Use an ACL to allow known, legitimate high-rate traffic originating at sources F, G and H to pass into the VLAN at port D1.