Example: Variable dynamic throttling for traffic regulation events
This is an example of how to set variable dynamic throttling for a traffic regulation policy to limit or deny intrusions.
Suppose you have created the following traffic regulation policy with throttling set to 50 percent. An intrusion event is generated when the number of established TCP connections exceeds 1000 connections, or exceeds 10% of the total number of connections to the system, during a 10-minute interval. The maximum number of event messages during each statistics interval is 1.

When the intrusion event is generated, throttling begins. Input from all IP addresses coming in on port 80 is cut back to 50% for 10 minutes (the statistics interval). During this time period, IDS keeps statistics for the given protocol, range of IP addresses, and ports. After the statistics interval ends, IDS evaluates whether to continue to throttle during the next 10-minute interval, based on the statistics gathered during the throttled interval.
Setting | Value |
---|---|
Policy name | TR_policy2 |
Policy type | Traffic regulation (TCP) |
Threshold for the total number of TCP connections | 1000 |
TCP connection percentage | 10 |
Local IP addresses | All IP addresses |
Local ports | 80 |
Remote IP addresses | All IP addresses |
Remote ports | All ports |
Statistics interval | 10 minutes |
Maximum event messages | 1 |
Throttling | 50% |
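The evaluation cycle described above can be traced with a small Python model. This is an added illustration, not IBM's code. It assumes that throttling takes effect from the next statistics interval and continues only while that interval's statistics still exceed a threshold; the page does not state the re-evaluation rule. The class and function names and the sample statistics are constructed.

```python
from dataclasses import dataclass
from typing import List, NamedTuple, Tuple

@dataclass(frozen=True)
class Policy:
    """Settings copied from the TR_policy2 table."""
    conn_threshold: int = 1000    # threshold for the total number of TCP connections
    conn_percent: int = 10        # TCP connection percentage
    max_event_messages: int = 1   # per statistics interval
    throttle_percent: int = 50    # share of input accepted while throttling

    def exceeded(self, matched: int, total: int) -> bool:
        # Either condition alone is enough to flag the sample.
        return (matched > self.conn_threshold
                or matched * 100 > self.conn_percent * total)

class IntervalResult(NamedTuple):
    accepted_percent: int   # input accepted during this interval
    events: int             # event messages written, after the cap
    throttle_next: bool     # decision for the following interval

Sample = Tuple[int, int]    # (port-80 connections, all connections to the system)

def simulate(policy: Policy, intervals: List[List[Sample]]) -> List[IntervalResult]:
    results, throttling = [], False
    for samples in intervals:
        accepted = policy.throttle_percent if throttling else 100
        hits = sum(policy.exceeded(m, t) for m, t in samples)
        events = min(hits, policy.max_event_messages)
        # Assumption: throttling continues only if the statistics gathered
        # in this interval still exceed one of the thresholds.
        throttling = hits > 0
        results.append(IntervalResult(accepted, events, throttling))
    return results

# Constructed statistics, one inner list per 10-minute statistics interval.
SAMPLE_INTERVALS = [
    [(400, 9000), (650, 9000)],    # below both thresholds
    [(900, 9500), (1200, 9800)],   # 1200 > 1000: event, throttling starts
    [(1100, 9000), (1300, 9000)],  # two hits, but only one event message
    [(300, 2500), (200, 2500)],    # 300 is 12% of 2500: percentage rule fires
    [(150, 4000)],                 # still throttled, statistics now clean
    [(100, 4000)],                 # back to unthrottled input
]

if __name__ == "__main__":
    for n, r in enumerate(simulate(Policy(), SAMPLE_INTERVALS), 1):
        print(f"interval {n}: accepted {r.accepted_percent}%, "
              f"events {r.events}, throttle next: {r.throttle_next}")
```

The third interval shows the effect of Maximum event messages set to 1, and the fourth shows the percentage rule firing while the connection count is well under 1000.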