Traffic regulation events
Traffic regulation policies monitor the established TCP connections, User Datagram Protocol (UDP) errors, and System SSL/TLS failed handshakes. The policies can be configured on all or specific IP addresses and ports.
A traffic regulation policy might look for an inordinate number of connections to a certain range of addresses, ports, or applications, or a denial-of-service attack on a system. A traffic regulation policy also can catch User Datagram Protocol (UDP) errors.
Sometimes a high rate of network traffic indicates that many legitimate users or applications are accessing the system at the same time, rather than a hacker trying to tie up the network. If you determine that normal network traffic is generating traffic regulation events, you can adjust the traffic regulation policy accordingly.
The UDP errors that a traffic regulation policy can catch are:
- Socket errors.
- Not connected to the sender.
- Not enough room for the datagram (buffer overflow).
A System SSL/TLS traffic regulation policy allows the user to configure a threshold for the number of System SSL/TLS failed handshakes for a range of IP addresses and ports. When the System SSL/TLS failed handshake threshold is exceeded for the configured policy, a traffic regulation type event log entry is created to notify the administrator of the suspected event. Any System SSL/TLS application (using the GSKit, SSL_, or IBM® i JSSE implementation) that fails any part of the SSL/TLS handshake negotiation notifies IDS of the failed handshake.

A set of SSL/TLS-related vulnerabilities or attack vectors require a significant number of handshake attempts to slowly learn information about the encrypted data or the keys that are used for a secure session. In some, but not all, cases this style of attack shows up as repeated failed handshake attempts. Configuring a System SSL/TLS traffic regulation policy limits the number of times the attacker can try a partial handshake, so the attack vector is noticed and mitigated.

If throttling is enabled for a System SSL/TLS traffic regulation policy, IDS prevents incoming connections that match the configured policy when the System SSL/TLS failed handshake threshold is exceeded. By stopping the incoming connection, the suspected malicious handshake is prevented. For more information about throttling, see Intrusion detection and prevention.
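The following Python model is an added illustration of how a failed-handshake threshold, the resulting event, and the throttling decision fit together; it is not IBM i IDS code, and the policy fields, the log line format, the peer addresses, and the one-event-per-crossing behaviour are assumptions made here for the example. It counts failed handshakes per peer address within a sliding time window, logs an event when the configured threshold is crossed, and, when throttling is enabled, refuses new connections from that peer while the count stays above the threshold. Raising the threshold (as the page suggests for legitimate traffic) makes the same sample produce no events.

```python
"""Hypothetical model of a System SSL/TLS failed-handshake traffic regulation
policy. Added example only; it does not reproduce IBM i IDS internals."""
import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Policy:
    name: str
    network: ipaddress.IPv4Network   # remote address range the policy covers
    ports: range                     # local port range the policy covers
    threshold: int                   # failed handshakes tolerated per window
    window: int                      # window length in seconds
    throttle: bool = False           # block connections once exceeded?


@dataclass
class TrEvent:
    policy: str
    peer: str
    port: int
    time: int
    count: int


class TrafficRegulator:
    def __init__(self, policies):
        self.policies = policies
        self._fails = defaultdict(deque)   # (policy name, peer) -> timestamps
        self.events = []                   # traffic regulation event log

    def _policy_for(self, peer, port):
        """First policy whose address range and port range match the peer."""
        addr = ipaddress.ip_address(peer)
        for p in self.policies:
            if addr in p.network and port in p.ports:
                return p
        return None

    def _current_count(self, policy, peer, now):
        """Drop failures older than the window; return the remaining count."""
        q = self._fails[(policy.name, peer)]
        while q and q[0] <= now - policy.window:
            q.popleft()
        return len(q)

    def record_failed_handshake(self, peer, port, now):
        """Called when an SSL/TLS application reports a failed handshake."""
        policy = self._policy_for(peer, port)
        if policy is None:
            return None
        q = self._fails[(policy.name, peer)]
        self._current_count(policy, peer, now)
        q.append(now)
        # Log one event at the moment the threshold is crossed, not on every
        # later failure, so the event log is not flooded (assumed behaviour).
        if len(q) == policy.threshold + 1:
            ev = TrEvent(policy.name, peer, port, now, len(q))
            self.events.append(ev)
            return ev
        return None

    def allow_connection(self, peer, port, now):
        """Throttling decision for a new incoming connection."""
        policy = self._policy_for(peer, port)
        if policy is None or not policy.throttle:
            return True
        return self._current_count(policy, peer, now) <= policy.threshold


def parse_line(line):
    """Constructed log format: '<epoch> <peer> <local port> <kind>'."""
    ts, peer, port, kind = line.split()
    return int(ts), peer, int(port), kind


# Constructed sample: one peer failing repeatedly, one unrelated peer.
SAMPLE_LOG = """\
1000 192.0.2.10 443 HANDSHAKE_FAIL
1001 192.0.2.10 443 HANDSHAKE_FAIL
1002 198.51.100.7 443 HANDSHAKE_FAIL
1003 192.0.2.10 443 HANDSHAKE_FAIL
1004 192.0.2.10 443 HANDSHAKE_FAIL
1005 192.0.2.10 443 CONNECT
1006 198.51.100.7 443 CONNECT
1100 192.0.2.10 443 CONNECT
"""


def run_sample(threshold=3, throttle=True):
    """Replay the sample; return the regulator and the per-CONNECT decisions."""
    policy = Policy("tls-443", ipaddress.ip_network("192.0.2.0/24"),
                    range(443, 444), threshold, window=60, throttle=throttle)
    reg = TrafficRegulator([policy])
    decisions = []
    for line in SAMPLE_LOG.splitlines():
        ts, peer, port, kind = parse_line(line)
        if kind == "HANDSHAKE_FAIL":
            reg.record_failed_handshake(peer, port, ts)
        elif kind == "CONNECT":
            decisions.append(reg.allow_connection(peer, port, ts))
    return reg, decisions


if __name__ == "__main__":
    reg, decisions = run_sample()
    for ev in reg.events:
        print(f"TR event: {ev.policy} peer={ev.peer} at t={ev.time} "
              f"count={ev.count}")
    print("connection decisions:", decisions)
```

With the default threshold of 3 the sample produces one event at t=1004; the connection at t=1005 is refused because the peer is still over the threshold, and the one at t=1100 is allowed again once the earlier failures have aged out of the 60 second window. The peer outside the policy's address range never triggers anything, and rerunning with `threshold=10` produces no events, which is the adjustment to make when the failures turn out to be legitimate traffic.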