Traffic regulation events

Traffic regulation policies monitor established TCP connections, User Datagram Protocol (UDP) errors, and System SSL/TLS failed handshakes. A policy can cover all IP addresses and ports, or a specific range of addresses and ports.

A traffic regulation policy might watch for an inordinate number of connections to a certain range of addresses, ports, or applications, or for signs of a denial-of-service attack on the system. A traffic regulation policy can also catch UDP errors.

Sometimes a high rate of network traffic simply means that many legitimate users or applications are accessing the system at the same time, rather than an attacker trying to tie up the network. If you determine that normal network traffic is generating traffic regulation events, adjust the policy accordingly, for example by raising its threshold or narrowing the range of addresses and ports it covers.

UDP is an Internet protocol that provides an unreliable, connectionless datagram service: an application on one host or process can send a datagram to an application on another host or process with no connection setup and no delivery guarantee. IDS detects the following types of UDP traffic regulation events:
  • Socket errors.
  • Not connected to the sender.
  • Not enough room for the datagram (the receiving socket's buffer is full, so the datagram is discarded; this condition is called a buffer overflow here, but it is a full-buffer condition, not a memory-safety flaw).

A System SSL/TLS traffic regulation policy lets you set a threshold for the number of System SSL/TLS failed handshakes over a range of IP addresses and ports. When the failed handshake threshold for a policy is exceeded, IDS creates a traffic regulation event in the event log to notify the administrator of the suspected attack. Any System SSL/TLS application (one that uses the GSKit APIs, the SSL_ APIs, or the IBM® i JSSE implementation) that fails any part of the SSL/TLS handshake negotiation reports the failed handshake to IDS.

Several SSL/TLS vulnerabilities and attack techniques require a large number of handshake attempts to slowly learn information about the encrypted data or the keys used for a secure session; adaptive chosen-ciphertext (padding oracle) attacks on RSA key exchange are one example, because each probe is a handshake the server rejects. In some, but not all, cases this style of attack shows up as a stream of failed handshake attempts. A System SSL/TLS traffic regulation policy limits how many partial handshakes an attacker can attempt, so the attack is noticed and, with throttling, mitigated.

If throttling is enabled for a System SSL/TLS traffic regulation policy, IDS refuses incoming connections that match the policy while the failed handshake threshold is exceeded. Because the connection is stopped before the handshake runs, the suspected malicious handshake never takes place. For more information about throttling, see Intrusion detection and prevention.
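The following Python is an added example, not IBM i IDS code and not the product's policy format. It models the behaviour this page describes for all three event classes (TCP connections, UDP errors, and failed System SSL/TLS handshakes): a policy scoped to an address range and a port range counts matching events in a sliding time window, raises a traffic regulation event when the count exceeds the threshold, and, when throttling is enabled, refuses further matching connections until enough of the window has expired. The policy fields, the event names (tcp_connect, udp_error, tls_handshake_fail), and the sample traffic are all assumptions constructed for the example.

```python
"""Sliding-window traffic regulation model (added example; not IBM i IDS code)."""
from collections import deque
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Policy:
    """One traffic regulation policy. Field names are this example's, not IDS's."""
    name: str
    kind: str                # event class: "tcp_connect", "udp_error" or "tls_handshake_fail"
    network: str             # CIDR range of remote addresses the policy covers
    ports: tuple             # inclusive (low, high) range of local ports
    threshold: int           # matching events tolerated per window before an event is raised
    window: float            # sliding window length in seconds
    throttle: bool = False   # refuse matching connections while the threshold is exceeded
    times: deque = field(default_factory=deque, init=False, repr=False)
    tripped: bool = field(default=False, init=False, repr=False)

    def matches(self, ev):
        return (ev["kind"] == self.kind
                and ip_address(ev["src"]) in ip_network(self.network)
                and self.ports[0] <= ev["port"] <= self.ports[1])

    def record(self, now):
        """Add one matching event at time `now`; return how many fall inside the window."""
        while self.times and now - self.times[0] > self.window:
            self.times.popleft()          # expire timestamps older than the window
        self.times.append(now)
        return len(self.times)


class TrafficRegulator:
    def __init__(self, policies):
        self.policies = policies
        self.events = []                  # raised regulation events: (policy, time, count)

    def observe(self, ev):
        """Feed one network event; return "permit" or "throttled"."""
        verdict = "permit"
        for p in self.policies:
            if not p.matches(ev):
                continue
            n = p.record(ev["t"])
            if n > p.threshold:
                if not p.tripped:         # one event per threshold crossing, not one per packet
                    p.tripped = True
                    self.events.append((p.name, ev["t"], n))
                if p.throttle:
                    verdict = "throttled"  # connection refused before any handshake runs
            else:
                p.tripped = False         # enough entries expired; arm the policy again
        return verdict


def make_policies():
    # Hypothetical policies: 4 failed TLS handshakes per minute from 203.0.113.0/24 on 443,
    # with throttling; 2 UDP errors per minute from 198.51.100.0/24 on 514, alert only.
    return [
        Policy("tls-fail-443", "tls_handshake_fail", "203.0.113.0/24", (443, 443),
               threshold=4, window=60.0, throttle=True),
        Policy("udp-err-syslog", "udp_error", "198.51.100.0/24", (514, 514),
               threshold=2, window=60.0, throttle=False),
    ]


def ev(t, kind, src, port):
    return {"t": t, "kind": kind, "src": src, "port": port}


# Constructed sample traffic, not captured data: 203.0.113.7 hammers TLS on port 443,
# 198.51.100.20 fails one handshake and then produces a burst of UDP errors.
SAMPLE_EVENTS = [
    ev(0.0, "tls_handshake_fail", "203.0.113.7", 443),
    ev(1.0, "tls_handshake_fail", "203.0.113.7", 443),
    ev(2.0, "tls_handshake_fail", "203.0.113.7", 443),
    ev(3.0, "tls_handshake_fail", "203.0.113.7", 443),
    ev(3.5, "tls_handshake_fail", "198.51.100.20", 443),   # outside the TLS policy's range
    ev(4.0, "tls_handshake_fail", "203.0.113.7", 443),     # 5th in 60 s: event, throttled
    ev(5.0, "tls_handshake_fail", "203.0.113.7", 443),     # still over threshold: throttled
    ev(6.0, "udp_error", "198.51.100.20", 514),
    ev(6.1, "udp_error", "198.51.100.20", 514),
    ev(6.2, "udp_error", "198.51.100.20", 514),            # 3rd in 60 s: event, no throttle
    ev(120.0, "tls_handshake_fail", "203.0.113.7", 443),   # window expired: permitted again
]


def run_sample():
    """Return (verdict per sample event, regulation events raised)."""
    reg = TrafficRegulator(make_policies())
    verdicts = [reg.observe(e) for e in SAMPLE_EVENTS]
    return verdicts, reg.events


if __name__ == "__main__":
    verdicts, raised = run_sample()
    for e, v in zip(SAMPLE_EVENTS, verdicts):
        print(f"t={e['t']:6.1f} {e['kind']:<18} {e['src']:<14} -> {v}")
    for name, t, n in raised:
        print(f"regulation event: policy {name} exceeded at t={t} (count {n})")
```

In this model the counter belongs to the policy, not to each source address: had the TLS policy been scoped to 0.0.0.0/0 instead of 203.0.113.0/24, the legitimate client's single failure at t=3.5 would have been the fifth event in the window and would itself have been throttled. That is the situation described above where normal traffic trips a policy, and the remedy is the same: narrow the address and port range or raise the threshold. The final event at t=120 shows the other side of the window: once the old timestamps expire the policy re-arms and the next failure is permitted and counted afresh.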