Variable dynamic throttling

You can specify variable dynamic throttling in each intrusion detection (IDS) policy. If an enabled IDS policy has throttling specified, throttling occurs after a suspected intrusion or extrusion has occurred and certain thresholds have been reached. Variable dynamic throttling starts discarding packets when a threshold has been exceeded within a given statistics or scan interval.

Consider using variable dynamic throttling when a specific intrusion detection policy is generating a large number of intrusion events, to prevent the system from being overloaded by what might be a denial-of-service (DoS) attack.

If you specify variable dynamic throttling for an IDS policy, throttling applies to all IP addresses in that policy. To avoid blocking valid connections to your system, you should not specify variable dynamic throttling before you see a number of intrusion events from a given IP address. You should only specify variable dynamic throttling on a single suspicious address or a limited range of IP addresses.

After you see a number of intrusion events from a given IP address, you can compose an IDS policy that specifies variable dynamic throttling for that IP address. In the policy, you specify that throttling should be activated when the thresholds that you specified in the policy have been exceeded. This minimizes the possibility that throttling would block valid connections and maximizes its effect on potential intruders.

After the Maximum number of events to log threshold is reached within the interval, variable dynamic throttling begins. If scans continue to be a problem, throttling continues through the next interval.

IDS throttling is both variable and dynamic. Throttling is dynamic in that it goes into effect as soon as a threshold is exceeded. Throttling is variable in that the rate of dropping packets increases as thresholds continue to be exceeded in successive intervals.

For example, if you throttle at 100%, which is the default value, all of the packets that conform to the policy port and IP address ranges are allowed through until a threshold is exceeded twice in a row. In all cases, when a threshold has been exceeded during a throttled interval, the throttling rate is automatically decremented by 10%. If you throttle at 100%, a second throttled interval allows only 9 out of 10 packets through. If you throttle at 50%, 1 out of every 2 packets within the interval is discarded. If you throttle at 0%, all packets are discarded for the throttled interval.

If you specified throttling in your IDS policy, it starts automatically when a threshold is exceeded and gets decremented by 10% for each successive throttled interval. You can use throttling with both intrusions and extrusions.
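The following simulator is an added example, not IBM's code, that models the rate schedule described above (activation on the first interval over threshold, pass-through at the configured rate, then a 10% decrement for each successive throttled interval) so you can predict how much traffic a given policy setting will drop before enabling it. It assumes a deterministic drop pattern (1 of 2 at 50%, 9 of 10 at 90%), that the event count is taken over every packet that matches the policy in an interval, that the threshold counts as exceeded when the count is strictly greater than the configured maximum, and that a quiet interval (count at or below the threshold) ends throttling and resets the rate; the page does not spell out those last three points, so treat them as assumptions. The sample interval counts are constructed.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class ThrottlePolicy:
    """The throttling-relevant fields of an IDS policy (names are illustrative)."""
    max_events_per_interval: int   # "Maximum number of events to log" threshold
    throttle_rate: int = 100       # starting rate in percent; 100 passes everything
    decrement: int = 10            # subtracted for each successive throttled interval


@dataclass
class IntervalResult:
    received: int        # packets matching the policy during the interval
    rate_applied: int    # percent of packets allowed through in this interval
    allowed: int         # packets actually passed
    exceeded: bool       # whether the interval pushed past the threshold


def packet_allowed(k: int, rate: int) -> bool:
    """Deterministic throttle decision for the k-th packet (1-based) at `rate` percent.

    Passes packet k exactly when floor(k*rate/100) increases, which yields
    9 of 10 at 90%, 1 of 2 at 50%, all at 100% and none at 0%.
    """
    return (k * rate) // 100 > ((k - 1) * rate) // 100


def simulate(policy: ThrottlePolicy, interval_counts: List[int]) -> List[IntervalResult]:
    """Run the variable dynamic throttling schedule over per-interval packet counts.

    Assumption: throttling is only applied while active, begins in the interval
    after the threshold is first exceeded, decrements by `policy.decrement` for
    each further exceeded interval, and resets when an interval stays at or
    below the threshold.
    """
    active = False
    rate = policy.throttle_rate
    results = []
    for n in interval_counts:
        rate_applied = rate if active else 100
        allowed = sum(1 for k in range(1, n + 1) if packet_allowed(k, rate_applied))
        exceeded = n > policy.max_events_per_interval  # assumption: strictly greater
        results.append(IntervalResult(n, rate_applied, allowed, exceeded))
        if exceeded:
            if active:
                # "decremented by 10% for each successive throttled interval"
                rate = max(0, rate - policy.decrement)
            else:
                # first exceeded interval: throttling starts at the configured rate
                active = True
                rate = policy.throttle_rate
        else:
            # scans stopped being a problem: stop throttling and restore the rate
            active = False
            rate = policy.throttle_rate
    return results


def allowed_per_interval(policy: ThrottlePolicy, interval_counts: List[int]) -> List[int]:
    return [r.allowed for r in simulate(policy, interval_counts)]


def rates_per_interval(policy: ThrottlePolicy, interval_counts: List[int]) -> List[int]:
    return [r.rate_applied for r in simulate(policy, interval_counts)]


if __name__ == "__main__":
    # Constructed sample: a scanner sends 10 matching packets per interval,
    # pauses for one interval, then resumes. Threshold is 5 events.
    policy = ThrottlePolicy(max_events_per_interval=5)
    for i, r in enumerate(simulate(policy, [10, 10, 10, 10, 2, 10, 10]), start=1):
        print(f"interval {i}: received={r.received:2d} rate={r.rate_applied:3d}% "
              f"allowed={r.allowed:2d} exceeded={r.exceeded}")
```

With the default 100% starting rate, packets only begin to be discarded in the third interval, matching the page's statement that nothing is dropped until the threshold is exceeded twice in a row; starting at 50% or 0% makes the first throttled interval itself drop half or all of the matching packets, which is why a low starting rate belongs only on a narrow, already-suspicious address range.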