Example: Variable dynamic throttling for scan events
This is an example of how to set variable dynamic throttling for a scan policy. If your system is being attacked, you can set up throttling to limit or deny intrusions.
Throttling allows you to discard packets when the intrusion threshold has been exceeded within a scan interval. Throttling automatically starts when the intrusion threshold is exceeded. The throttling rate automatically decrements by 10% for each successive throttled interval, which means that 10% more packets are discarded in each successive throttled interval. You can use throttling with both intrusions and extrusions. In this example, the scan policy detects the following conditions:
- A connection attempt is made to nonlistening ports 26 to 136 from remote IP addresses in the range of 9.0.0.0 to 9.255.255.255.
- Fast scans occur at a rate of five for a 1-minute interval, or slow scans occur at a rate of 10 for an interval of 120 minutes.
Set throttling on the Advanced tab in IDS Policy Properties. If throttling is active and taking place at the rate of 50 percent, the first packet in the scan interval is discarded, and the second packet is allowed through. Throttling begins once the fast scan or slow scan threshold is exceeded. A threshold violation occurs when the number of scans received during a user-defined fast scan interval exceeds the fast scan threshold, or when the number of slow scans received during a user-defined slow scan interval exceeds the slow scan threshold.
If thresholds are not exceeded during a throttled interval, throttling is active for only that interval. In this example, if the slow scan threshold is exceeded, throttling is in effect for at least 120 minutes. If the threshold is exceeded again during a throttled interval, the throttle rate is decremented by 10%, down to a minimum of 0%, at which point all packets are discarded for that interval. Throttling is deactivated only when thresholds are not exceeded during a time interval.
A throttling value of 100% allows all packets through, while a throttling value of 0% stops all packets from coming through. If you want to totally shut down the source of an attack, you would set throttling to 0%.
| Setting | Value |
|---|---|
| Policy name | Scan_policy2 |
| Policy type | Scan |
| Fast scan interval | 1 minute |
| Fast scan threshold | 5 |
| Slow scan interval | 120 minutes |
| Slow scan threshold | 10 |
| Local IP addresses | All IP addresses |
| Local ports | All ports |
| Remote IP addresses | 9.0.0.0 to 9.255.255.255 |
| Remote ports | 26 to 136 |
| Maximum event messages | 5 |
| Throttling | 50% |
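The following Python model is an added illustration of the throttling behaviour described above; it is not IBM code and does not reproduce the IDS implementation. It assumes a single threshold and interval (the fast scan threshold of 5 per 1-minute interval from the table), a starting throttle rate of 50%, and a 10% decrement per successive throttled interval. The packet-admission rule (`admit`) is a constructed approximation chosen so that at 50% the first packet in an interval is discarded and the second is allowed, as the text states; the scan counts per interval are constructed sample input.

```python
from dataclasses import dataclass


@dataclass
class ScanPolicy:
    """Subset of the Scan_policy2 settings relevant to throttling (assumed model)."""
    threshold: int          # scans per interval that may occur before a violation (5 in the table)
    throttle_percent: int   # starting throttle rate, percent of packets allowed (50 in the table)
    step: int = 10          # decrement applied for each successive throttled interval


@dataclass
class ThrottleState:
    active: bool = False
    rate: int = 100         # 100% = all packets pass, 0% = all packets discarded


def admit(rate_percent: int, n: int) -> bool:
    """Return True if the n-th packet (1-based) of a throttled interval is allowed through.

    Constructed rule: packet n passes when the running quota n*rate/100 crosses a
    whole number. At 50% this discards packet 1 and admits packet 2, matching the page;
    at 100% every packet passes and at 0% none does.
    """
    return (n * rate_percent) // 100 > ((n - 1) * rate_percent) // 100


def simulate(policy: ScanPolicy, scans_per_interval: list[int]) -> list[tuple[bool, int, int]]:
    """Walk a sequence of scan intervals and report, per interval,
    (throttling active, effective rate %, packets allowed through).

    State transitions follow the text: throttling starts in the interval after the
    threshold is exceeded, decrements by `step` for every further interval in which the
    threshold is exceeded (floor 0%), and is deactivated after an interval in which the
    threshold is not exceeded.
    """
    state = ThrottleState()
    results = []
    for scans in scans_per_interval:
        allowed = sum(
            1 for n in range(1, scans + 1) if not state.active or admit(state.rate, n)
        )
        results.append((state.active, state.rate if state.active else 100, allowed))

        exceeded = scans > policy.threshold
        if exceeded and state.active:
            state.rate = max(0, state.rate - policy.step)   # one more throttled interval
        elif exceeded:
            state.active = True                              # first violation: start throttling
            state.rate = policy.throttle_percent
        else:
            state.active = False                             # quiet interval: throttling ends
            state.rate = 100
    return results


if __name__ == "__main__":
    policy = ScanPolicy(threshold=5, throttle_percent=50)
    # Constructed sample: three noisy minutes, two quiet ones, then a new burst.
    for i, row in enumerate(simulate(policy, [6, 6, 6, 3, 2, 8]), start=1):
        active, rate, allowed = row
        print(f"interval {i}: throttling={'on' if active else 'off'} rate={rate}% allowed={allowed}")
```

The model makes the two properties of the text visible: a single quiet interval clears throttling even after several violations, and a sustained scan drives the rate from 50% down to 0%, at which point every packet in the interval is discarded.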