Example: Variable dynamic throttling for scan events

This is an example of how to set variable dynamic throttling for a scan policy. If your system is being attacked, you can set up throttling to limit or deny intrusions.

Throttling allows you to discard packets when the intrusion threshold has been exceeded within a scan interval. Throttling automatically starts when the intrusion threshold is exceeded. The throttling rate automatically decrements by 10% for each successive throttled interval. This means that 10% more packets are discarded in each successive throttled interval. You can use throttling with both intrusions and extrusions.

In this example, the IDS scan policy signals a scan event if the following conditions are met:
  • A connection attempt is made to nonlistening ports 26 to 136 from remote IP addresses in the range of 9.0.0.0 to 9.255.255.255.
  • Fast scans occur at a rate of five within a 1-minute interval, or slow scans occur at a rate of 10 within a 120-minute interval.

Set throttling on the Advanced tab in IDS Policy Properties. If throttling is active at a rate of 50%, the first packet in the scan interval is discarded and the second packet is allowed through. Throttling begins once the fast scan or slow scan threshold is exceeded. A threshold violation occurs when the number of scans received during a user-defined fast scan interval exceeds the fast scan threshold, or when the number of slow scans received during a user-defined slow scan interval exceeds the slow scan threshold.

If thresholds are not exceeded during a throttled interval, throttling remains active only for that interval. In this example, if the slow scan threshold is exceeded, throttling is in effect for at least 120 minutes. If the threshold is exceeded during a throttled interval, the throttle rate is decremented by 10%, to a minimum of 0%, at which point all packets are discarded for that interval. Throttling is deactivated only when thresholds are not exceeded during a time interval.

A throttling value of 100% allows all packets through, while a throttling value of 0% stops all packets from coming through. If you want to totally shut down the source of an attack, you would set throttling to 0%.

Table 1. Variable dynamic throttling for scan events

Setting                  Value
-----------------------  ---------------------------
Policy name              Scan_policy2
Policy type              Scan
Fast scan interval       1 minute
Fast scan threshold      5
Slow scan interval       120 minutes
Slow scan threshold      10
Local IP addresses       All IP addresses
Local ports              All ports
Remote IP addresses      9.0.0.0 to 9.255.255.255
Remote ports             26 to 136
Maximum event messages   5
Throttling               50%
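The following simulation is an added example and not IBM code; it models the throttling behaviour described above so you can see how the rate evolves over successive intervals. It assumes one scan threshold per run (the fast scan threshold of 5 from Table 1; the slow scan window works the same way over its own 120-minute interval), abstracts the interval length away by taking the number of scan attempts seen per interval as input, and admits packets deterministically in proportion to the throttle rate, so that at 50% the first packet is discarded and the second allowed, as the text states. The interval counts fed to it are constructed sample data.

```python
"""Simulation of IDS variable dynamic throttling for scan events.

Added example (not IBM code). Models the rules given on the page:
  - throttling starts as soon as the scan threshold is exceeded;
  - the initial rate is the configured throttling value (Table 1: 50%);
  - if the threshold is exceeded again during a throttled interval,
    the rate drops by 10% for the next interval, to a floor of 0%;
  - throttling stops after an interval in which the threshold was not exceeded.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ThrottlePolicy:
    scan_threshold: int = 5      # Table 1: fast scan threshold, 5 per 1-minute interval
    initial_rate_pct: int = 50   # Table 1: Throttling 50%
    step_pct: int = 10           # fixed by the mechanism: 10% less per throttled interval


@dataclass
class IntervalResult:
    received: int
    allowed: int
    discarded: int
    rate_pct_at_start: Optional[int]   # None when throttling was inactive at interval start
    rate_pct_after: Optional[int]      # rate carried into the next interval, None if inactive


class ThrottleSimulator:
    def __init__(self, policy: ThrottlePolicy):
        self.policy = policy
        self.active = False
        self.rate_pct = 100   # 100% = every packet passes
        self.credit = 0       # admission credit, in percent, reset each interval

    def _admit(self) -> bool:
        # Proportional admission: each packet earns rate_pct credit and is
        # allowed through once the credit reaches 100. At 50% this discards the
        # first packet and allows the second; at 0% nothing is ever allowed.
        self.credit += self.rate_pct
        if self.credit >= 100:
            self.credit -= 100
            return True
        return False

    def run_interval(self, received: int) -> IntervalResult:
        throttled_at_start = self.active
        rate_at_start = self.rate_pct if self.active else None
        self.credit = 0
        allowed = 0
        for n in range(1, received + 1):
            if not self.active and n > self.policy.scan_threshold:
                # threshold exceeded: throttling begins immediately at the configured rate
                self.active = True
                self.rate_pct = self.policy.initial_rate_pct
            if self.active:
                if self._admit():
                    allowed += 1
            else:
                allowed += 1
        exceeded = received > self.policy.scan_threshold
        if self.active:
            if not exceeded:
                # quiet throttled interval: throttling ends with this interval
                self.active = False
                self.rate_pct = 100
            elif throttled_at_start:
                # exceeded again while already throttled: tighten by 10%, floor at 0%
                self.rate_pct = max(0, self.rate_pct - self.policy.step_pct)
        rate_after = self.rate_pct if self.active else None
        return IntervalResult(received, allowed, received - allowed, rate_at_start, rate_after)


def simulate(policy: ThrottlePolicy, attempts_per_interval: List[int]) -> List[IntervalResult]:
    """Run one interval per entry and return the per-interval outcomes."""
    sim = ThrottleSimulator(policy)
    return [sim.run_interval(count) for count in attempts_per_interval]


if __name__ == "__main__":
    # Constructed sample: two noisy minutes, then the scanner backs off.
    for i, r in enumerate(simulate(ThrottlePolicy(), [8, 8, 3, 2]), start=1):
        print(f"interval {i}: received={r.received} allowed={r.allowed} "
              f"discarded={r.discarded} rate_at_start={r.rate_pct_at_start} "
              f"rate_after={r.rate_pct_after}")
```

In the sample run the first interval passes its first five attempts untouched, starts throttling at 50% on the sixth, and the second interval, already throttled, exceeds the threshold again and pushes the rate to 40%; the third interval stays under the threshold, so throttling is active only for that interval and the fourth interval passes everything. Feeding a sustained stream of over-threshold intervals shows the rate stepping 50, 40, 30, 20, 10, 0 and then holding at 0%, where every packet from the flagged range is discarded.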