
May/Jun 2006

"Leading Edge Technologies for the Trading Environment"


TICKER Magazine
A Technology Magazine For Industry Professionals

Virus Throttling: Zero-Day Response

By Paul Sorge

Computer virus epidemics are only getting worse. In 2003 the SQL Slammer worm infected roughly 75,000 hosts in about ten minutes, making it the fastest-spreading worm seen to that point, and caused major network disruptions worldwide. Nimda, Blaster, Code Red, Sasser and Welchia remain continual threats as well. Today, computer users are directly threatened by more than 97,000 viruses, worms, and Trojan horses.

The Limitations of Current Responses

The latency between the introduction of a new virus or worm into a network and the creation and distribution of a signature or patch for it can be significant. Within this window, a network can be crippled by the abnormally high rate of traffic generated by infected hosts. As long as attacks occur at "machine speed" and responses are implemented at "human speed," computers are essentially defenseless against new threats. As systems get bigger and more complex, so does the problem of addressing new threats.

Rather than replacing current signature-and-patch-based protections, virus throttling complements them by allowing computers and humans to each do what they do best: computers can respond far more quickly than people, but are poor at gauging the nature of a previously unknown threat. Humans are good at making such decisions, but are slow by machine standards.

Virus-Throttling: What it is

The idea behind the virus throttle is to put a rate limit on connections to new computers, such that normal traffic remains unaffected but suspect traffic that attempts to spread faster than the allowed rate will be slowed. This creates large backlogs of connection requests that can be easily detected.

This approach differs from signature-and-patch approaches in three key ways:

  • It focuses on the network behavior of the virus and prevents a specific type of behavior: the attempted creation of a large number of outgoing connections per second to destinations the host has not contacted recently.
  • Instead of stopping a virus from entering a system, it restricts infected code's attempts to spread out of the system to other hosts.
  • Because connections over the allowed rate are delayed or blocked only for a configurable period, a false positive costs a legitimate host a short delay rather than a loss of connectivity, so the system tolerates false positives and is therefore robust in practice.

How it Works

Virus throttling works by intercepting IP-routed connection requests, that is, connections crossing VLAN boundaries, in which the source subnet and destination subnet are different. This applies to most common layer 4-7 session and application protocols, including TCP connections, UDP packets, SMTP, IMAP, Web proxy, HTTP, SSL, and DNS: virtually any protocol where the normal traffic does not look like a virus spreading. For virus throttling to work, IP routing and multiple VLANs with member ports must first be configured. The virus throttle tracks, per source host, the destinations to which connections were recently made. If a new, intercepted request is to a destination to which a connection was recently made, the request is processed as normal. A request to a destination not seen recently is counted against the host's allowed rate of new connections: if the host is already at that rate, the request is queued and released only as the rate permits. A host that attempts to spread to many new destinations per second therefore builds up a backlog of pending requests, and the size of that backlog is what the throttle uses to recognize and report suspect behavior.
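The following is an added example, not HP ProCurve's code: a small Python model of the per-host throttle described above, replayed over a constructed traffic sample (a normal workstation that talks to the same three servers every second, and a host scanning a neighbouring subnet). The working-set size, the rate of one new destination per second, the backlog threshold, the block duration and the host and address names are illustrative assumptions, not the switch's defaults.

```python
from collections import deque

# Added example (not HP ProCurve's code). All parameters below are illustrative
# assumptions chosen for the demonstration, not ProCurve defaults.


class VirusThrottle:
    """Rate-limits one host's connections to destinations it has not contacted recently."""

    def __init__(self, working_set_size=5, rate_per_second=1, max_backlog=50,
                 block_seconds=60, action="block"):
        self.working_set = deque(maxlen=working_set_size)  # recently contacted destinations
        self.delay_queue = deque()                          # pending requests to new destinations
        self.rate = rate_per_second                         # new destinations released per tick
        self.max_backlog = max_backlog                      # backlog depth that marks a suspect host
        self.block_seconds = block_seconds                  # configurable penalty period
        self.action = action                                # "block" or "notify" (alert only)
        self.block_remaining = 0
        self.alerts = 0

    def request(self, dst):
        """Classify one outgoing connection request as 'pass', 'queued' or 'blocked'."""
        if dst in self.working_set:
            return "pass"                 # normal traffic: a recently used destination
        if self.block_remaining > 0:
            return "blocked"              # host is inside its penalty period
        if dst in self.delay_queue:
            return "queued"               # already waiting; do not grow the backlog twice
        if len(self.delay_queue) >= self.max_backlog:
            self.alerts += 1              # backlog too deep: behaviour of a spreading worm
            if self.action == "block":
                self.block_remaining = self.block_seconds
                return "blocked"
        self.delay_queue.append(dst)
        return "queued"

    def tick(self):
        """Once per second: release up to `rate` queued requests and count down any block."""
        if self.block_remaining > 0:
            self.block_remaining -= 1
        released = []
        for _ in range(self.rate):
            if not self.delay_queue:
                break
            dst = self.delay_queue.popleft()
            self.working_set.append(dst)  # becomes a "recent" destination for later requests
            released.append(dst)
        return released


def simulate(events, seconds, **throttle_kwargs):
    """Replay (second, src, dst) connection attempts with one throttle per source host."""
    throttles, stats = {}, {}
    for t in range(seconds):
        for sec, src, dst in events:
            if sec != t:
                continue
            th = throttles.setdefault(src, VirusThrottle(**throttle_kwargs))
            st = stats.setdefault(src, {"pass": 0, "queued": 0, "blocked": 0,
                                        "max_backlog": 0, "alerts": 0})
            st[th.request(dst)] += 1
            st["max_backlog"] = max(st["max_backlog"], len(th.delay_queue))
            st["alerts"] = th.alerts
        for th in throttles.values():
            th.tick()
    return stats


def constructed_traffic():
    """Constructed sample traffic (not captured data): one normal host, one scanning host."""
    events = []
    servers = ["10.0.1.10", "10.0.1.20", "10.0.1.30"]       # file, mail and proxy servers
    for t in range(10):
        events += [(t, "workstation", s) for s in servers]
    events.append((5, "workstation", "10.0.2.5"))            # one genuinely new peer
    # Worm-like host: 60 never-before-seen destinations per second on the next subnet.
    for t in range(2):
        events += [(t, "infected", f"10.0.3.{i}") for i in range(1 + 60 * t, 61 + 60 * t)]
    return events


if __name__ == "__main__":
    for host, st in simulate(constructed_traffic(), seconds=10).items():
        print(host, st)
```

The workstation pays a one-second delay the first time it reaches each server and is then never touched again, while the scanning host fills its backlog within the first second and is blocked; running with `action="notify"` instead keeps queuing its requests and only raises alerts, which is the "merely notify administrators" mode the article describes.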

System administrators can configure this technology to throttle or completely block suspect traffic, or merely to notify administrators of potential threats. By slowing or blocking suspect traffic until administrators have time to act, connection-rate filtering adds a crucial tool to the defenses of today's networks.

For more information, contact Paul Sorge - HP ProCurve Networking Sales rep at 631-755-3147 or go to www.procurve.com.
