Threshold Filters: Statistical Anomaly Control

Threshold filters, such as statistical anomaly filters, examine information aggregated across many flows, rather than a single packet or session, to detect abnormal traffic conditions. Because they key on traffic volume and pattern rather than on a signature, threshold filters can detect reconnaissance, distributed denial of service attacks, and previously unknown attack types that produce unusual traffic patterns.

TippingPoint Intrusion Prevention Systems and Threshold Filters

TippingPoint Intrusion Prevention System threshold filters establish a baseline of "normal" traffic levels by monitoring network traffic for a specified number of hours or days. Each threshold filter is configured to take a specified action when traffic rises above or drops below a threshold expressed relative to that baseline. For maximum flexibility, four thresholds are available: a "minor" and a "major" threshold above normal, and a "minor" and a "major" threshold below normal. Thresholds below normal are useful for catching the sudden absence of traffic that a link or service failure produces. Because the baseline is learned from observed traffic, the learning period should cover a representative span of the network's activity (for example, full business days rather than a quiet weekend), and the baseline should be re-learned when the network changes; a baseline learned while an attack or outage is in progress would treat that condition as normal.

For example, suppose the normal level of ICMP traffic is 2 Mbps. An administrator could configure two thresholds: one to send an e-mail to the administrator's pager when ICMP traffic rises to 200% of the normal level (4 Mbps), and another to rate shape the traffic when it rises to 350% of normal (7 Mbps). The graph below shows the effect of the TippingPoint IPS when ICMP traffic begins to rise.

(Graph: Threshold Filters)
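The following is an added example written for this page to illustrate the baseline-and-threshold mechanism described above; it is not TippingPoint's implementation. The 200% and 350% thresholds and their actions (alert, rate shape) follow the ICMP example in the text. The baseline method (the mean of a training window of samples), the training-window length, and the two below-normal thresholds (50% minor, 20% major) with their actions are assumptions chosen for illustration, as are the constructed traffic samples.

```python
"""Toy baseline-plus-threshold anomaly filter.

Added example, not TippingPoint code. The baseline is the mean of the
training-window samples (the page does not describe the product's own
baselining method). The two "above normal" thresholds mirror the ICMP
example in the text; the two "below normal" thresholds are assumed.
"""
from dataclasses import dataclass
from statistics import mean
from typing import List, Optional, Tuple


@dataclass
class Threshold:
    name: str       # e.g. "major_above"
    percent: float  # percent of baseline; 350 means 3.5x the baseline
    action: str     # action taken when crossed, e.g. "rate_shape"


class ThresholdFilter:
    """Learns a baseline from the first N samples, then grades each sample."""

    def __init__(self, training_samples: int):
        self.training_samples = training_samples
        self._training: List[float] = []
        self.baseline: Optional[float] = None
        self.thresholds: List[Threshold] = []

    def add_threshold(self, name: str, percent: float, action: str) -> None:
        self.thresholds.append(Threshold(name, percent, action))

    def observe(self, rate_mbps: float) -> Optional[Tuple[str, str]]:
        """Feed one traffic sample (e.g. ICMP Mbps for one interval).

        During the training window the sample only contributes to the
        baseline and nothing fires. Afterwards, return (threshold_name,
        action) for the most severe threshold crossed, or None when the
        sample is within normal bounds.
        """
        if self.baseline is None:
            self._training.append(rate_mbps)
            if len(self._training) >= self.training_samples:
                self.baseline = mean(self._training)
            return None
        pct = 100.0 * rate_mbps / self.baseline
        above = [t for t in self.thresholds if t.percent > 100 and pct >= t.percent]
        below = [t for t in self.thresholds if t.percent < 100 and pct <= t.percent]
        if above:
            worst = max(above, key=lambda t: t.percent)  # major outranks minor
            return (worst.name, worst.action)
        if below:
            worst = min(below, key=lambda t: t.percent)  # major outranks minor
            return (worst.name, worst.action)
        return None


def run_icmp_scenario():
    """Replay the text's ICMP example on constructed samples.

    Returns the trained filter and the per-sample results for the replay.
    """
    f = ThresholdFilter(training_samples=6)
    f.add_threshold("minor_above", 200, "alert")       # 4 Mbps: page the admin
    f.add_threshold("major_above", 350, "rate_shape")  # 7 Mbps: throttle ICMP
    f.add_threshold("minor_below", 50, "alert")        # assumed value
    f.add_threshold("major_below", 20, "page")         # assumed value

    # Constructed training samples (Mbps) around the 2 Mbps normal level.
    for sample in (1.75, 2.25, 2.0, 2.0, 1.5, 2.5):
        f.observe(sample)

    # Constructed replay: ICMP ramps up, then collapses.
    replay = [2.0, 3.0, 4.0, 7.0, 0.8, 0.2]
    results = [f.observe(s) for s in replay]
    return f, results


if __name__ == "__main__":
    trained, outcomes = run_icmp_scenario()
    print(f"baseline = {trained.baseline} Mbps")
    for sample, outcome in zip([2.0, 3.0, 4.0, 7.0, 0.8, 0.2], outcomes):
        print(f"{sample:4.1f} Mbps -> {outcome}")
```

Only the most severe crossed threshold is reported per sample, so a sample at 350% of baseline returns the rate-shape action rather than both the alert and the rate-shape action; a deployment that wants both would fire every crossed threshold instead.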

TippingPoint Technologies’ Threshold Filters Real Case Scenario

Real Case Scenario: The Nachi worm brought core routers to their knees by flooding the network with ICMP traffic. During a routine sales call, TippingPoint Technologies was called into an emergency meeting with the CSO and asked to install an evaluation unit on the customer's network, because the network was crashing every 30 minutes due to excessive CPU load (over 95%) on the router. Immediately after the TippingPoint IPS was installed on the customer's network, the CPU utilization of the router dropped to 3% and network stability was restored.