Threshold Filters: Statistical Anomaly Control
Statistical anomaly filters examine multi-flow information to detect abnormal traffic conditions. These filters can detect reconnaissance and distributed denial of service attacks, as well as unknown attack types that produce unusual traffic patterns.

TippingPoint threshold filters establish a baseline of "normal" traffic levels by monitoring network traffic for a specified number of hours or days. Threshold filters are then configured to take specified actions when the traffic rises above or drops below a threshold. For maximum flexibility, four thresholds are available: "minor" and "major" thresholds, each either above or below normal.

For example, suppose the normal level of ICMP traffic is 2 Mbps. An administrator could configure two thresholds: one to send an e-mail to the administrator's pager when ICMP traffic rises to 200% of the normal level, and another to rate shape the traffic when it rises to 350% of normal. The graph below shows the effect of the TippingPoint IPS when ICMP traffic begins to rise.
Real Case Scenario: The Nachi worm brought core routers to their knees by flooding the network with ICMP traffic. During a routine sales call, TippingPoint was called into an emergency meeting with the CSO and asked to install an evaluation unit in a customer's network because the network was crashing every 30 minutes due to excessive CPU load (>95%) on the router. Immediately after the TippingPoint IPS was installed on the customer's network, the CPU utilization of the router dropped to 3% and network stability was restored.
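The ICMP thresholds described above can be modelled in a few lines. This is an added sketch, not TippingPoint's implementation. It assumes the baseline is the mean of the learning window and that shaped traffic is capped at the threshold level. The action labels, the two "below" thresholds and all sample rates are constructed.

```python
from dataclasses import dataclass
from statistics import mean

@dataclass(frozen=True)
class Threshold:
    percent: float   # level as a percentage of the learned baseline
    above: bool      # True: fires when traffic rises to it; False: when it drops to it
    severity: str    # "minor" or "major"
    action: str      # hypothetical action label

def learn_baseline(samples_mbps):
    """Baseline as the mean of the learning window (a modelling assumption)."""
    if not samples_mbps or mean(samples_mbps) <= 0:
        raise ValueError("learning window must contain non-zero traffic")
    return mean(samples_mbps)

def evaluate(rate_mbps, baseline_mbps, thresholds):
    """Return the crossed threshold farthest from normal, or None."""
    pct = 100.0 * rate_mbps / baseline_mbps
    crossed = [t for t in thresholds
               if (pct >= t.percent if t.above else pct <= t.percent)]
    return max(crossed, key=lambda t: abs(t.percent - 100.0), default=None)

def apply_filter(rate_mbps, baseline_mbps, thresholds):
    """Return (action, forwarded_mbps) for one measurement interval."""
    hit = evaluate(rate_mbps, baseline_mbps, thresholds)
    if hit is None:
        return "permit", rate_mbps
    if hit.action == "rate_shape":
        # Assumption: shaped traffic is capped at the threshold level itself.
        return hit.action, min(rate_mbps, baseline_mbps * hit.percent / 100.0)
    return hit.action, rate_mbps

# The page's ICMP example; the two "below" thresholds are constructed values.
ICMP_THRESHOLDS = [
    Threshold(200.0, True, "minor", "notify"),
    Threshold(350.0, True, "major", "rate_shape"),
    Threshold(50.0, False, "minor", "notify"),
    Threshold(10.0, False, "major", "notify"),
]

if __name__ == "__main__":
    baseline = learn_baseline([1.9, 2.1, 2.0, 2.0])  # constructed samples, ~2 Mbps
    for rate in [2.0, 3.5, 4.2, 7.5, 12.0, 0.1]:     # constructed rates
        print(rate, apply_filter(rate, baseline, ICMP_THRESHOLDS))
```

When several thresholds are crossed at once, the one farthest from normal wins, so a flood at 600% of baseline is rate shaped rather than only reported.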
©2008 TippingPoint Technologies, Inc. All rights reserved.