Article ID: 5289
Flow Setup Throttling
Flow Setup Throttling (FST) is a software feature which increases network security and reliability.
The FST processes are controlled and monitored by means of the enterasys-flow-limiting-mib.
Denial of Service (DoS) attacks on the network generate a large amount of traffic in a very short period of time, which blocks the normal enterprise traffic. Uncontrolled, Denial of Service (DoS) attacks can essentially paralyze the entire enterprise network in a matter of minutes.
Flow Setup Throttling directly combats the effects of Denial of Service (DoS) attacks by allowing the network administrator to limit the number of new or established flows that can be programmed on any individual switch port. This is achieved by monitoring the new flow arrival rate, by controlling the maximum number of allowable flows, or both. Flow Setup Throttling is a proactive software feature designed to mitigate Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks before a virus or worm can wreak havoc on the network. This feature, combined with other Enterasys Networks tools, can clearly slow down and even stop viruses before the network pipe is saturated. Enterasys Networks not only preserves critical network bandwidth, but alleviates some of the burdensome activities associated with repairing stations. Network administrators are now empowered through the use of the NetSight Atlas network management platform to define and control an acceptable use policy for individuals or groups of stations on their network.
FST is supported in the following products, with characteristics as stated.
Product          Minimum f/w   Flow Timeout default (sec)   Gen Not   Drp Exc   Crt Dsc   Dis Int   Rte Act
Matrix E1        3.02.08       30 (variable)                Y         N         Y         Y         N
E7 2nd/3rd Gen   5.07.11       300 (=SAT Age)               Y         Y         Y         Y         Y
Matrix-N DFE     4.00.50       40 (fixed)                   Y         N         Y         Y         N
"Gen Not" = can Generate Notifications?
"Drp Exc" = can Drop Excess Flows?
"Crt Dsc" = can Create Discard Flows?
"Dis Int" = can Disable the Interface?
"Rte Act" = can setup Rate-Based Actions?
A flow is unidirectional, and is defined when its first packet is encountered. A network conversation thus consists of two separate flows, one in each direction. Upon inactivity, a given flow times out after a product-specific interval.
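The following is an added illustration of the per-port mechanism described above (new-flow arrival-rate monitoring, a maximum flow count, unidirectional flows keyed on the first packet, and inactivity timeout). It is example code written for this article, not Enterasys firmware or the enterasys-flow-limiting-mib; the flow key (a 5-tuple), the one-second rate window, the threshold values and the packet traces are all constructed assumptions chosen for demonstration.

```python
from collections import Counter, deque
from dataclasses import dataclass, field

# Assumption for this example: a flow is identified by the unidirectional
# 5-tuple of its first packet (src_ip, dst_ip, proto, src_port, dst_port).
def reverse_key(key):
    """The reply direction of a conversation is a separate flow."""
    src, dst, proto, sport, dport = key
    return (dst, src, proto, dport, sport)


@dataclass
class PortState:
    flows: dict = field(default_factory=dict)           # key -> last-seen time
    new_arrivals: deque = field(default_factory=deque)  # times of recent new flows
    disabled: bool = False


class FlowSetupThrottler:
    """Per-port flow limiting: cap the flow count, cap the new-flow rate,
    notify on every violation, and optionally disable the port."""

    def __init__(self, max_flows, max_new_per_window, window=1.0,
                 flow_timeout=30.0, disable_on_rate=False):
        self.max_flows = max_flows
        self.max_new_per_window = max_new_per_window
        self.window = window                # seconds over which new flows are counted
        self.flow_timeout = flow_timeout    # inactivity timeout (product-specific in practice)
        self.disable_on_rate = disable_on_rate
        self.ports = {}
        self.notifications = []             # (time, port, reason)

    def _expire(self, st, now):
        # Age out idle flows and slide the arrival-rate window forward.
        for k in [k for k, last in st.flows.items() if now - last >= self.flow_timeout]:
            del st.flows[k]
        while st.new_arrivals and now - st.new_arrivals[0] >= self.window:
            st.new_arrivals.popleft()

    def packet(self, port, key, now):
        """Classify one ingress packet: existing, new, dropped or port-disabled."""
        st = self.ports.setdefault(port, PortState())
        if st.disabled:
            return "port-disabled"
        self._expire(st, now)
        if key in st.flows:
            st.flows[key] = now             # refresh the idle timer
            return "existing"
        if len(st.flows) >= self.max_flows:
            self.notifications.append((now, port, "max-flows"))
            return "dropped"                # "drop excess flows" action
        if len(st.new_arrivals) >= self.max_new_per_window:
            self.notifications.append((now, port, "setup-rate"))
            if self.disable_on_rate:
                st.disabled = True          # "disable the interface" action
                return "port-disabled"
            return "dropped"
        st.flows[key] = now
        st.new_arrivals.append(now)
        return "new"


def demo():
    """Constructed traffic: one normal conversation, one host that slowly fills
    the flow table, one host that bursts new flows. Returns result counts."""
    t = FlowSetupThrottler(max_flows=20, max_new_per_window=10, window=1.0, flow_timeout=30.0)
    results = []
    req = ("10.0.0.5", "10.0.1.20", "tcp", 40000, 80)
    results.append(t.packet(1, req, 0.0))                # new: client -> server
    results.append(t.packet(2, reverse_key(req), 0.1))   # new: reply is its own flow
    results.append(t.packet(1, req, 0.5))                # existing: same flow again
    # Port 3: 30 distinct flows at ~6.7/s (under the rate cap) exhaust max_flows.
    for i in range(30):
        results.append(t.packet(3, ("10.0.0.9", f"10.0.2.{i + 1}", "tcp", 50000 + i, 445), 0.15 * i))
    # Port 4: 25 distinct flows in 0.25 s trip the setup-rate cap after 10.
    for i in range(25):
        results.append(t.packet(4, ("10.0.0.7", f"10.0.3.{i + 1}", "udp", 6000 + i, 53), 0.01 * i))
    # Port 1 after 39.5 s of silence: the original flow has timed out, so it is new again.
    results.append(t.packet(1, req, 40.0))
    return dict(Counter(results)), Counter(r for _, _, r in t.notifications)


if __name__ == "__main__":
    counts, reasons = demo()
    print(counts)
    print(dict(reasons))
```

The two limits react to different behaviours: a host that opens flows slowly but never closes them is caught by the flow-count cap, while a scanning or worm-infected host that fans out quickly is caught by the arrival-rate cap well before the table fills. Each violation produces a notification, which is what an administrator would poll or trap on to locate the offending port.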
See also: 5626