IDS traffic regulation (TR) policies for TCP ports limit the total number of connections an application has active at one time. This can be used to limit the number of address spaces created by forking applications such as FTPD and otelnetd. A fair share algorithm is also provided based on the percentage of remaining available connections already held by a source IP address.
The percentage is applied against the number of available connections for the port. Therefore, as fewer connections become available, each host is allowed fewer new connections. The percentage is applied against the number of available connections, rather than the total number of connections allowed, in order to allow access to a larger number of different hosts when resources are low.
When a host requests a connection, the number of connections it currently holds for the port is compared to the percentage applied to the connections currently available for the port. If the number currently held is less than the percentage of currently available connections, the host is allowed to open an additional connection. If equal or greater, the host is not allowed to open further connections until more connections are freed up. All connection requesters for the port are regulated by this mechanism. If a host does not currently have any connections open on the port and unused connections are available, a host will always be allowed at least 1 connection. Multi-user source IP addresses can be allowed a larger number of connections by specifying a QoS policy with a higher number of connections (MaxConnections) than allowed by the TR policy. TR will honor the QoS differentiated services policy if the port is not in a constrained state. A QoS exception is made only when QoS differentiated service policy is applied for the specific source server port and specific outbound client destination IP address; if either of these attributes specify a range or are null, the QoS exception will not be made.
TR TCP generates a Constrained Event when a port reaches about 90% of its Connection Limit. An Unconstrained Event is generated when the port falls below about 88% of its limit. An IDS correlator is assigned for the duration of each constrained state. If tracing is requested in the policy, the first 100 packets that exceed the limit in each constrained state are traced along with the correlator. TR TCP also generates events for each connection allowed because of a QoS override policy and for each connection denied for exceeding either the application's connection limit or the percent available limit.
To prevent possible flooding of syslog, TR TCP limits the number of connection refused, would have been refused, or QOS exception log records written in a five minute interval. For a listening port, a maximum of 100 of these log records are written within a five minute interval. Globally, TR TCP writes a maximum of 1000 of these log records within a five minute interval. If a log record was not written due to these limits, the count of refused or would have been refused connection log records that were not logged is recorded in the EZZ8660I TRMD TCP connection log records suppressed log message after the five minute interval ends. Similarly, the count of QOS exception records that were not written is recorded in the EZZ8661I TRMD TCP QOS exception log records suppressed log message.
TCP traffic regulation policy applies to IPv4 and IPv6.