Section: vt-ng (1)
Updated: 18 October 2007


NAME

vt-ng - virus throttling daemon


You can get the source from sourceforge



SYNOPSIS

vt-ng <options>
[ -c --config]
[ -h --help]
[ -d --default-delay value]
[ -t --default-hot-hosts value]
[ -q --default-queue-size value]
[ --default-high-watermark value]
[ --default-low-watermark value]
[ -a --default-alert-script script]
[ -s --simulation]
[ -p --print-stat]
[ --debug]
[ --log-to-stdout]



DESCRIPTION

vt-ng detects virus- and worm-like activity based on communication patterns. It can be used to (1) detect infected hosts within your internal network and (2) stop the spread of malware.

Detection is based on the fact that malware usually tries to initiate many connections to the outside network, for various reasons: be it to "phone home", to download further malware, or to scan the net for other vulnerable hosts.

The most common setup of vt-ng is on a gateway machine, such that all traffic originating in your internal network passes through vt-ngd (the vt-ng daemon). However, vt-ng may also be installed on a single host, protecting only that host. We will call the machine on which vt-ng is installed the throttler.

vt-ng operates in the following way: for each IP address, ip, in the internal network, vt-ngd associates a packet queue. Each time a packet, p, either a UDP packet or a packet initiating a TCP connection, passes through the throttler, p is first transferred to vt-ngd. This is done with the help of the QUEUE target of iptables(8). When vt-ngd receives a packet p, it applies the following rules:

1. Check if the packet queue associated with the source address of p is throttled. If it is throttled, drop the packet. That is, inform the kernel to drop p and not send it.
2. If the queue is not throttled, accept p. That is, pass p back to the kernel for transmission.
3. Insert p into the packet queue, with a configurable delay, say 2 seconds.
4. If the packet queue is now either full or above a certain high-watermark, mark the packet queue as throttled.

Repeatedly, vt-ngd inspects all of the packet queues and removes packets which "served their time". For example, if a packet was placed in a queue for a duration of 2 seconds, and at least 2 seconds have gone by, the packet is dequeued. If the queue was marked as throttled, and the queue size is now below a certain low-watermark, vt-ngd un-throttles the queue.



OPTIONS

-h, --help
Print the usage syntax.
-c, --config
Specify a config file. A sample config file is provided in the distribution package.
-d, --default-delay value
The default time duration each packet is placed in a queue. Specific delays for specific IP addresses may be configured via the config file.
-q, --default-queue-size value
The default packet queue size. Specific queue sizes for specific IP addresses may be configured via the config file.
--default-high-watermark value
The default high-watermark value. Specific values for specific IP addresses may be configured via the config file.
--default-low-watermark value
The default low-watermark value. Specific values for specific IP addresses may be configured via the config file.
-t, --default-hot-hosts value
A list of the most recent IP addresses to which packets were destined is saved for each source IP. For each packet, prior to processing the packet, the destination address is inspected. If the destination address is in the list, the packet is accepted and the queue logic is bypassed.
-a, --default-alert-script script
Whenever a queue is throttled, this script is called. The following arguments are passed:
- start/stop --> indicating whether activity has started or stopped.
- ip --> the originating IP which triggered the detection.
- port --> the associated source port.
- ip --> the destination IP.
- port --> the destination port.
Different scripts for different source IP addresses may be specified in the config file. If no script is present, either as default or for a specific IP, none will be executed.
-s, --simulation
Run in simulation mode. Never drop packets, but act as if you do.
-p, --print-stat
Print a status report to the console.
--debug
Run in debugging mode. Print more verbose information to the log.
--log-to-stdout
Log to stdout in addition to syslog.
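The following Python model is an added example, not vt-ng's own code. It implements the four queue rules and the periodic expiry pass from DESCRIPTION together with the hot-host shortcut and the alert hook described under --default-hot-hosts and --default-alert-script, so a defender can replay a suspected fan-out pattern and see when throttling would start and stop. Everything beyond the man page is an assumption and is marked as such in the code: packets are fed in as explicit (time, src, dst, sport, dport) tuples instead of arriving through the iptables QUEUE target, the hot-host list is a bounded FIFO of recent destinations whose length is the --default-hot-hosts value, the alert script is modelled as a Python callable receiving the same five arguments, the "stop" alert repeats the destination of the packet that triggered throttling, and simulation mode counts would-be drops instead of dropping. The sample traffic in run_scan_scenario is constructed.

```python
"""Model of vt-ng's per-source packet-queue throttling (added example)."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class SourceState:
    queue: deque = field(default_factory=deque)      # (release_time, dst) entries
    hot_hosts: deque = field(default_factory=deque)  # most recent destinations (assumed FIFO)
    throttled: bool = False
    trigger: tuple = (None, None, None)              # (sport, dst, dport) that caused throttling


class Throttler:
    def __init__(self, delay=2.0, queue_size=10, high_watermark=8,
                 low_watermark=4, hot_hosts=3, simulation=False, alert=None):
        self.delay = delay                  # --default-delay
        self.queue_size = queue_size        # --default-queue-size
        self.high_watermark = high_watermark
        self.low_watermark = low_watermark
        self.hot_hosts = hot_hosts          # --default-hot-hosts (assumed: list length)
        self.simulation = simulation        # --simulation
        self.alert = alert or (lambda *args: None)  # --default-alert-script stand-in
        self.state = {}                     # src ip -> SourceState
        self.simulated_drops = 0            # assumption: what simulation mode reports

    def _state(self, src):
        return self.state.setdefault(src, SourceState())

    def expire(self, now):
        """Dequeue packets that served their delay; un-throttle below the low-watermark."""
        for src, st in self.state.items():
            while st.queue and st.queue[0][0] <= now:
                st.queue.popleft()
            if st.throttled and len(st.queue) < self.low_watermark:
                st.throttled = False
                sport, dst, dport = st.trigger
                self.alert("stop", src, sport, dst, dport)

    def handle_packet(self, now, src, dst, sport, dport):
        """Return 'hot', 'accept' or 'drop' for one UDP packet or TCP connection attempt."""
        self.expire(now)  # the daemon does this periodically; here it runs per packet
        st = self._state(src)
        # Hot-host shortcut: a recent destination bypasses the queue logic entirely.
        if dst in st.hot_hosts:
            return "hot"
        # Rule 1: a throttled source has its packet dropped (only counted in simulation mode).
        if st.throttled:
            if self.simulation:
                self.simulated_drops += 1
                return "accept"
            return "drop"
        # Rules 2 and 3: accept the packet and hold a queue entry for `delay` seconds.
        st.queue.append((now + self.delay, dst))
        st.hot_hosts.append(dst)
        while len(st.hot_hosts) > self.hot_hosts:
            st.hot_hosts.popleft()
        # Rule 4: queue full or above the high-watermark => throttle and raise the start alert.
        if len(st.queue) >= self.queue_size or len(st.queue) >= self.high_watermark:
            st.throttled = True
            st.trigger = (sport, dst, dport)
            self.alert("start", src, sport, dst, dport)
        return "accept"


def run_scan_scenario():
    """Constructed traffic: one internal host opens connections to ten new hosts in one second."""
    alerts = []
    throttler = Throttler(alert=lambda *args: alerts.append(args))
    verdicts = []
    for i in range(10):
        verdicts.append(throttler.handle_packet(0.1 * i, "10.0.0.5", f"10.2.0.{i + 1}", 40000 + i, 445))
    # A destination seen recently is still reachable while the source is throttled.
    verdicts.append(throttler.handle_packet(1.0, "10.0.0.5", "10.2.0.8", 40010, 445))
    # After the 2-second delay the queue drains below the low-watermark and the source is released.
    verdicts.append(throttler.handle_packet(3.0, "10.0.0.5", "10.2.0.99", 40011, 445))
    return verdicts, alerts


if __name__ == "__main__":
    for verdict, alert in zip(*run_scan_scenario()):
        print(verdict, alert)
```

With the defaults above (queue size 10, high-watermark 8, low-watermark 4, delay 2 s) the eighth connection attempt trips the high-watermark, the next two are dropped, a recent destination is still accepted through the hot-host list, and the source is released once its queued entries expire. Tuning the two watermarks against replayed traffic from normal hosts is the practical way to pick values that throttle fan-out without touching ordinary browsing.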



AUTHOR

Nir Tzachar <nir.tzachar@gmail.com>
Based on a discontinued HP product called hp-vt.



This document was created by man2html, using the manual pages.
Time: 18:37:54 GMT, October 25, 2007