Under attack! Need help with IPS

Unanswered Question
Apr 13th, 2008

Some guy is coming to our site and demanding a payoff or he will DDoS us. We didn't pay him and he did what he said he was going to do. I expect another attack at any time.

The flood was only 10Mb, but our cisco was not tuned as good as it could be. I think with the better config, I will be able to simply absorb it using TCP intercept and IPS.

I found a good attack signature that I would like to use IPS for, to keep the packet from the web servers completely.

I am trying to setup the cisco IPS on the front facing interface of a

3845 router. Every time I enable the IPS, no packets are allowed to

pass through the router. w/out IPS, everything works fine (except

there is no IPS). The moment I enable it, nothing can get through.

I have:

ip ips sdf location flash://sdmips.sdf

ip ips sdf location flash://256MB.sdf autosave

ip ips name sdm_ips_rule_IPS list IPS



interface GigabitEthernet0/0

ip address <--- edited for the example

ip access-group gigabitethernet0/0_in in

ip access-group sdm_gigabitethernet0/0_out out

ip verify unicast reverse-path

no ip redirects

no ip unreachables

no ip proxy-arp

ip ips sdm_ips_rule_IPS in

ip virtual-reassembly

ip route-cache flow

duplex auto

speed auto

media-type sfp

no mop enabled

crypto map SDM_CMAP_1

crypto ipsec df-bit clear





ip access-list extended IPS

remark SDM_ACL Category=1

permit tcp any host eq www <--- just a test host on our

network. www packets are being blocked

If I change the ACL to deny, then everything passes just fine. It's

only when I change the ACL to send packets through the IPS that it

stops cold.

Does anyone have an idea what the problem might be?

thank you,

Syed Fayum

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (1 ratings)
mhellman Mon, 04/14/2008 - 06:30

if you are legitimately being blackmailed, you should probably get the authorities involved. Here in the US, that would be the FBI. Hopefully you have an equivalent. The chances that an IPS at the last mile is going to be effective against a botnet DDoS seems pretty unlikely. I would recommend working with your Internet Service Provider to see what help they can offer.

rhermes Mon, 04/14/2008 - 07:28

mhellman is correct, you can not protect yourself against a DDoS attack from your end. As long as the attacker has more bandwidth of attack traffic than you have in internet access, your internet access will be filled and rendered useless. Some ISP's offer DDoS scrubbing services. If your attacker is only using a few hosts your ISP may filter their IPs.


This Discussion