Some guy is coming to our site and demanding a payoff or he will DDoS us. We didn't pay him and he did what he said he was going to do. I expect another attack at any time.

The flood was only 10Mb, but our Cisco was not tuned as well as it could be. I think with the better config, I will be able to simply absorb it using TCP intercept and IPS.

I found a good attack signature that I would like to use IPS for, to keep the packet from the web servers completely.

I am trying to set up the Cisco IPS on the front-facing interface of a 3845 router. Every time I enable the IPS, no packets are allowed to pass through the router. Without IPS, everything works fine (except there is no IPS). The moment I enable it, nothing can get through.
! global IPS configuration
ip ips sdf location flash://sdmips.sdf
ip ips sdf location flash://256MB.sdf autosave
ip ips name sdm_ips_rule_IPS list IPS
!
! interface-level configuration (the interface line itself is not in the post;
! the access-group names suggest GigabitEthernet0/0)
ip address 127.2.2.3 255.255.255.248
! <--- edited for the example
ip access-group gigabitethernet0/0_in in
ip access-group sdm_gigabitethernet0/0_out out
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip ips sdm_ips_rule_IPS in
ip route-cache flow
no mop enabled
crypto map SDM_CMAP_1
crypto ipsec df-bit clear
!
! ACL that selects the traffic handed to the IPS rule
ip access-list extended IPS
remark SDM_ACL Category=1
permit tcp any host 184.108.40.206 eq www
! <--- just a test host on our network. www packets are being blocked
If I change the ACL to deny, then everything passes just fine. It's only when I change the ACL to send packets through the IPS that it

Does anyone have an idea what the problem might be?
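An added checklist, not part of the original post, for narrowing down why traffic matched by the `IPS` ACL stops passing once `ip ips sdm_ips_rule_IPS in` is applied. The commands are standard IOS IPS `show` commands; the `ip ips fail closed` setting is the one to look at first, because a rule whose signature file (SDF) did not load drops matched traffic when fail-closed is enabled. The IP addresses and interface name are taken from the post and are only placeholders.

```cisco
! 1. Confirm which SDF actually loaded and whether the engine is fail-open or fail-closed.
!    Two "ip ips sdf location" lines are configured above; only one can be active,
!    and a failed or partial signature load is the most common cause of "everything is dropped".
show ip ips configuration
!    look for: "IPS fail closed is enabled" / "disabled" and the signature load status

! 2. Check that the rule is bound to the interface in the expected direction.
show ip ips interfaces

! 3. Verify the signatures compiled and are enabled (an empty or "failed" list here
!    means the engine never built, even though the rule is applied).
show ip ips signatures

! 4. Clear counters, send a test request to the web server, then see whether the
!    traffic is being counted as inspected, and which signature (if any) fires.
clear ip ips statistics
show ip ips statistics
show access-lists IPS

! 5. Sanity-check ACL semantics: with "ip ips name <rule> list <acl>", traffic PERMITTED
!    by the ACL is inspected, traffic DENIED by the ACL bypasses IPS entirely. This matches
!    the behaviour described in the post (deny = everything passes, permit = blocked), so
!    the ACL itself is doing what it should; the drop is happening inside the IPS engine.
!
! 6. If step 1 shows fail-closed with no loaded signatures, the quickest way to stop the
!    outage while the SDF problem is fixed is to revert to fail-open (the IOS default):
no ip ips fail closed
```

The point of steps 1 and 3 together is to separate "the IPS is dropping because a signature fired" from "the IPS is dropping because it never came up": only the first case shows up as a signature hit in `show ip ips statistics`, while the second shows no inspected packets at all.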