Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
382
Views
4
Helpful
2
Replies

Under attack! Need help with IPS

syedfayum
Level 1
Level 1

‎04-13-2008 12:09 AM - edited ‎03-10-2019 04:03 AM

Some guy is coming to our site and demanding a payoff or he will DDoS us. We didn't pay him and he did what he said he was going to do. I expect another attack at any time.

The flood was only 10Mb, but our cisco was not tuned as good as it could be. I think with the better config, I will be able to simply absorb it using TCP intercept and IPS.

I found a good attack signature that I would like to use IPS for, to keep the packet from the web servers completely.

I am trying to setup the cisco IPS on the front facing interface of a

3845 router. Every time I enable the IPS, no packets are allowed to

pass through the router. w/out IPS, everything works fine (except

there is no IPS). The moment I enable it, nothing can get through.

I have:

ip ips sdf location flash://sdmips.sdf

ip ips sdf location flash://256MB.sdf autosave

ip ips name sdm_ips_rule_IPS list IPS

.

.

interface GigabitEthernet0/0

ip address 127.2.2.3 255.255.255.248 <--- edited for the example

ip access-group gigabitethernet0/0_in in

ip access-group sdm_gigabitethernet0/0_out out

ip verify unicast reverse-path

no ip redirects

no ip unreachables

no ip proxy-arp

ip ips sdm_ips_rule_IPS in

ip virtual-reassembly

ip route-cache flow

duplex auto

speed auto

media-type sfp

no mop enabled

crypto map SDM_CMAP_1

crypto ipsec df-bit clear

.

.

.

.

ip access-list extended IPS

remark SDM_ACL Category=1

permit tcp any host 125.2.4.2 eq www <--- just a test host on our

network. www packets are being blocked

If I change the ACL to deny, then everything passes just fine. It's

only when I change the ACL to send packets through the IPS that it

stops cold.

Does anyone have an idea what the problem might be?

thank you,

Syed Fayum

Labels:
0 Helpful
2 Replies 2

mhellman
Level 7
Level 7

‎04-14-2008 06:30 AM

if you are legitimately being blackmailed, you should probably get the authorities involved. Here in the US, that would be the FBI. Hopefully you have an equivalent. The chances that an IPS at the last mile is going to be effective against a botnet DDoS seems pretty unlikely. I would recommend working with your Internet Service Provider to see what help they can offer.

0 Helpful

rhermes
Level 7
Level 7
In response to mhellman

‎04-14-2008 07:28 AM

mhellman is correct, you can not protect yourself against a DDoS attack from your end. As long as the attacker has more bandwidth of attack traffic than you have in internet access, your internet access will be filled and rendered useless. Some ISP's offer DDoS scrubbing services. If your attacker is only using a few hosts your ISP may filter their IPs.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card