I am having a very ugly problem :-(
I have a 10MB Internet connection going through a 7206, then two ASAs in failover and then a Cisco CSS with a cluster of 3 web servers that receive constant HTTP transactions. The web servers hold a single web page with a single public IP address that is under attack.
I have a NetFlow Analyzer showing thousands of HTTP connections (valid HTTP connections, getting a 200 OK response from the web server)... but trying to reach a nonexistent directory.
Thousands and thousands of these connections from thousands of different IP addresses (besides all the valid HTTP transactions).
My ISP is telling me that since all the HTTP requests are valid, there's no way for them to "block" this attack.
I am thinking about an IPS sensor, creating a signature that blocks that traffic specifically, but if the directory or the attack changes, we need to constantly modify the signatures...
We've tried the Cisco Traffic Anomaly Detector and Guard and it did not detect the traffic as an attack!
Can somebody point me in the right direction for an approach to this situation?
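One way to spot this pattern on the web-server side without a hand-written signature per directory is to flag any path that is not in the site's known map yet is being requested by many distinct client addresses. The example below is added here and is not from the original post or from any Cisco product; the access-log lines and the set of known paths are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines in the common "combined" format (not real traffic).
# Legitimate clients fetch the real page; five unrelated addresses hammer a directory
# the site never had, and the server still answers 200, exactly as described in the post.
SAMPLE_LOG = """\
10.0.0.1 - - [12/Mar/2009:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120
10.0.0.2 - - [12/Mar/2009:10:00:01 +0000] "GET /style.css HTTP/1.1" 200 812
10.0.0.1 - - [12/Mar/2009:10:00:02 +0000] "GET / HTTP/1.1" 200 5120
198.51.100.7 - - [12/Mar/2009:10:00:02 +0000] "GET /nonexistent/ HTTP/1.1" 200 5120
198.51.100.8 - - [12/Mar/2009:10:00:02 +0000] "GET /nonexistent/ HTTP/1.1" 200 5120
198.51.100.9 - - [12/Mar/2009:10:00:03 +0000] "GET /nonexistent/ HTTP/1.1" 200 5120
198.51.100.10 - - [12/Mar/2009:10:00:03 +0000] "GET /nonexistent/ HTTP/1.1" 200 5120
198.51.100.11 - - [12/Mar/2009:10:00:03 +0000] "GET /nonexistent/ HTTP/1.1" 200 5120
203.0.113.5 - - [12/Mar/2009:10:00:04 +0000] "GET /old/ HTTP/1.1" 404 210
203.0.113.6 - - [12/Mar/2009:10:00:04 +0000] "GET /other/ HTTP/1.1" 200 5120
"""

# Assumption: the single public page plus its assets is the whole legitimate URL space.
KNOWN_PATHS = {"/", "/index.html", "/style.css"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_log(text):
    """Yield (client_ip, request_path, status_code) for each parseable log line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group("ip"), m.group("path"), int(m.group("status"))


def flood_paths(text, known_paths, min_sources=3):
    """Return {path: distinct_client_count} for paths outside the site's known map
    that were answered 200 and requested by at least min_sources distinct clients.
    Keying on distinct sources rather than request count is what separates a
    distributed flood from one misconfigured client; 404s are ignored because
    the post's symptom is a nonexistent directory that still gets a 200."""
    sources = defaultdict(set)
    for ip, path, status in parse_log(text):
        if status == 200 and path not in known_paths:
            sources[path].add(ip)
    return {p: len(s) for p, s in sources.items() if len(s) >= min_sources}
```

The flagged paths can then drive a load-balancer or server rule (for example returning a 404 or a cheap static response for them) that is regenerated from the log instead of edited by hand each time the attacker changes directory.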