05-16-2003 08:00 AM - edited 03-09-2019 03:19 AM
Hi, since last week, my web server has been attacked at port 80. The IDS SNORT detected T/TCP attack. I applied the acl denying ip address from sender, it's a firewall with NAT to Internet, but there are users who need access this web server.
How can I filter "good" or "bad" packets ?
Solved! Go to Solution.
05-17-2003 07:01 PM
If you have been able to identify the source, and have blocked him, then your other users should be fine (as long as you haven't unintentionally blocked others).
You can't filter "good" or "bad" packets until you determine which ones are good or bad. As a starting point, you can use the Characterizing and Tracing Packet Floods white paper as a start to help you determine the nature of the attack.
http://www.cisco.com/warp/public/707/22.html
Jeff
06-03-2003 05:14 PM
paulo.s,
Check this link as well. VERY IMPORTANT!
http://www.cisco.com/en/US/tech/tk583/tk385/technologies_white_paper09186a0080174a5b.shtml
05-17-2003 07:01 PM
If you have been able to identify the source, and have blocked him, then your other users should be fine (as long as you haven't unintentionally blocked others).
You can't filter "good" or "bad" packets until you determine which ones are good or bad. As a starting point, you can use the Characterizing and Tracing Packet Floods white paper as a start to help you determine the nature of the attack.
http://www.cisco.com/warp/public/707/22.html
Jeff
05-19-2003 07:26 AM
Thks Jeff, I read and I will apply.
By
06-03-2003 05:14 PM
paulo.s,
Check this link as well. VERY IMPORTANT!
http://www.cisco.com/en/US/tech/tk583/tk385/technologies_white_paper09186a0080174a5b.shtml
06-04-2003 03:56 AM
Thks very much.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide