DDOS

paulo.s
Level 1

Hi, since last week, my web server has been attacked at port 80. The IDS SNORT detected a T/TCP attack. I applied the ACL denying the IP address of the sender; it's a firewall with NAT to the Internet, but there are users who need to access this web server.

How can I filter "good" or "bad" packets?

Accepted Solutions

jeff.k
Level 1

If you have been able to identify the source, and have blocked him, then your other users should be fine (as long as you haven't unintentionally blocked others).

You can't filter "good" or "bad" packets until you determine which ones are good or bad. As a starting point, you can use the Characterizing and Tracing Packet Floods white paper as a start to help you determine the nature of the attack.

http://www.cisco.com/warp/public/707/22.html

Jeff

4 Replies

Thanks Jeff, I read it and I will apply it.

By

Thanks very much.