Cisco Support Community
Community Member

DDOS

Hi, since last week, my web server has been attacked at port 80. The IDS SNORT detected a T/TCP attack. I applied an ACL denying the IP address of the sender; it's a firewall with NAT to the Internet, but there are users who need to access this web server.

How can I filter "good" or "bad" packets?

2 ACCEPTED SOLUTIONS

Accepted Solutions
Community Member

Re: DDOS

If you have been able to identify the source, and have blocked him, then your other users should be fine (as long as you haven't unintentionally blocked others).

You can't filter "good" or "bad" packets until you determine which ones are good or bad. As a starting point, you can use the Characterizing and Tracing Packet Floods white paper as a start to help you determine the nature of the attack.

http://www.cisco.com/warp/public/707/22.html

Jeff

Community Member

Re: DDOS

4 REPLIES
Community Member

Re: DDOS

Thanks Jeff, I read it and I will apply it.

By

Community Member

Re: DDOS

Community Member

Re: DDOS

Thanks very much.
