Question about IDS & Black Hole Routes

Hi All,

I was wondering, I recently noticed an insane amount of traffic hitting the IPS rules on my router as "%IPS-4-SIGNATURE: Sig:4620 Subsig:0 Sev:2 DNS Limited Broadcast Query ".

It seemed like the router was being flooded with this message from one specific host so I decided to blackhole the host away - ip route xxx.xxx.xxx.xxx 255.255.255.255 null0.

In the past this has been an effective way to block traffic from a host without costing us too much in overhead.

The question is, ever since I implemented the blackhole route, I am still seeing the same number of messages from the IPS from this host.

Does this mean that one of my ACLs is taking precedence and allowing the traffic through, or will I continue to see the messages even though the host is black holed?

Thanks in advance for any insight you can provide.

plastiiq