- plastiiq
February 23, 2009, 1:36 pm

Hi All,
I was wondering, I recently noticed an insane amount of traffic
hitting the IPS rules on my router as "%IPS-4-SIGNATURE: Sig:4620
Subsig:0 Sev:2 DNS Limited Broadcast Query".
It seemed like the router was being flooded with this message from
one specific host, so I decided to blackhole the host away - ip route
xxx.xxx.xxx.xxx 255.255.255.255 null0.
In the past this has been an effective way to block traffic from a host
without costing us too much in overhead.
The question is, ever since I implemented the blackhole route, I
am still seeing the same number of messages from the IPS from this
host.
Does this mean that one of my ACLs is taking precedence and allowing
the traffic through, or will I continue to see the messages even
though the host is blackholed?
Thanks in advance for any insight you can provide.