Question about IDS & Black Hole Routes


Hi All,

 I was wondering, I recently noticed an insane amount of traffic
hitting the IPS rules on my router as "%IPS-4-SIGNATURE: Sig:4620
Subsig:0 Sev:2 DNS Limited Broadcast Query ".

 It seemed like the router was being flooded with this message from
one specific host so I decided to blackhole the host away - ip route null0.

 In the past this has been an effective way to block traffic from a host
without costing us too much in overhead.

 The question is, ever since I implemented the blackhole route, I
am still seeing the same number of messages from the IPS from this

 Does this mean that one of my ACLs is taking precedence and allowing
the traffic through, or will I continue to see the messages even
though the host is black holed?

Thanks in advance for any insight you can provide.
