February 23, 2009, 1:36 pm
I was wondering, I recently noticed an insane amount of traffic
hitting the IPS rules on my router as "%IPS-4-SIGNATURE: Sig:4620
Subsig:0 Sev:2 DNS Limited Broadcast Query".
It seemed like the router was being flooded with this message from
one specific host so I decided to blackhole the host away - ip route
xxx.xxx.xxx.xxx 255.255.255.255 null0.
In the past this has been an effective way to block traffic from a host
without costing us too much in overhead.
The question is, ever since I implemented the blackhole route, I
am still seeing the same number of messages from the IPS from this
Does this mean that one of my ACLs is taking precedence and allowing
the traffic through, or will I continue to see the messages even
though the host is black holed?
Thanks in advance for any insight you can provide.