Question about IDS & Black Hole Routes




Hi All,

I was wondering: I recently noticed an insane amount of traffic
hitting the IPS rules on my router as "%IPS-4-SIGNATURE: Sig:4620
Subsig:0 Sev:2 DNS Limited Broadcast Query".

It seemed like the router was being flooded with this message from
one specific host, so I decided to blackhole the host away: ip route
xxx.xxx.xxx.xxx 255.255.255.255 null0.

In the past this has been an effective way to block traffic from a host
without costing us too much in overhead.

The question is, ever since I implemented the blackhole route, I
am still seeing the same number of messages from the IPS for this
host.

Does this mean that one of my ACLs is taking precedence and allowing
the traffic through, or will I continue to see the messages even
though the host is black holed?

Thanks in advance for any insight you can provide.
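An added example, not part of the original post: a static route to Null0 only discards packets the router forwards *to* the listed address, so packets *sourced* from that host still arrive on the ingress interface and are processed unless a source-based filter is in place. The Cisco IOS fragment below places the posted null route beside two source-based options, an inbound ACL and loose-mode unicast RPF; the address 192.0.2.10, the ACL name and the interface name are assumed placeholders.

```cisco
! --- as posted: destination-based black hole ---
! Discards packets routed TO 192.0.2.10 (placeholder for the flooding host).
! Packets FROM that host still enter the router and are inspected.
ip route 192.0.2.10 255.255.255.255 Null0

! --- option 1: drop the source on ingress with an ACL ---
! The logged DNS line gives a hit counter to confirm the filter is matching.
ip access-list extended DROP-DNS-FLOOD
 deny   udp host 192.0.2.10 any eq domain log
 deny   ip  host 192.0.2.10 any
 permit ip any any
!
interface GigabitEthernet0/0
 description upstream link (assumed interface name)
 ip access-group DROP-DNS-FLOOD in

! --- option 2: turn the null route into a source-based drop with uRPF ---
! In loose mode a packet whose source address has a best route pointing to
! Null0 fails the RPF check and is discarded on ingress, so the existing
! null route now blocks traffic FROM 192.0.2.10 as well.
interface GigabitEthernet0/0
 ip verify unicast source reachable-via any

! --- checks: confirm the route is installed and watch counters move ---
! show ip route 192.0.2.10
! show ip access-lists DROP-DNS-FLOOD
! show ip interface GigabitEthernet0/0 | include verif
```

Use one of the two source-based options, not both, on the same interface unless the ACL is needed for the logging counter; the null route alone leaves the IPS signature firing because inspection happens before forwarding decides where the reply would go.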
