We have a class B subnet with about 100 active class C networks in 20 different VLANs being routed by a Cisco 6509 (Sup720 running IOS). The Cisco is routing all these VLANs with a default route out to a set of firewalls (HA) which is connected to our WAN provider. I guess that's a common setup.
Now: we are being bombarded with tcp/445 scans from internal infected systems. The virus is somewhat intelligent in that it only scans the classful subnet that an infected machine is part of. I have blocked some systems with ACLs, but I am looking for some way to limit new SYNs received from a host every second. I don't even know if this is possible at all, but I am open to suggestions.
Even when blocked with an ACL, I still see a storm of ARPs, and that has me worried too; it already took down a Cisco concentrator due to not enough room for CAM entries, but that was old hardware, so I guess that I can safely assume that other hardware will hold up like it has so far.
The firewall that is connected to the Cisco never sees these scans because they are local to the 6509. I guess we can policy route on the router, but I am trying to avoid that due to a possible performance hit.
Anyone?? The ACLs are growing HUGE and are hard to keep up with. We have the support people visiting these infected machines and cleaning them up, but the infection is spreading faster than we can keep up.
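As an added example (not from the original post), this is the kind of IOS class-based policing that caps tcp/445 SYN traffic entering one routed VLAN interface instead of blocking hosts one ACL entry at a time. The VLAN name, rate and burst values are assumed starting points, and on a 6500/Sup720 the policer is enforced by the PFC, so `mls qos` must be enabled (and `mls qos vlan-based` set on the VLAN's Layer 2 ports) for it to take effect.

```cisco
! Match only new SMB connection attempts: TCP SYN toward port 445, any source.
! Existing sessions (no SYN flag) are left alone, so legitimate SMB keeps working.
ip access-list extended WORM-445-SYN
 permit tcp any any eq 445 syn
!
class-map match-all WORM-445-SYN
 match access-group name WORM-445-SYN
!
! Aggregate policer: up to 64 kbps of 445 SYNs (roughly a hundred-odd ~60-byte
! SYNs per second) is forwarded, everything above that is dropped.
! 64000 bps / 8000 byte burst are assumed values to tune, not measured ones.
policy-map LIMIT-445-SYN
 class WORM-445-SYN
  police 64000 8000 conform-action transmit exceed-action drop
!
! Enable PFC QoS so the policer is programmed in hardware rather than ignored.
mls qos
!
! Apply inbound on each routed VLAN interface (Vlan10 is an assumed name).
interface Vlan10
 service-policy input LIMIT-445-SYN
!
! Verify the policer is attached and watch the exceed counter climb while the
! scanning continues; a counter stuck at zero means the match is not taking
! effect in hardware and the ACL/flag matching needs to be checked:
! show policy-map interface vlan 10
```

The exceed counter per VLAN also tells you which VLANs still contain active scanners, which narrows down where the support people should go next.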