https://community.cisco.com/t5/network-security/ddos-attacks/m-p/950905#M917569 <P>hello security people, help me to find answer to my security question.</P><P>here is the problem: i have cisco 6506 , 48 gig. interfaces and 9 SFP,and one firewall module. one SFP interface is connected to the ISP, and gigethernet to small offices. there is some virus in some computer that blocks my bandwith from ISP. i checked with "sh int gig x/y" that upload is 90Mbs . wow!!! then i decided implement MQC based policing on gigx/y interface. after some minut there was another attack that not just lock my bandwith and also killed my cisco6506. , it was terrible... after 10-15 minut attack is stoped, i check policing with "sh policy-map int gigx/y" and saw that cisco droped 8Gbyt. hey people help to find solution, any suggestion? is there any black-list to block ip address attacker automaticaly?</P> Mon, 11 Mar 2019 13:06:10 GMT noodles44 2019-03-11T13:06:10Z https://community.cisco.com/t5/network-security/ddos-attacks/m-p/950905#M917569 <P>hello security people, help me to find answer to my security question.</P><P>here is the problem: i have cisco 6506 , 48 gig. interfaces and 9 SFP,and one firewall module. one SFP interface is connected to the ISP, and gigethernet to small offices. there is some virus in some computer that blocks my bandwith from ISP. i checked with "sh int gig x/y" that upload is 90Mbs . wow!!! then i decided implement MQC based policing on gigx/y interface. after some minut there was another attack that not just lock my bandwith and also killed my cisco6506. , it was terrible... after 10-15 minut attack is stoped, i check policing with "sh policy-map int gigx/y" and saw that cisco droped 8Gbyt. hey people help to find solution, any suggestion? is there any black-list to block ip address attacker automaticaly?</P> Mon, 11 Mar 2019 13:06:10 GMT https://community.cisco.com/t5/network-security/ddos-attacks/m-p/950905#M917569 noodles44 2019-03-11T13:06:10Z https://community.cisco.com/t5/network-security/ddos-attacks/m-p/950906#M917570 <HTML><HEAD></HEAD><BODY><P>Here are some suggestions:</P><P></P><P>1) if you have FWSM, use <A class="jive-link-custom" href="http://www.fireplotter.com" target="_blank">www.fireplotter.com</A> trial version to profile the traffic, then you can use clear local-host <IP> command to clear off the sessions from the firewall</IP></P><P></P><P>2) Use Netflow</P><P><A class="jive-link-custom" href="http://www.securityfocus.com/infocus/1796" target="_blank">http://www.securityfocus.com/infocus/1796</A></P><P></P><P>3) Try to update your systems with updated anti-virus defs, and 'detect' the worm-name exactly. Google the remediation procedure for that worm and start your work....</P><P></P><P>4) Temporarily make your firewall policy HTTP + necessary ports only (if it was not permit any any before).</P><P></P><P>Regards</P><P></P><P>Farrukh</P></BODY></HTML> Fri, 27 Jun 2008 04:57:26 GMT https://community.cisco.com/t5/network-security/ddos-attacks/m-p/950906#M917570 Farrukh Haroon 2008-06-27T04:57:26Z https://community.cisco.com/t5/network-security/ddos-attacks/m-p/950907#M917571 <HTML><HEAD></HEAD><BODY><P>xm... i found that virus, there were 5 infected computers. but it is posible the system can infect again and again because i have not any access to user computers. </P><P>can firewall block that attacks itself? is there any feature like black-list?</P></BODY></HTML> Fri, 27 Jun 2008 05:36:49 GMT https://community.cisco.com/t5/network-security/ddos-attacks/m-p/950907#M917571 noodles44 2008-06-27T05:36:49Z https://community.cisco.com/t5/network-security/ddos-attacks/m-p/950908#M917572 <HTML><HEAD></HEAD><BODY><P>well you can implement the black-list (if you know the rogue IPs) using a simple access-list.</P><P></P><P>Regards</P><P></P><P>Farrukh</P></BODY></HTML> Fri, 27 Jun 2008 09:17:52 GMT https://community.cisco.com/t5/network-security/ddos-attacks/m-p/950908#M917572 Farrukh Haroon 2008-06-27T09:17:52Z https://community.cisco.com/t5/network-security/ddos-attacks/m-p/950909#M917573 <HTML><HEAD></HEAD><BODY><P>i know it man. i ask about automatic black-lists.</P></BODY></HTML> Fri, 27 Jun 2008 09:36:52 GMT https://community.cisco.com/t5/network-security/ddos-attacks/m-p/950909#M917573 noodles44 2008-06-27T09:36:52Z https://community.cisco.com/t5/network-security/ddos-attacks/m-p/950910#M917574 <HTML><HEAD></HEAD><BODY><P>No there is no such thing on the ASA to my knowledge. Maybe on the CSC module for anti-spam etc. but no on the ASA itself.</P><P></P><P>Regards</P><P></P><P>Farrukh</P></BODY></HTML> Fri, 27 Jun 2008 09:58:01 GMT https://community.cisco.com/t5/network-security/ddos-attacks/m-p/950910#M917574 Farrukh Haroon 2008-06-27T09:58:01Z https://community.cisco.com/t5/network-security/ddos-attacks/m-p/950911#M917575 <HTML><HEAD></HEAD><BODY><P>You could configure threat detection and have the ASA automatically shun the IP based on thresholds...</P></BODY></HTML> Tue, 01 Jul 2008 01:25:14 GMT https://community.cisco.com/t5/network-security/ddos-attacks/m-p/950911#M917575 trippi 2008-07-01T01:25:14Z