Okay, I know I probably can't stop it, but it seemed like a good title.

I am a junior systems analyst and I monitor Cisco routers and switches. On one of my routers, a Cisco 7200 series running IOS 12.2(15)T17, I have been monitoring a Denial of Service attack for a few weeks now. Someone or some people have it out for us, it seems, and are not only overloading my router's CPU (it now runs between 75% and 100%) but they are spoofing IPs to do it. I've placed several blocks at the top of an access list and have even had some hitters big enough to email a few abuse@isp.com addresses. This only does so much. The router is a gateway router, so the traffic isn't getting into the network and clogging it up, but the traffic still has to go through the ACLs on the router, which uses processing, which in turn causes problems for legit traffic trying to come in and out. I guess my question is: is there an easier way to work with this other than spending an hour a day analyzing ip cache flows and placing blocks on a list?
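
The daily chore described in the question (reading `show ip cache flow`, finding the heaviest sources, writing ACL denies) can be scripted. The following is an added example, not code from the poster or from Cisco; it assumes the column layout of IOS `show ip cache flow` (protocol and ports in hex) and uses a constructed sample with RFC 5737 documentation addresses. As the poster notes, the sources are spoofed, so address-based denies only relieve the CPU while the attacker keeps reusing the same addresses.

```python
import re
from collections import Counter

# Constructed sample in the layout of IOS `show ip cache flow`; protocol and
# port columns are hex. Addresses are documentation ranges, not real hosts.
SAMPLE_FLOWS = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0/0         203.0.113.7     Fa0/1         192.0.2.10      06 0400 0050  4500
Fa0/0         203.0.113.7     Fa0/1         192.0.2.10      06 0401 0050  5200
Fa0/0         198.51.100.22   Fa0/1         192.0.2.10      06 C3A1 0050    12
Fa0/0         203.0.113.99    Fa0/1         192.0.2.10      11 1F90 0035   800
Fa0/0         198.51.100.5    Fa0/1         192.0.2.20      06 D2F0 01BB     3
"""

FLOW_RE = re.compile(
    r"^(?P<src_if>\S+)\s+(?P<src_ip>\d+\.\d+\.\d+\.\d+)\s+(?P<dst_if>\S+)\s+"
    r"(?P<dst_ip>\d+\.\d+\.\d+\.\d+)\s+(?P<proto>[0-9A-Fa-f]{2})\s+"
    r"(?P<src_port>[0-9A-Fa-f]{4})\s+(?P<dst_port>[0-9A-Fa-f]{4})\s+(?P<pkts>\d+)\s*$"
)

def parse_flows(text):
    """Yield one dict per flow line; the header and blank lines are skipped."""
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if m:
            d = m.groupdict()
            for key in ("proto", "src_port", "dst_port"):
                d[key] = int(d[key], 16)   # IOS prints these columns in hex
            d["pkts"] = int(d["pkts"])
            yield d

def packets_by_source(text):
    """Total packets seen per source address across all its flows."""
    totals = Counter()
    for flow in parse_flows(text):
        totals[flow["src_ip"]] += flow["pkts"]
    return totals

def top_sources(text, threshold):
    """Sources whose packet total meets the threshold, busiest first."""
    return [(ip, n) for ip, n in packets_by_source(text).most_common() if n >= threshold]

def acl_deny_lines(text, threshold, acl_number=101):
    """Extended-ACL deny entries for the heaviest sources (hypothetical ACL 101).
    Spoofed sources mean these entries need re-checking against fresh flow data."""
    return [f"access-list {acl_number} deny ip host {ip} any"
            for ip, _ in top_sources(text, threshold)]

if __name__ == "__main__":
    for ip, n in top_sources(SAMPLE_FLOWS, 500):
        print(f"{ip:15} {n:>6} pkts")
    print("\n".join(acl_deny_lines(SAMPLE_FLOWS, 500)))
```

Paste real `show ip cache flow` output in place of the sample and adjust the threshold to what normal traffic looks like on that router before applying anything.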

Hi Tuttlem;

I work as a data centre manager for an organisation with web-facing e-commerce gateways, and we recently came under attack from both DoS and DDoS attacks...
These combined SYN floods, TCP stacks, SQL injects and all manner of unwanted traffic that eventually knocked out my IPS resources.

After trying a number of very expensive cloud-based solutions, we eventually opted for a dedicated solution which sits in front of our interfaces in an HA pair.

This product was WS1000 by Webscreen, and because it uses "live intelligence", within 30 mins of their technician attaching the appliance we were back up and running, because we could specify exactly what type of traffic we wanted to let through.