Okay, I know I probably can't stop it, but it seemed like a good title.
I am a junior systems analyst and I monitor Cisco routers and switches. On one of my routers, a Cisco 7200 series running IOS 12.2(15)T17, I have been monitoring a Denial of Service attack for a few weeks now. Someone or some people have it out for us, it seems, and are not only overloading my router's cpu (now runs between 75% and 100%) but they are spoofing IPs to do it. I've placed several blocks at the top of an access list and have even had some hitters big enough to email a few abuse@isp.com addresses. This only does so much. The router is a gateway router so the traffic isn't getting into the network and clogging it up, but the traffic still has to go through the ACLs on the router which uses processing which in turn causes problems for legit traffic trying to come in and out. I guess my question is: is there an easier way to work with this other than spending an hour a day analyzing ip cache flows and placing blocks on a list?
