How can you track the path an external user took to enter your network?
Posted on 2006-11-16
Our IDS sensor detected a public IP address (61.177.*.*) that was attempting to hack several of our FTP servers last night. I added a policy to block and log any attempts from that IP on our firewall. That had no effect. On further investigation, I found that 3 of the servers the hacker was attempting to log into are not even mapped through on any ports through the firewall. We have 2 entry points to our network: Internet and Frame Relay to over 100 remote locations. I'm not sure how a public IP can be making it through our private frame. I can ping and telnet to the attacker's IP address, but the path just goes straight out through our internet connection. What tool or method can I use to find the entry point? Thanks!