Cisco router - viewing and blocking traffic


I have a small home network as follows:

T1 -> Cisco 1841 (12.4(3a)) -> Cisco 831 (12.4(18)) -> switch -> Server off one of the ports running SBS 2011 with Exchange 2010

The Cisco IOS is NOT being updated at this time, nor is the server.

Over the past week I have seen multiple "attacks" from various IPs across the world sending a ton of packets from various ports to port 25.  If I block one IP with an access list at the 1841 then another one takes its place within 1-2 minutes.  I am not under a DOS or DDOS (not enough traffic to cause that problem...yet) and no systems are infected on the inside.

What I want to know is whether, in the current IOS versions I have, I can set up a rule that will automatically block an IP at the 1841 if x number of packets exceed y in 5 seconds.

Also, for some reason the logs on the 831 are showing the traffic but I am not seeing it pass through the 1841 so I need to make sure my logging is set properly on the 1841 as well.  While it could increase some overhead the normal traffic here is not that high.  At this time I have to watch both routers, see the increased traffic on the 831 then block the IP on the 1841.

Adam, DIT Solutions Developer, asked:

Kamran Arshad, IT Associate, commented:

The router IOS has limited capacity to prevent modern DDoS attacks. I suggest you get a UTM (Unified Threat Management) device, which is a combo of Firewall + Proxy + VPN Gateway + IPS + IDS. Popular vendors are Cisco, Juniper, Check Point, SonicWALL, Fortinet. Since you already have Cisco, something like a Cisco ASA will serve your purpose.
Adam, DIT Solutions Developer (Author), commented:
Thanks Kamran.

I am sure an ASA would be great, just didn't want to buy one at this time.  :)  But, if you know of any IOS coding that I can tweak, I'd appreciate it.  Thanks.
Rakesh Madupu, JNCIE-SP #02079, CCIE-SP #47613, Network Development Engineer, commented:
It can be done with the built-in CoPP (control plane policing) feature. I am not 100% sure if your IOS supports it. Have a look at this

In the meanwhile I shall try to do a check in the Feature Navigator to see if I find anything for this platform.

The router OS does not have tools to auto-block IPs.  Cisco has tools for this, but they're not built into the router.

Are these half-open connections?  There's definitely a way to limit the number of inbound half-open connections.  
CBAC:  Configuring Global Timeouts and Thresholds

If the connections are getting established, then you can probably mitigate this on the Exchange/SMTP server.  Create a PowerShell script that either monitors the SMTP logs or monitors netstat for connections on port 25.  Then have the script add the malicious IP to the list of blocked IPs on the Exchange server.

You might be able to do something similar with PuTTY's plink command-line tool, so that you can modify the outside ACL on the router.

CBAC lets you control some aspects of the SMTP connections.   Not sure what controls the zone-based firewall offers.  You'd need to create a new CBAC namespace, and apply it going OUT on the INSIDE interface.  Then tweak the SMTP settings.
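The CBAC half-open thresholds and SMTP inspection the answer above refers to, written out as an added example for the 1841's 12.4 IOS (this is not configuration from the thread or from Cisco's documentation). The interface name FastEthernet0/1, the inspection name SMTP-FW, and every threshold number are assumed values for illustration; the existing outside ACL is assumed to already permit TCP/25 to the server.

```cisco
! Added example, not from the thread: CBAC half-open thresholds plus ESMTP
! inspection on a Cisco 1841 running 12.4. Interface name, inspection name
! and the numbers below are assumptions; tune them to measured traffic.

! Global half-open (embryonic) session thresholds. When the total number of
! half-open sessions passes the high mark, CBAC deletes half-open sessions
! until the count falls below the low mark.
ip inspect max-incomplete high 400
ip inspect max-incomplete low 300

! The same idea measured as a rate: new half-open sessions per minute.
ip inspect one-minute high 500
ip inspect one-minute low 400

! Per-host protection: once 50 half-open TCP sessions to one inside host
! accumulate, CBAC drops further SYNs to that host for 2 minutes.
! Caveat: this counts by DESTINATION (the Exchange server), not by source IP,
! so legitimate senders are refused during block-time too; keep it short.
ip inspect tcp max-incomplete host 50 block-time 2

! Give up on unanswered SYNs sooner so dead half-opens do not pile up.
ip inspect tcp synwait-time 15

! Log every session CBAC tracks, so the 1841 shows the traffic the 831 sees.
ip inspect audit-trail

! Inspection rule. esmtp (12.3(7)T and later) is used rather than smtp because
! plain smtp inspection can reset sessions that use extended commands such as
! those Exchange sends; smtp and esmtp cannot both be in one rule.
ip inspect name SMTP-FW esmtp
ip inspect name SMTP-FW tcp

! Apply it OUTBOUND on the INSIDE interface (toward the 831 and the server),
! so the sessions being inspected are the ones the Internet initiates inward.
interface FastEthernet0/1
 description Inside - toward Cisco 831 and SBS server
 ip inspect SMTP-FW out

! Checks after applying:
!   show ip inspect config
!   show ip inspect sessions
!   show ip inspect statistics
```

Two points worth keeping in mind when reading the counters: the host block-time protects the server by refusing new SYNs to it, so it is a brake on a flood rather than the per-source-IP block the question asks for, and the audit trail adds a syslog line per session, which is affordable at this site's traffic level but should be watched on a busier link.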
