I have a small home network as follows:
T1 -> Cisco 1841 (12.4(3a)) -> Cisco 831 (12.4(18)) -> switch -> Server off one of the ports running SBS 2011 with Exchange 2010
The Cisco IOS is NOT being updated at this time, nor is the server.
Over the past week I have seen multiple "attacks" from various IPs across the world sending a ton of packets from various ports to port 25. If I block one IP with an access list at the 1841, then another one takes its place within 1-2 minutes. I am not under a DoS or DDoS (not enough traffic to cause that problem...yet), and no systems are infected on the inside.
What I want to know is whether, in the current IOS versions I have, I can set up a rule that will automatically block an IP at the 1841 if x number of packets exceed y in 5 seconds.
Also, for some reason the logs on the 831 are showing the traffic, but I am not seeing it pass through the 1841, so I need to make sure my logging is set up properly on the 1841 as well. While it could add some overhead, the normal traffic here is not that high. At this time I have to watch both routers, see the increased traffic on the 831, then block the IP on the 1841.
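The threshold the question describes (x packets from one source to port 25 within 5 seconds) can at least be detected offline from the routers' ACL log lines. This is an added example, not the poster's configuration or Cisco's: it assumes `service timestamps log datetime msec` and an access list carrying the `log` keyword, the sample lines are constructed, and ACL number 101 is a placeholder. IOS ACL logging summarises repeated hits per interval, so this is a detection aid for picking which IP to block, not a precise rate limiter.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the shape of IOS ACL "log" messages (service
# timestamps log datetime msec). Real routers summarise repeated hits as
# "N packets" per interval, so the count field is honoured, not assumed to be 1.
SAMPLE_LOG = """\
Jan 10 12:00:01.100: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 203.0.113.5(41000) -> 192.0.2.10(25), 1 packet
Jan 10 12:00:01.900: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 203.0.113.5(41001) -> 192.0.2.10(25), 1 packet
Jan 10 12:00:02.400: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 198.51.100.7(52000) -> 192.0.2.10(25), 1 packet
Jan 10 12:00:03.200: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 203.0.113.5(41002) -> 192.0.2.10(25), 1 packet
Jan 10 12:00:04.000: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 203.0.113.5(41003) -> 192.0.2.10(25), 1 packet
Jan 10 12:00:09.500: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 198.51.100.7(52001) -> 192.0.2.10(25), 1 packet
Jan 10 12:00:15.000: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 198.51.100.7(52002) -> 192.0.2.10(25), 1 packet
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d{3}): %SEC-6-IPACCESSLOGP: list \S+ "
    r"(?:permitted|denied) tcp (?P<src>[\d.]+)\(\d+\) -> [\d.]+\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?$"
)

def find_offenders(log_text, dport=25, threshold=4, window_s=5.0):
    """Return {src_ip: timestamp} for each source whose packets to dport reach
    `threshold` inside any sliding window of `window_s` seconds."""
    recent = defaultdict(deque)  # src -> (timestamp, count) entries in window
    totals = defaultdict(int)    # src -> packets currently inside the window
    flagged = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or int(m.group("dport")) != dport:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S.%f")
        src, n = m.group("src"), int(m.group("count"))
        recent[src].append((ts, n))
        totals[src] += n
        # Evict entries older than the window before checking the running total
        while (ts - recent[src][0][0]).total_seconds() > window_s:
            totals[src] -= recent[src].popleft()[1]
        if totals[src] >= threshold and src not in flagged:
            flagged[src] = m.group("ts")
    return flagged

def deny_acl_lines(flagged, acl="101"):
    """Candidate numbered extended ACL entries (ACL number is a placeholder) for
    the operator to review and order correctly before applying at the 1841."""
    return [f"access-list {acl} deny ip host {ip} any" for ip in sorted(flagged)]
```

Run against a syslog export from the 831 to get the list of sources that crossed the threshold and the corresponding deny lines to review.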