Cisco router - viewing and blocking traffic

Hello.

I have a small home network as follows:

T1 -> Cisco 1841 (12.4(3a)) -> Cisco 831 (12.4(18)) -> switch -> Server off one of the ports running SBS 2011 with Exchange 2010

The Cisco IOS is NOT being updated at this time, nor is the server.

Over the past week I have seen multiple "attacks" from various IPs across the world sending a ton of packets from various ports to port 25.  If I block one IP with an access list at the 1841 then another one takes its place within 1-2 minutes.  I am not under a DOS or DDOS (not enough traffic to cause that problem...yet) and no systems are infected on the inside.

What I want to know is if, in the current IOS versions I have, I can set up a rule that will automatically block an IP at the 1841 IF x number of packets exceed y in 5 seconds.

Also, for some reason the logs on the 831 are showing the traffic but I am not seeing it pass through the 1841 so I need to make sure my logging is set properly on the 1841 as well.  While it could increase some overhead the normal traffic here is not that high.  At this time I have to watch both routers, see the increased traffic on the 831 then block the IP on the 1841.

Thanks.
Adam DIT Solutions Developer asked:

asavener commented:
The router OS does not have tools to auto-block IPs.  Cisco has tools for this, but they're not built into the router.


Are these half-open connections?  There's definitely a way to limit the number of inbound half-open connections.  
CBAC:  Configuring Global Timeouts and Thresholds

If the connections are getting established, then you can probably mitigate this on the Exchange/SMTP server.  Create a PowerShell script that either monitors the SMTP logs or monitors netstat for connections on port 25.  Then have the script add the malicious IP to the list of blocked IPs on the Exchange server.

You might be able to do something similar with PuTTY's plink command-line tool, so that you can modify the outside ACL on the router.

CBAC lets you control some aspects of the SMTP connections.   Not sure what controls the zone-based firewall offers.  You'd need to create a new CBAC namespace, and apply it going OUT on the INSIDE interface.  Then tweak the SMTP settings.

http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/69309-smtp-esmtp-ios-fw.html
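The "watch the logs, count per source, then block" approach asavener describes, as an added example that is not code from this thread: it parses IOS ACL logging lines of the kind the 831 or 1841 emits when the ACL entry carries the `log` keyword, applies the poster's "x packets in 5 seconds" rule per source IP with a sliding window, and produces candidate deny lines for an operator to review. The sample log lines, ACL number 101 and the threshold of 20 packets are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of IOS ACL logging lines (ACL 101 with "log"), not taken
# from the original thread. 203.0.113.7 hammers port 25; 198.51.100.23 is normal.
SAMPLE_LOG = """\
Mar  1 10:00:00.101: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 198.51.100.23(51001) -> 192.0.2.10(25), 1 packet
Mar  1 10:00:01.220: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 203.0.113.7(40001) -> 192.0.2.10(25), 6 packets
Mar  1 10:00:02.005: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 203.0.113.7(40002) -> 192.0.2.10(25), 6 packets
Mar  1 10:00:02.900: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 203.0.113.7(40003) -> 192.0.2.10(25), 6 packets
Mar  1 10:00:03.400: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 198.51.100.23(51002) -> 192.0.2.10(25), 1 packet
Mar  1 10:00:04.100: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 203.0.113.7(40004) -> 192.0.2.10(25), 6 packets
Mar  1 10:00:05.700: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 203.0.113.7(40005) -> 192.0.2.10(80), 30 packets
Mar  1 10:00:20.000: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 203.0.113.7(40006) -> 192.0.2.10(25), 6 packets
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)(?:\.\d+)?: %SEC-6-IPACCESSLOGP: list \S+ "
    r"(?:permitted|denied) tcp (?P<src>\d+\.\d+\.\d+\.\d+)\(\d+\) -> "
    r"\d+\.\d+\.\d+\.\d+\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

def find_offenders(lines, threshold=20, window_s=5, dport=25):
    """Sliding window per source IP: return {src: peak_count} for sources whose
    packets to dport exceed `threshold` within any `window_s`-second span.
    Lines are assumed to arrive in time order, as syslog delivers them."""
    recent = defaultdict(deque)   # src -> deque of (timestamp, packets)
    total = defaultdict(int)      # src -> packets currently inside the window
    offenders = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or int(m.group("dport")) != dport:
            continue
        ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
        src, n = m.group("src"), int(m.group("count"))
        recent[src].append((ts, n))
        total[src] += n
        # Evict entries older than the window before checking the threshold.
        while (ts - recent[src][0][0]).total_seconds() > window_s:
            total[src] -= recent[src].popleft()[1]
        if total[src] > threshold:
            offenders[src] = max(offenders.get(src, 0), total[src])
    return offenders

def acl_entries(offenders, acl="101"):
    """Candidate deny lines for the 1841's outside ACL, for the operator to review.
    New lines on a numbered ACL append at the end, so place them before any permit."""
    return [f"access-list {acl} deny ip host {ip} any" for ip in sorted(offenders)]
```

`find_offenders(SAMPLE_LOG.splitlines())` returns `{'203.0.113.7': 24}`; the same function can be fed a live `logging` feed from the router instead of the constructed sample.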
Adam DIT Solutions Developer (author) commented:
Anybody?
Kamran Arshad, IT Associate, commented:
Hi,

The router IOS has limited capacity to prevent the modern DDoS attacks. I suggest you get a UTM (Unified Threat Management) device, which is a combo of Firewall+Proxy+VPN Gateway+IPS+IDS. Popular vendors are Cisco, Juniper, Checkpoint, SonicWALL, Fortinet. Since you already have Cisco, something like a Cisco ASA will serve your purpose.
Adam DIT Solutions Developer (author) commented:
Thanks Kamran.

I am sure an ASA would be great, just didn't want to buy one at this time.  :)  But, if you know of any IOS coding that I can tweak, I'd appreciate it.  Thanks.
Rakesh Madupu (JNCIE-SP #02079, CCIE-SP #47613), Network Development Engineer, commented:
It can be done by the inbuilt CoPP (control plane policing) feature. I am not 100% sure if your IOS supports it. Have a look at this:

http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html

In the meanwhile I shall try to do a check in the Feature Navigator to see if I find any for this platform.

Regards
perfectgame