Attack traffic on Router cisco 3925

Dear Experts, we noticed some abnormal traffic on my Cisco 3925 router when issuing the commands "show processes cpu", "show ip flow top-talker" and "show ip nat translations", and blocked some IPs that looked strange, but others keep coming to attack us on port 389.

Is there any way to configure the router so that it reacts automatically? For example, block an IP when the number of connections is higher than a pre-defined threshold? My router's CPU is at 17-25%; is that too high? Normally at off-peak time it's only about 10%.

Please suggest. Many thanks as always!
DP230 (Network Administrator) asked:

atlas_shuddered (Sr. Network Engineer) commented:
Where is the traffic coming from (Internet, LAN, DMZ, etc.) and is it passing through the router or attempting to connect to it? Not clear on exactly what the attack looks like.
DP230 (Network Administrator, author) commented:
Hi, we have several Active Directory and Exchange mail servers. When issuing the command "show ip flow top-talker", we saw some traffic from the same IP (on the Internet, outside my country) to our AD servers' public IP addresses on port 389. We noticed it because one of our AD servers was off, but there were still IPs trying to connect to it.

After blocking that IP in the access-list, we saw lots of matches when issuing the command "show ip access-list", and the router's CPU was also reduced significantly. Is that enough to confirm the attack?

Please suggest.
atlas_shuddered (Sr. Network Engineer) commented:
At face value it sounds like the answer is yes. However, I would also suggest that you install either an IDS/IPS, a firewall, or both, as there may still be, or may begin to be, other undesirable or malicious traffic that you aren't able to see. Trying to filter that on a router and catch it with a deny-all log is going to be difficult.
DP230 (Network Administrator, author) commented:
Hi, I blocked that public IP (currently unused) in the access list, and the router's CPU was reduced to normal, just 10-15%.
DP230 (Network Administrator, author) commented:
Hi, it is still running at 19-20%. I checked with "show process" and saw this:

[attachment: showlog.JPG]
Is this normal?
DP230 (Network Administrator, author) commented:
The problem was resolved after inserting a deny rule in the ACL to reject traffic on port 389 to our public IP addresses. Many thanks!
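As an added illustration (not configuration posted by the thread's author), this is what the deny rule described above looks like as an extended ACL on IOS, applied inbound on the Internet-facing interface so it is evaluated before NAT; the interface name and the 203.0.113.x addresses are placeholders for the poster's WAN interface and the AD servers' public IPs.

```cisco
! Added example; placeholders, not the poster's real addresses or interface.
! 203.0.113.10 / 203.0.113.11 = public IPs of the AD servers (assumed)
! GigabitEthernet0/0            = Internet-facing interface (assumed)
ip access-list extended BLOCK-LDAP-FROM-INTERNET
 remark Drop unsolicited LDAP (389/tcp and 389/udp) from the Internet to AD public IPs
 deny   tcp any host 203.0.113.10 eq 389 log
 deny   udp any host 203.0.113.10 eq 389 log
 deny   tcp any host 203.0.113.11 eq 389 log
 deny   udp any host 203.0.113.11 eq 389 log
 remark Keep existing behaviour for everything else (tighten further as needed)
 permit ip any any
!
interface GigabitEthernet0/0
 description Internet-facing WAN link
 ip access-group BLOCK-LDAP-FROM-INTERNET in
!
! Confirm the deny entries are matching (the "matches" counter should grow):
!   show ip access-lists BLOCK-LDAP-FROM-INTERNET
! Reset counters after a change so the hit counts stay meaningful:
!   clear ip access-list counters BLOCK-LDAP-FROM-INTERNET
```

The `log` keyword punts matching packets to the CPU for logging, which on a busy router adds to exactly the load the poster was watching; once `show ip access-lists` confirms the entries are matching, it can be dropped from the deny lines.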
DP230 (Network Administrator, author) commented:
Self-resolved the problem.