Attack traffic on Router cisco 3925

Dear Experts, we noticed some abnormal traffic on my Cisco 3925 router when we issued the commands "show processes cpu", "show ip flow top-talker" and "show ip nat translations". We blocked some IPs which looked strange, but others keep coming to attack us on port 389.

Is there any way to configure the router so that it can react automatically, for example block an IP when the connection count is higher than a pre-defined threshold? My router's CPU is at 17-25%; is that too high? Normally, at off-peak time, it's only about 10%.

Please suggest. Many thanks as always!
Asked by Tjno (Network Administrator):
Tjno (Network Administrator, author) commented:
The problem was resolved after inserting a deny rule in the ACL to reject traffic on port 389 to our public IP addresses. Many thanks!
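An added example, not the poster's own configuration, of the kind of ACL the accepted answer describes: an inbound extended ACL on the Internet-facing interface that drops LDAP (TCP and UDP 389) aimed at the public AD address range and leaves all other traffic unchanged. The range 203.0.113.0/24, the ACL name EDGE-IN and the interface name are placeholders.

```cisco
! Added example, not the original poster's config.
! 203.0.113.0/24, EDGE-IN and GigabitEthernet0/0 are placeholders for the real values.
ip access-list extended EDGE-IN
 remark Drop unsolicited LDAP (TCP and UDP 389) from the Internet to the public AD range
 deny   tcp any 203.0.113.0 0.0.0.255 eq 389
 deny   udp any 203.0.113.0 0.0.0.255 eq 389
 remark Everything else passes as before; tighten further once the normal baseline is known
 permit ip any any
!
interface GigabitEthernet0/0
 description Internet uplink
 ip access-group EDGE-IN in
!
! Verification: per-entry hit counters confirm the drops without any logging overhead
!   show ip access-lists EDGE-IN
! Reset the counters before re-measuring CPU so new matches are easy to read
!   clear ip access-list counters EDGE-IN
```

Adding `log` to the deny lines would record source addresses in syslog, but logged ACL matches raise CPU load on a busy router, which is the very symptom being chased here; the hit counters alone are enough to confirm the block is working.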
atlas_shuddered (Sr. Network Engineer) commented:
Where is the traffic coming from (Internet, LAN, DMZ, etc.), and is it passing through the router or attempting to connect to it? It is not clear exactly what the attack looks like.
Tjno (Network Administrator, author) commented:
Hi, we have several Active Directory and Exchange mail systems. When we issued the command "show ip flow top-talker", we saw traffic from the same IP (on the Internet, outside my country) to our AD servers' public IP addresses on port 389. We noticed because one of our AD servers was off, but IPs were still trying to connect to it.

After blocking that IP with an access-list, we saw lots of matches when we issued the command "show ip access-list", and the router's CPU load also dropped significantly. Is that enough to confirm the attack?

Please suggest.
atlas_shuddered (Sr. Network Engineer) commented:
At face value it sounds like the answer is yes. However, I would also suggest that you install either an IDS/IPS, a firewall, or both, as there may still be, or may begin to be, other undesirable or malicious traffic that you aren't able to see. Trying to filter that on a router and catch it with a deny-all log is going to be difficult.
Tjno (Network Administrator, author) commented:
Hi, I blocked that public IP (currently unused) in the access list, and the router's CPU dropped back to normal, just 10-15%.
Tjno (Network Administrator, author) commented:
Hi, it is still running at 19-20%. I checked with "show process" and saw this:

[attached screenshot: showlog.JPG]

Is this normal?
Tjno (Network Administrator, author) commented:
Self-resolved the problem.