Clinton
1. This is an internally created issue. Someone on your internal network is causing this flood.

2. When you say that "getting a LOT of traffic (from random IPs and on different ports, with tcp and udp)", do you mean to say:
   - That the source IPs are all different but the Dest IP is the same?

3. One point to start looking is the session dump (SIP, DIP, sport, dport, proto) from the FW, and logs from the router.

-Pradeep

-----Original Message-----
From: Clinton McLeay [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 12, 2002 5:24 AM
To: [EMAIL PROTECTED]
Subject: Denial of service question.

Hello, here's my question for all of you guys and gals..

We have a single T1 line to the Internet that we use to host web pages and such. Lately one of our computers has started getting a LOT of traffic (from random IPs and on different ports, with tcp and udp). The router we have is just a 2500 series Cisco which we DON'T have access to, however the upstream provider will put in rules for us.

The denial of service sometimes goes on for a couple of days, and our upstream says that there is *NOTHING* they can do to help us block this. They suggest we set up a firewall, which we HAVE, but it's on our side of the T1 router... So if 1.5M is flooding in, basically we are out of luck.

The question I have is: Is there any way to help this situation? How possible is it for us to put a firewall BEFORE the T1 line to block all of this before it hits our poor little line, or would this even help? I don't know if this would even be possible?

Is there some sort of way we can have a fallback line in case this happens, and just move all of our IP addresses over to another T1 while this is happening to this one computer, so it's only getting attacked and not EVERY server we have on that line?

Any help would be great!

-Clinton
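
Added example, not part of the original thread: one way to answer the reply's second question from the session dump it suggests pulling, by grouping the (SIP, DIP, sport, dport, proto) tuples per destination and counting distinct sources, ports and protocols. The whitespace-separated dump format, the sample rows, and the `INTERNAL_NETS` range are constructed assumptions; real firewall output differs by vendor.

```python
import ipaddress
from collections import defaultdict

# Assumption: the site's internal address space. Replace with your own ranges.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample dump (documentation address ranges).
# Columns: SIP DIP sport dport proto
SAMPLE_DUMP = """\
198.51.100.7   203.0.113.10  4312   80    tcp
198.51.100.91  203.0.113.10  1029   6667  udp
192.0.2.44     203.0.113.10  60211  53    udp
192.0.2.200    203.0.113.10  2231   8080  tcp
10.1.1.23      203.0.113.10  3390   135   udp
198.51.100.15  203.0.113.25  5120   25    tcp
truncated-row  203.0.113.10
"""

def parse_dump(text):
    """Yield (sip, dip, sport, dport, proto); skip blank or malformed rows."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        try:
            yield (ipaddress.ip_address(fields[0]), ipaddress.ip_address(fields[1]),
                   int(fields[2]), int(fields[3]), fields[4].lower())
        except ValueError:
            continue  # unparsable address or port

def summarize(sessions, internal_nets=INTERNAL_NETS):
    """Group sessions by destination IP and profile what is hitting it."""
    stats = defaultdict(lambda: {"sessions": 0, "sources": set(), "dports": set(),
                                 "protos": set(), "internal_sources": set()})
    for sip, dip, _sport, dport, proto in sessions:
        entry = stats[str(dip)]
        entry["sessions"] += 1
        entry["sources"].add(str(sip))
        entry["dports"].add(dport)
        entry["protos"].add(proto)
        if any(sip in net for net in internal_nets):
            entry["internal_sources"].add(str(sip))  # flood traffic from inside
    return dict(stats)

def top_target(stats):
    """Destination IP contacted by the largest number of distinct sources."""
    return max(stats, key=lambda dip: len(stats[dip]["sources"]))

if __name__ == "__main__":
    report = summarize(parse_dump(SAMPLE_DUMP))
    dip = top_target(report)
    print(dip, {k: (len(v) if isinstance(v, set) else v) for k, v in report[dip].items()})
```

Many distinct sources converging on one destination across unrelated ports and both protocols matches the pattern the reply asks about, and a non-empty `internal_sources` set is the evidence to look for when checking the claim that the flood originates inside the network.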