Blocking an External IP address in Sophos UTM

Hello all!

 

So over the course of the last day or two, we've been experiencing network slowness when trying to access the web or anything external. After taking a deeper look today at some logs, I noticed that we are experiencing somewhat of a DDoS. IPS logs are being flooded with traffic from several different IPs. The firewall logs are also blocking traffic from different IPs that are originating from the same MAC that the IPS logs indicate.

 

What I've done so far is create a Network Group, put some ranges and IPs in it, and name the group "Bad IPs".

Created a firewall rule from that group to drop any packets on any service coming to our external address.

After this, the addresses were still appearing in the IPS logs. So, after further reading on here, I created a DNAT rule telling the "Bad IPs" group, on any service going to my external address, to go to a blackhole address as noted in Rulz #2.

IPS logs are still showing the IPs coming through.

 

Any ideas or suggestions on how to completely block them from reaching the firewall?

 

Thanks!



  • Hi Justin,

    Create a blackhole route with a fake IP under static routing and create a DNAT rule with source=Bad IPs, service=any, Going to=external interfaces, and change destination to the blackhole route (fake IP).

    Regards

    mod

  • "the same MAC " will be the MAC of your ISP's last-hop router before the UTM.  Please show a line from the Intrusion Prevention log where a DNAT'd packet was tossed by Snort.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
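    As an added example (not from this thread and not Sophos code), here is a small Python script that runs over a few constructed packetfilter log lines written in the UTM's key="value" style. It groups source IPs by source MAC, which shows why "different IPs from the same MAC" is what you expect when every inbound packet is handed over by the same ISP router, counts drops per source, and reports which sources are not yet covered by the "Bad IPs" group so they can be added (collapsed into CIDR blocks where adjacent). The log lines, the exact field names as used here, the IPs (documentation ranges) and the group contents are assumptions made for illustration.

```python
import re
import ipaddress
from collections import Counter, defaultdict

# Constructed sample log lines in the key="value" style of the UTM packetfilter
# (ulogd) log plus one IPS (snort) line. Field names are an approximation for
# illustration. All packets carry the same srcmac because they arrive via the
# same upstream (ISP) router; the srcip is the only per-attacker attribute.
SAMPLE_LOG = """\
2016:03:01-09:12:01 utm ulogd[3210]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:11:22:33:44:55" srcip="198.51.100.7" dstip="192.0.2.10" proto="6" srcport="44123" dstport="443" tcpflags="SYN"
2016:03:01-09:12:01 utm ulogd[3210]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:11:22:33:44:55" srcip="198.51.100.8" dstip="192.0.2.10" proto="6" srcport="50211" dstport="443" tcpflags="SYN"
2016:03:01-09:12:02 utm ulogd[3210]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:11:22:33:44:55" srcip="198.51.100.7" dstip="192.0.2.10" proto="6" srcport="44124" dstport="443" tcpflags="SYN"
2016:03:01-09:12:02 utm snort[2211]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="packet dropped" action="drop" srcip="203.0.113.21" dstip="192.0.2.10" proto="6" srcport="60010" dstport="80"
2016:03:01-09:12:03 utm ulogd[3210]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:11:22:33:44:55" srcip="203.0.113.20" dstip="192.0.2.10" proto="6" srcport="31000" dstport="80" tcpflags="SYN"
2016:03:01-09:12:03 utm ulogd[3210]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:11:22:33:44:55" srcip="198.51.100.8" dstip="192.0.2.10" proto="6" srcport="50212" dstport="443" tcpflags="SYN"
2016:03:01-09:12:04 utm ulogd[3210]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:11:22:33:44:55" srcip="203.0.113.21" dstip="192.0.2.10" proto="6" srcport="60011" dstport="80" tcpflags="SYN"
2016:03:01-09:12:04 utm ulogd[3210]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcmac="00:11:22:33:44:55" srcip="198.51.100.7" dstip="192.0.2.10" proto="6" srcport="44125" dstport="443" tcpflags="SYN"
"""

KV = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Return the key="value" fields of one log line as a dict."""
    return dict(KV.findall(line))


def parse_log(text):
    """Keep only packetfilter records that carry a source IP; IPS lines are a separate log."""
    return [r for r in (parse_line(l) for l in text.splitlines())
            if r.get("sub") == "packetfilter" and "srcip" in r]


def sources_by_mac(records):
    """Map each source MAC to the sorted list of distinct source IPs seen behind it.

    On an Internet-facing interface this collapses to one MAC (the ISP's last-hop
    router), so the MAC says nothing about who is sending."""
    by_mac = defaultdict(set)
    for r in records:
        by_mac[r.get("srcmac", "?")].add(r["srcip"])
    return {mac: sorted(ips) for mac, ips in by_mac.items()}


def top_sources(records, min_hits=2):
    """Source IPs with at least min_hits dropped packets, most active first."""
    counts = Counter(r["srcip"] for r in records)
    return [(ip, n) for ip, n in counts.most_common() if n >= min_hits]


def is_covered(ip, group):
    """True if ip falls inside any network of the (assumed) "Bad IPs" group."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in group)


def unlisted_sources(records, group):
    """Source IPs in the log that no entry of the group matches yet."""
    return sorted({r["srcip"] for r in records if not is_covered(r["srcip"], group)})


def collapse(ips):
    """Merge adjacent host addresses into the smallest covering CIDR blocks."""
    nets = (ipaddress.ip_network(ip) for ip in ips)
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


# Assumed current contents of the "Bad IPs" network group.
BAD_IPS = [ipaddress.ip_network("198.51.100.0/24")]
RECORDS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    for mac, ips in sources_by_mac(RECORDS).items():
        print(f"{mac}: {len(ips)} distinct source IPs ({', '.join(ips)})")
    print("top sources:", top_sources(RECORDS))
    missing = unlisted_sources(RECORDS, BAD_IPS)
    print("not yet in Bad IPs:", missing, "->", collapse(missing))
```

    Feed it the exported firewall log instead of the embedded sample to get the real list; the point of `sources_by_mac` is that a single MAC in front of many source IPs is the upstream router, not one attacker, so the block list has to be built from `srcip`, and `unlisted_sources` is the check for whether an address still showing up in the logs is actually inside the group you created.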
  • Please test the blackhole route. I'm sure that with this configuration "all" packets are silently dropped. You don't need a firewall rule, just the DNAT rule without the auto checkbox.

     

    Correct me if you think I'm wrong.

    Regards

    mod