I'm having serious problems with a 2621 router; it's a gateway to 4 different networks. My problem is that I'm getting DoS every few minutes unless I do a "clear arp".
I'm new at this stuff, does anyone have a clue where to start?
For the moment I set the arp timeout to a low value, and I'm going to try what you pointed out tomorrow. Could the low arp timeout affect me on Monday when everyone's working?
Like I said, I'm new at this, so I'm looking around for setting up netflow, definitely need to kill the attacker. Any quick way?
Do you have at least some sort of ACL inbound on your WAN/Internet interface?
You would need to know the IP address of the attacker to be able to do anything. You can put a deny ip any any for now until you find out his info. Keep in mind this will deny any remote connections into your inside network.
You can export the netflow data to a collector, but you can also view the data from the CLI. The command is "sh ip cache flow".
What is your input rate of the WAN/Internet interface? The rate can only be displayed for a rolling 30-second average, but if he is attacking for that amount of time you should see a spike in traffic. "show int <interface>" should show the traffic rate.
Take a look at this link too, it has some good ideas.
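Added example, not part of the original thread: a small Python parser that ranks source addresses by packet count from pasted "sh ip cache flow" output, which is one way to find the address to put in the inbound ACL. The sample text is constructed (documentation addresses, assumed interface names Fa0/0 and Fa0/1) and assumes the classic IOS flow-record layout with hexadecimal Pr, SrcP and DstP columns.

```python
import re
from collections import Counter

# Constructed sample in the classic IOS flow-record layout; not real router output.
SAMPLE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0/0         198.51.100.23   Fa0/1         192.0.2.10      11 0401 0035  9100
Fa0/0         198.51.100.23   Fa0/1         192.0.2.11      11 0402 0035  8700
Fa0/0         203.0.113.7     Fa0/1         192.0.2.10      06 C350 0050    42
Fa0/1         192.0.2.10      Fa0/0         203.0.113.7     06 0050 C350    38
Fa0/0         203.0.113.99    Local         192.0.2.1       01 0000 0800     5
"""

IP = r"\d+\.\d+\.\d+\.\d+"
FLOW = re.compile(
    rf"^(?P<src_if>\S+)\s+(?P<src>{IP})\s+(?P<dst_if>\S+)\s+(?P<dst>{IP})\s+"
    r"(?P<pr>[0-9A-Fa-f]{2})\s+(?P<sp>[0-9A-Fa-f]{4})\s+"
    r"(?P<dp>[0-9A-Fa-f]{4})\s+(?P<pkts>\d+(?:\.\d+)?[KM]?)\s*$"
)

def parse_pkts(field):
    """Convert the Pkts column to an int; K/M suffixes are assumed abbreviations."""
    scale = {"K": 1_000, "M": 1_000_000}.get(field[-1], 1)
    digits = field[:-1] if scale != 1 else field
    return int(float(digits) * scale)

def parse_flows(text):
    """Return one dict per flow record; headers and summary lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW.match(line.strip())
        if m:
            flows.append({
                "src_if": m["src_if"], "src": m["src"],
                "dst_if": m["dst_if"], "dst": m["dst"],
                "proto": int(m["pr"], 16),   # 0x11 = 17 = UDP
                "sport": int(m["sp"], 16), "dport": int(m["dp"], 16),
                "pkts": parse_pkts(m["pkts"]),
            })
    return flows

def top_sources(flows, ingress, n=3):
    """Rank source IPs by total packets for flows entering on `ingress`."""
    totals = Counter()
    for f in flows:
        if f["src_if"] == ingress:
            totals[f["src"]] += f["pkts"]
    return totals.most_common(n)

if __name__ == "__main__":
    for ip, pkts in top_sources(parse_flows(SAMPLE), "Fa0/0"):
        print(f"{ip:<16} {pkts}")
```
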