We had a client call and say their site was being hammered.
Through Cisco’s IP Accounting, we discovered a device on the network getting whacked by a ton of IP addresses from the Internet. I gave them the IP to investigate, but with DHCP they had no way to tell who it was. So we slapped on a quick ACL to block traffic to and from the device. At this point, we assumed someone would scream. They did… And they found the culprit: torrent software. Their hammered 10mb circuit dropped to 1mb instantly after the ACL was applied.
This was done on a Cisco router.
Make sure you don’t already have an ACL 101 in place. Just change the number if necessary.
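! Extended ACL: drop all traffic to and from the offending host, permit everything else
access-list 101 remark BLOCK IP FROM NETWORK ACCESS
access-list 101 deny ip any host 192.168.61.101
access-list 101 deny ip host 192.168.61.101 any
access-list 101 permit ip any any
! Apply in interface configuration mode; <interface> is a placeholder for the interface the traffic crosses
interface <interface>
 ip access-group 101 in
 ip access-group 101 out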
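To find the host in the first place, the IP accounting table can be totalled per internal address. The script below is an added example, not part of the original post: it parses text in the column layout of `show ip accounting`, and the sample rows, the /24 LAN prefix and the function name `top_talkers` are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the Source/Destination/Packets/Bytes layout of
# `show ip accounting`; every address and counter here is made up.
SAMPLE = """\
   Source           Destination              Packets               Bytes
 192.168.61.101   203.0.113.10                  4210             5123400
 203.0.113.10     192.168.61.101                3980              412300
 192.168.61.101   198.51.100.7                  3877             4770120
 198.51.100.7     192.168.61.101                3502              390010
 192.168.61.101   203.0.113.99                  2950             3600450
 192.168.61.23    198.51.100.80                  120               90400
 198.51.100.80    192.168.61.23                  140              160200
"""

ROW = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\d+)\s*$")

def top_talkers(text, lan="192.168.61.0/24"):  # LAN prefix is an assumption
    """Return [(host, total_bytes, distinct_remote_peers)], busiest LAN host first."""
    net = ipaddress.ip_network(lan)
    total = defaultdict(int)
    peers = defaultdict(set)
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, blank line or footer text
        try:
            src = ipaddress.ip_address(m.group(1))
            dst = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue  # four dotted numbers that are not a valid IPv4 address
        nbytes = int(m.group(4))
        # Credit the row to whichever end sits inside the LAN, in either direction
        for inside, outside in ((src, dst), (dst, src)):
            if inside in net and outside not in net:
                total[str(inside)] += nbytes
                peers[str(inside)].add(str(outside))
    return sorted(((h, total[h], len(peers[h])) for h in total),
                  key=lambda r: r[1], reverse=True)

if __name__ == "__main__":
    for host, nbytes, npeers in top_talkers(SAMPLE):
        print(f"{host:<16} {nbytes:>12} bytes  {npeers} remote peers")
```

A host that leads on bytes and also talks to far more remote peers than its neighbours is the one to chase down before reaching for the ACL.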