Security Incidents mailing list archives

Arrowpoint CS-100 attack


From: Thiago Madeira de Lima <jungle () STI COM BR>
Date: Mon, 16 Oct 2000 14:39:05 -0200

        Hello,

        I'm experiencing a very hard/strange attack.

        I run a service which has the following architecture:

        1 Arrowpoint CS-100
        2 Cacheflows in one vip, which is the website address (200.x.x.1)
        1 Server in one vip. (200.x.x.2)

        This configuration works fine, but someone is attacking the IP
200.x.x.1, and then the Arrowpoint starts saying that there are *MANY*
'Illegal Source Attack', and it starts to work very slowly and kills all
services. It stops forwarding packets to the servers and marks all servers
as down.

        I'm receiving about 15Mbits of this strange traffic. And I couldn't
verify what it is, because the Arrowpoint does not forward those packets to
the real server nor the cache.

        I looked at the Arrowpoint manual and there's nothing about how to disable
the DoS filter, which I think could be an answer. Maybe the caches or the
server could handle the problem a little better.

        My problem right now is how to identify what attack is really happening, and
then filter the attack someplace before the Arrowpoint.

        Any tricks?

        Thanks a lot
        Thiago

