Huawei 9306 switch: ICMP packet attack causes packet loss on directly connected addresses while transit traffic is unaffected (fault handling report)
Fault description
Symptom: Pinging any directly connected address of the Huawei 9306 switch shows packet loss, while the service traffic forwarded through the switch is not affected.
Current state, topology and configuration
Network (topology diagram not preserved): Huawei 9303 switch -- Huawei 9306 switch
Fault symptoms and handling
Step 1:
1. On switch 9306-B, inspect the log buffer with display logbuffer:

Apr 23 2012 14:25:16 JM-SN5L-DCN-9306-2 %%01QOSE/4/CPCAR_DROP_LPU(l): Some packets are dropped by cpcar on the LPU in slot 1. (Protocol=icmp, Drop-Count=0529546)
Apr 23 2012 14:25:16 JM-SN5L-DCN-9306-2 %%01QOSE/4/CPCAR_DROP_MPU(l): Some packets are dropped by cpcar on the MPU. (Protocol=icmp, Drop-Count=049663)
Apr 23 2012 14:15:16 JM-SN5L-DCN-9306-2 %%01QOSE/4/CPCAR_DROP_LPU(l): Some packets are dropped by cpcar on the LPU in slot 1. (Protocol=icmp, Drop-Count=0489843)
Apr 23 2012 14:15:16 JM-SN5L-DCN-9306-2 %%01QOSE/4/CPCAR_DROP_MPU(l): Some packets are dropped by cpcar on the MPU. (Protocol=icmp, Drop-Count=049826)
Apr 23 2012 14:09:39 JM-SN5L-DCN-9306-2 %%01HWCM/4/EXIT(l): Exit from configure mode.
Apr 23 2012 14:05:16 JM-SN5L-DCN-9306-2 %%01QOSE/4/CPCAR_DROP_LPU(l): Some packets are dropped by cpcar on the LPU in slot 1. (Protocol=icmp, Drop-Count=0483657)

A large volume of ICMP packets reaching the device is being dropped by CPCAR on the main processing unit (MPU) and on the LPU in slot 1.

2. On switch 9306-B, inspect the CPCAR counters with display cpu-defend statistics all:

CPCAR on mainboard
-------------------------------------------------------------------------------
Packet Type        Pass(Bytes)   Drop(Bytes)   Pass(Packets)   Drop(Packets)
stp                          0             0               0               0
smart-link                   0             0               0               0
ldt                          0             0               0               0
lacp                         0             0               0               0
lldp                         0             0               0               0
dldp                         0             0               0               0
vrrp                         0             0               0               0
isis                         0             0               0               0
igmp                         0             0               0               0
pim                          0             0               0               0
rip                          0             0               0               0
ospf                     14060             0             132               0
bgp                      88257             0            1175               0
mpls-rsvp                    0             0               0               0
mpls-ldp                     0             0               0               0
ttl-expired                  0             0               0               0
icmp                 118941948      52491134         182****          ****36
eoam-3ah                     0             0               0               0
mpls-ping                    0             0               0               0
mpls-ttl-expired             0             0               0               0
ntp                          0             0               0               0
ripng                        0             0               0               0
ospfv3                       0             0               0               0
bgp4plus                     0             0               0               0
pimv6                        0             0               0               0
hotlimit                     0             0               0               0
vrrp6                        0             0               0               0
mld                      13130             0             135               0
icmpv6                       0             0               0               0
telnet                  800735             0           12506               0
ssh                          0             0               0               0
ftp                          0             0               0               0
snmp                         0             0               0               0
radius                       0             0               0               0
hw-tacacs                    0             0               0               0
tcp                      14052             0             198               0
mpls-fib-hit                 0             0               0               0
fib-hit                      0             0               0               0
arp-miss                 16302             0             207               0
unknown-packet               0             0               0               0
hopbyhop                     0             0               0               0
pppoe                        0             0               0               0
bpdu-tunnel                  0             0               0               0
rrpp                         0             0               0               0
udp-helper                   0             0               0               0
-------------------------------------------------------------------------------
CPCAR on slot 1
-------------------------------------------------------------------------------
Packet Type        Pass(Bytes)   Drop(Bytes)   Pass(Packets)   Drop(Packets)
arp-request              11968             0             176               0
arp-reply                 4420             0              66               0
stp                          0             0               0               0
smart-link                   0             0               0               0
ldt                          0             0               0               0
lacp                         0             0               0               0
lldp                         0             0               0               0
dldp                         0             0               0               0
vrrp                         0             0               0               0
mpls-oam                     0             0               0               0
isis                         0             0               0               0
dhcp-client                  0             0               0               0
dhcp-server                  0             0               0               0
igmp                         0             0               0               0
pim                          0             0               0               0
rip                          0             0               0               0
ospf                   2122962             0           22963               0
bgp                      91561             0            1175               0
bfd                          0             0               0               0
mpls-rsvp                    0             0               0               0
mpls-ldp                     0             0               0               0
ttl-expired             143622             0            1453               0
icmp                 180788146     622068196         2626569         9079349
eoam-3ah                     0             0               0               0
eoam-1ag                     0             0               0               0
mpls-ping                    0             0               0               0
mpls-ttl-expired             0             0               0               0
ntp                          0             0               0               0
8021x                        0             0               0               0
http                         0             0               0               0
ripng                        0             0               0               0
ospfv3                       0             0               0               0
bgp4plus                     0             0               0               0
pimv6                        0             0               0               0
hotlimit                     0             0               0               0
vrrp6                        0             0               0               0
dhcpv6-request               0             0               0               0
dhcpv6-reply                 0             0               0               0
mld                      13670             0             135               0
icmpv6                       0             0               0               0
hvrp                         0             0               0               0
telnet                  853955           136           12553               2
ssh                          0             0               0               0
ftp                          0             0               0               0
snmp                         0             0               0               0
radius                       0             0               0               0
hw-tacacs                    0             0               0               0
tcp                      13392             0             180               0
mpls-fib-hit                 0             0               0               0
fib-hit                   9000             0              90               0
arp-miss                 17034             0             207               0
unknown-packet               0             0               0               0
unknown-multicast     13717348             0          166654               0
hopbyhop                     0             0               0               0
pppoe                        0             0               0               0
bpdu-tunnel                  0             0               0               0

The output above makes it clear that the switch cannot keep up with the volume of ICMP it is receiving, so the excess is dropped. Only the icmp row shows significant drops; routing protocols and management traffic are still passing, which is why transit service is unaffected while pings to the switch's own addresses fail.

Step 2: Enable ICMP debugging on the 9306 to identify the specific attack sources.
Running debugging ip icmp on the switch showed that the bulk of the ICMP packets arriving from Heshan came from three source subnets: 132.103.145.0/24, 132.103.146.0/24 and 132.103.147.0/24. The customer was therefore advised to have the Heshan site run virus scans on the hosts in these subnets.

Step 3: Restore service (blacklist ICMP from the three subnets above on the switch)

acl number 3100
 rule 5 permit icmp source 132.103.145.0 0.0.0.255
 rule 10 permit icmp source 132.103.147.0 0.0.0.255
 rule 15 permit icmp source 132.103.146.0 0.0.0.255
#
cpu-defend policy 1
 blacklist 1 acl 3100
#
slot 1
 cpu-defend-policy 1

After this change ICMP processing returned to normal and pings to the directly connected addresses no longer dropped; the switch was observed for a further day and remained normal. The attack source is therefore within the Heshan site.
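The evidence in Step 1 is two pieces of CLI output: CPCAR_DROP messages in the log buffer and the per-protocol CPCAR counter table. The script below is an added example, not part of the original report or Huawei's tooling, showing how a defender can parse both formats and flag the protocol that is being rate-limited, so the same check can be run against many switches instead of reading the table by eye. The sample inputs are constructed to match the formats shown above (the log hostname is replaced with a placeholder; the counter rows are an excerpt of the slot 1 table from this report), the thresholds are assumptions, and whether Drop-Count is cumulative or per-interval is not stated on the page, so the summary only reports the number of messages and the largest count seen.

```python
import re
from collections import defaultdict

# Constructed sample in the format of `display logbuffer` on a Huawei 93xx switch.
# Hostname SW-EXAMPLE is a placeholder; the counters mirror the report's values.
SAMPLE_LOGBUFFER = """\
Apr 23 2012 14:25:16 SW-EXAMPLE %%01QOSE/4/CPCAR_DROP_LPU(l): Some packets are dropped by cpcar on the LPU in slot 1. (Protocol=icmp, Drop-Count=0529546)
Apr 23 2012 14:25:16 SW-EXAMPLE %%01QOSE/4/CPCAR_DROP_MPU(l): Some packets are dropped by cpcar on the MPU. (Protocol=icmp, Drop-Count=049663)
Apr 23 2012 14:09:39 SW-EXAMPLE %%01HWCM/4/EXIT(l): Exit from configure mode.
Apr 23 2012 14:05:16 SW-EXAMPLE %%01QOSE/4/CPCAR_DROP_LPU(l): Some packets are dropped by cpcar on the LPU in slot 1. (Protocol=icmp, Drop-Count=0483657)
"""

# Constructed excerpt in the format of `display cpu-defend statistics all`
# (rows taken from the slot 1 table in the report above).
SAMPLE_STATS = """\
CPCAR on slot 1
-------------------------------------------------------------------------------
Packet Type        Pass(Bytes)   Drop(Bytes)   Pass(Packets)   Drop(Packets)
ospf                   2122962             0           22963               0
bgp                      91561             0            1175               0
icmp                 180788146     622068196         2626569         9079349
telnet                  853955           136           12553               2
unknown-multicast     13717348             0          166654               0
"""

# One CPCAR_DROP log line: timestamp, hostname, board type, protocol, drop count.
CPCAR_DROP_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%%01QOSE/4/CPCAR_DROP_(?P<board>LPU|MPU)\(l\): .*?"
    r"\(Protocol=(?P<proto>[\w-]+), Drop-Count=(?P<count>\d+)\)"
)
SLOT_RE = re.compile(r"in slot (\d+)")

# One data row of the counter table: name followed by four integer columns.
STATS_ROW_RE = re.compile(
    r"^(?P<proto>[\w-]+)\s+(?P<pb>\d+)\s+(?P<db>\d+)\s+(?P<pp>\d+)\s+(?P<dp>\d+)\s*$"
)
BOARD_HDR_RE = re.compile(r"^CPCAR on (?P<board>.+)$")


def parse_cpcar_drops(logbuffer):
    """Return [(timestamp, board, protocol, drop_count)] for every CPCAR_DROP message."""
    events = []
    for line in logbuffer.splitlines():
        m = CPCAR_DROP_RE.match(line)
        if not m:
            continue  # EXIT and other unrelated messages are skipped
        board = m["board"]
        if board == "LPU":
            slot = SLOT_RE.search(line)
            board = f"LPU slot {slot.group(1)}" if slot else "LPU"
        events.append((m["ts"], board, m["proto"], int(m["count"])))
    return events


def summarize_drops(logbuffer):
    """Per (board, protocol): how many CPCAR_DROP messages and the largest Drop-Count seen.
    Assumption: counts are not summed because the page does not say whether they are cumulative."""
    summary = defaultdict(lambda: {"messages": 0, "max_drop_count": 0})
    for _ts, board, proto, count in parse_cpcar_drops(logbuffer):
        entry = summary[(board, proto)]
        entry["messages"] += 1
        entry["max_drop_count"] = max(entry["max_drop_count"], count)
    return dict(summary)


def parse_cpu_defend_stats(text):
    """Parse the counter table(s) into {board: {protocol: (pass_bytes, drop_bytes, pass_pkts, drop_pkts)}}."""
    boards, current = {}, None
    for line in text.splitlines():
        hdr = BOARD_HDR_RE.match(line)
        if hdr:
            current = hdr["board"].strip()
            boards[current] = {}
            continue
        row = STATS_ROW_RE.match(line)
        if row and current is not None:
            boards[current][row["proto"]] = tuple(int(row[k]) for k in ("pb", "db", "pp", "dp"))
    return boards


def flag_cpcar_victims(boards, min_drop_pkts=1000, min_drop_ratio=0.1):
    """Return [(board, protocol, drop_pkts, drop_ratio)] for protocols whose CPCAR drops
    exceed both an absolute packet count and a share of all packets (thresholds are assumptions)."""
    flagged = []
    for board, rows in boards.items():
        for proto, (_pb, _db, pass_pkts, drop_pkts) in rows.items():
            total = pass_pkts + drop_pkts
            ratio = drop_pkts / total if total else 0.0
            if drop_pkts >= min_drop_pkts and ratio >= min_drop_ratio:
                flagged.append((board, proto, drop_pkts, round(ratio, 3)))
    flagged.sort(key=lambda r: r[2], reverse=True)
    return flagged


if __name__ == "__main__":
    for key, val in summarize_drops(SAMPLE_LOGBUFFER).items():
        print(f"{key[0]:<12} {key[1]:<6} messages={val['messages']} max_drop_count={val['max_drop_count']}")
    for board, proto, dropped, ratio in flag_cpcar_victims(parse_cpu_defend_stats(SAMPLE_STATS)):
        print(f"{board}: {proto} dropped={dropped} drop_ratio={ratio}")
```

Run against the sample, only icmp on slot 1 is flagged (about 78% of ICMP packets dropped); telnet shows two drops but stays below the absolute threshold. A protocol with a high drop ratio that is not ICMP would point to a different problem, for example an ARP or BGP storm hitting its own CPCAR limit.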
Handling-process log files
No. | File name | Description |
1 | | The LOG file should contain the device's software version information, hardware configuration information and the logs from the handling process. |
Root cause analysis
1. Huawei 9300 series switches, in the default hidden mode, apply a QoS rate limit to each type of protocol packet sent to the CPU. When packets of a given type exceed the configured rate, CPU-DEFEND drops the subsequent packets; for ICMP this shows up as packet loss on pings to the switch itself, while forwarded traffic, which does not go to the CPU, is unaffected.