FAQ: How to locate the attack source when a flood of protocol packets attacks an interface board CPU

Published: 2014-12-30  Views: 170  Downloads: 0
Problem description
FAQ: How to locate the attack source when a flood of protocol packets attacks an interface board CPU
Solution
Step 1: Use the display health command to see which board's CPU usage is high. In the example below, the CPU usage of the interface board (LPU) in slot 2 has reached 99%.
<E8000E>display  health
Slot                CPU Usage  Memory Usage(Used/Total)
---------------------------------------------------------
9 MPU(Master)          9%           52%  968MB/1845MB
1 LPU                 10%           47%  400MB/839MB
2 LPU                 99%           36%  310MB/841MB
3 LPU                  9%           47%  400MB/839MB
7 SPU                 29%           44%  209MB/475MB
8 SPU                 27%           43%  208MB/475MB
10 MPU(Slave)           6%           51%  943MB/1845MB

Step 2: Use display cpu-usage slot <slot id> to check whether the SOCK task is the board's top CPU consumer. In the example below the SOCK task is the highest. SOCK is the task in which the CPU receives and sends protocol packets, so a large volume of protocol packets is hitting the CPU.

<E8000E>dis cpu-usage slot 2
CPU Usage Stat. Cycle: 60 (Second)
CPU Usage            : 99% Max: 99%
CPU Usage Stat. Time : 2014-01-11  22:58:50
CPU utilization for five seconds: 99%: one minute: 99%: five minutes: 99%.

TaskName        CPU  Runtime(CPU Tick High/Tick Low)  Task Explanation
BOX              0%         0/    c1f2       BOX Output                  
DelPtTask        0%         0/       0                                   
CrtPtTask        0%         0/       0                                   
VCLK             0%         0/  196966                                    
TICK             0%         0/  6b48ad                                   
LOAD             0%         0/   13c02       LOAD                        
IPCR             0%         0/   65f6f       IPCR                        
VPR              0%         0/    61a8       VPR                         
VPS              0%         0/    537e       VPS                         
LCM              0%         0/   f5cbd       LCM                         
BK1              0%         0/       0       BK1                         
BK2              0%         0/       0       BK2                         
Loam             0%         0/   e2e17       LoamQue                     
upct             0%         0/       0       upct                        
AseT             0%         0/       0       AseT                        
RTMR             0%         0/  1d2d27       RTMR                        
CPRL             0%         0/  26d419       CPRL                         
FPIX             0%         0/    169e       FPIX                        
FPID             0%         0/    60f1       FPIDHCP                     
IPCQ             0%         0/  a4ec5b       IPCQIPC task for single queue
VP               0%         0/    3579       VP  Virtual path task       
RPCQ             0%         0/   5d97d       RPCQRemote procedure call   
RTPR             0%         0/       0       RTPR                        
IPCB             0%         0/  17f306       IPCBIPC task for broadcast queue
VMON             0%         0/   5fe34       VMONSystem monitor          
VMSH             0%         0/       0       VMSH                        
STND             0%         0/   28c71       STNDStandby task             
INFO             0%         0/    5bb4       INFOInformation center      
SAPP             0%         0/       0       SAPP                        
L2IF             0%         0/       0       L2IF                        
MNMA             0%         0/       0       MNMAMac in Mac Agent        
APS              0%         0/   42336       APS Automatic Protection Switch
FIB6             0%         0/       0       FIB6IPv6 FIB                
BFD              0%         0/   504ee       BFD Bidirection Forwarding Detect
OAM              0%         0/   3c653       OAM OAM                     
LSPA             0%         0/       0       LSPA                        
L2V              0%         0/       0       L2V Layer 2 VPN              
SNPG             0%         0/   1fe93       SNPG                        
RBP              0%         0/       0       RBP                         
ADPT             0%         0/  10c58d       ADPT                        
FW               0%         0/   1e2a5       FW                          
FWVP             0%         0/   48068       FWVP                        
FIPA             0%         0/   c7eaa       FIPA                        
FIPC             0%         0/       0       FIPC                        
Mpxy             0%         0/   3f52a       Mpxy                        
IGMP             0%         0/   30f61       IGMP                        
PES             24%         0/2417983d       PES                          
PEST             0%         0/   c9dee       PEST                        
PESP             0%         0/   33538       PESP                        
MCIA             0%         0/       0       MCIA                        
MIDU             0%         0/       0       MIDU                        
VOSA             0%         0/       0       VOSAVirtual OS adaption     
EAPO             0%         0/    c97f       EAPOL                       
IMS              0%         0/   2f1f7       IMS                         
TRNK             0%         0/       0       TRNK                        
PIA              0%         0/       0       PIA                         
NSA              0%         0/   11ac1       NSA                          
ATMA             0%         0/   1257d       ATMA                        
LLDP             0%         0/   1724f       LLDP                        
PIPE             0%         0/       0       PIPE   Pipe task            
VRFP             0%         0/       0       VRFP                        
VSIP             0%         0/       0       VSIP                        
ARPA             0%         0/       0       ARPAT                       
SECL             0%         0/    3e08       SECL                        
FLD              0%         0/   2abd5       FLD                         
BTRC             0%         0/   3f129       BTRC                        
MSE              0%         0/   52fba       MSE                          
DHPA             0%         0/       0       DHPA                        
PTPO             0%         0/   14ddb       PTPO                        
CESR             0%         0/   2708f       CESR                        
NDB              0%         0/    6021       NDB                         
ArpB             0%         0/       0       ArpB                        
PTAL             0%         0/       0       PTAL                        
POXS             0%         0/       0       POXS                        
EOAM             0%         0/       0       EOAMEthernet OAM 802.1ag    
1731             0%         0/       0       1731Ethernet OAM Y1731      
TRAF             0%         0/   5056e       TRAFTraffic Statistics      
CDM              0%         0/   1ecc3       CDM                         
SOCK            63%         0/5e2ee7c1       SOCKPacket schedule and process
VTRU             0%         0/       0       VTRUNK                      
SDHA             0%         0/       0       SDHAPS Automatic Protection Switch
FIB              0%         0/       0       FIB Forward Information Base
MFIB             0%         0/   48edb       MFIBMulticast forward info  
IFNT             0%         0/    e3d7       IFNTIfnet task              
RSA              0%         0/       0       RSA RSA public-key algorithms
FMAT             0%         0/    654c       FMATFault Manage task       
ISSU             0%         0/       0       ISSU                         
SNP              0%         0/       0       SNP DHCP snooping function  
DIAG             0%         0/  e0d0b7       DIAG                        
SSC              0%         0/       0       SSC                         
SRM              2%         0/ 38d3444       SRM                         
BEAT             0%         0/   8481e       BEAT                        
BMON             0%         0/   148f2       BMON                        
HALT             0%         0/   9be9d       HALT                        
SPMT             0%         0/  111358       SPMT                        
MACL             0%         0/   37935       MACL                        
MACS             0%         0/  1c97f1       MACS                        
TEST             0%         0/       0       TESTTest communication      
Ne50             0%         0/       0       Ne5000Stat                  
ARPV             0%         0/  15f54d       ARPV                        
MACF             0%         0/  2bb358       MACF                        
TSTA             0%         0/   46edb       TSTATest task agent         
CPPS             0%         0/       0       CPPS                         
UTSK             0%         0/       0       UTSK                        
APP              0%         0/       0       APP                         
IP               0%         0/   93703       IP                          
LINK             0%         0/   c2188       LINK                        
VRPT             0%         0/   253cf       VRPT                        
TNQA             0%         0/   1acef       TNQAC                       
TTNQ             0%         0/       0       TTNQAS                      
TARP             0%         0/       0       TARPING                     
L2               0%         0/    3f9a       L2                          
VRRP             0%         0/   6966b       VRRP                         
L2_P             0%         0/  16355d       L2_PR                       
ARP              0%         0/       0       ARP                         
FIBP             0%         0/       0       FIBP                        
HQOS             0%         0/  791e47       HQOS                        
QOS              0%         0/    f5d4       QOS NE5000QOS               
QOS-             0%         0/       0       QOS-PROFILE                 
MIRR             0%         0/       0       MIRRMirror_Job              
STAT             0%         0/  4dcdd4       STAT                        
SQOS             0%         0/  dc33bf       SQOS                        
QOSA             0%         0/  37344c       QOSADA                       
DEFD             0%         0/  96e9ac       DEFD                        
FARP             0%         0/   2f4aa       FARP                        
FWPT             0%         0/   11b6e       FWPT                        
FMT              0%         0/  1f4933       FMT                         
TMQN             0%         0/       0       TMQN                        
TMQI             0%         0/       0       TMQI                        
TMQP             0%         0/       0       TMQP                        
TAD              0%         0/       0       TAD Transmission Alarm Damping
VIDL             0%         0/  474ac1       System idle                 
OS              11%         0/105ff888       Operation System             

Step 3: Use display cpu-defend all statistics slot <slot id> to see which protocol's packets exceed the CP-CAR bandwidth, and therefore which protocol is being used for the attack. ARP packets are not shown in that table and must be checked separately with display cpu-defend car protocol arp statistics slot <slot id>. The example below shows that VRRP, IGMP and ARP all exceed their CP-CAR bandwidth and are being dropped in large numbers, which indicates a large-scale VRRP, IGMP and ARP attack.

<E8000E>display cpu-defend all statistics slot 2
Slot/Intf Attack-Type               Total-Packets Passed-Packets Dropped-Packets
--------------------------------------------------------------------------------
2         Application-Apperceive        805588269      108943428      696644841
--------------------------------------------------------------------------------
          SSH SERVER                            0              0              0
          SNMP                                  0              0              0
          BGP                                   0              0              0
          LDP                                   0              0              0
          RSVP                                  0              0              0
          OSPF                                  0              0              0
          RIP                                   0              0              0
          ISIS                                  0              0              0
          ICMP                                  0              0              0
          MSDP                                  0              0              0
          PIM                                   0              0              0
          DHCP                                  0              0              0
          LACP                           14041618       14041618              0
          NTP                                   0              0              0
          RADIUS                                0              0              0
          HWTACACS                              0              0              0
          LSPPING                               0              0              0
          IGMP                             780204       81485    698719
          RRPP                                  0              0              0
          VRRP                          790766447       94820325    695946122
          BFD                                   0              0              0
          MPLSOAM                               0              0              0
          802.1AG                               0              0              0
          SSH CLIENT                            0              0              0
          DNS CLIENT                            0              0              0
--------------------------------------------------------------------------------
2         MA-Defend                             0              0              0
--------------------------------------------------------------------------------
          SSH                                   0              0              0
          SNMP                                  0              0              0
          BGP                                   0              0              0
          LDP                                   0              0              0
          RSVP                                  0              0              0
          OSPF                                  0              0              0
          RIP                                   0              0              0
--------------------------------------------------------------------------------
2         URPF                                  0              0              0
--------------------------------------------------------------------------------
2         Tcpip-defend                          0              0              0
--------------------------------------------------------------------------------
          Abnormal-packet                       0              0              0
          Fragment-packet                       0              0              0
          Tcpsyn-packet                         0              0              0
          Udp-packet                            0              0              0
--------------------------------------------------------------------------------


<E8000E>display  cpu-defend  car  protocol  arp statistics  slot 2
Slot               : 2
Application switch : Open
Default Action     : Min-to-cp
--------------------------------------------
IPV4 ARP packet
Protocol switch: N/A
Packet information:
  Passed packet(s)  : 14719806           
  Dropped packet(s) : 134858500          
Configuration information:
  Configged CIR : 2000    kbps       Actual CIR in NP : 2000    kbps
  Configged CBS : 20000   bytes      Actual CBS in NP : 20000   bytes
  Priority : The index on this board can not be shown . Please see the NP Priority.
  Min-packet-length : NA

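To turn the two counter views above into a triage list mechanically, here is an added Python example (not part of the original FAQ and not a Huawei tool) that parses the text of display cpu-defend all statistics and of the per-protocol ARP CAR view and lists every protocol whose Dropped-Packets counter is non-zero, i.e. whatever is exceeding its CP-CAR. The embedded sample input is a trimmed excerpt of the page's own output. The parser assumes the column layout shown above: each data row ends in three integer counters (Total, Passed, Dropped) and each category row begins with the slot number.

```python
import re

# Trimmed excerpt of the page's "display cpu-defend all statistics slot 2" output.
CPU_DEFEND_OUTPUT = """\
Slot/Intf Attack-Type               Total-Packets Passed-Packets Dropped-Packets
--------------------------------------------------------------------------------
2         Application-Apperceive        805588269      108943428      696644841
--------------------------------------------------------------------------------
          SSH SERVER                            0              0              0
          LACP                           14041618       14041618              0
          IGMP                             780204       81485    698719
          VRRP                          790766447       94820325    695946122
--------------------------------------------------------------------------------
2         URPF                                  0              0              0
--------------------------------------------------------------------------------
2         Tcpip-defend                          0              0              0
--------------------------------------------------------------------------------
          Udp-packet                            0              0              0
"""

# Trimmed excerpt of the page's "display cpu-defend car protocol arp statistics slot 2" output.
ARP_CAR_OUTPUT = """\
Slot               : 2
Application switch : Open
Default Action     : Min-to-cp
IPV4 ARP packet
Packet information:
  Passed packet(s)  : 14719806
  Dropped packet(s) : 134858500
Configuration information:
  Configged CIR : 2000    kbps       Actual CIR in NP : 2000    kbps
"""


def parse_cpu_defend(text):
    """Return one dict per protocol row: category, protocol, total, passed, dropped."""
    rows = []
    category = None
    for line in text.splitlines():
        tokens = line.split()
        # Header, separator and blank lines do not end in three integer counters.
        if len(tokens) < 4 or not all(t.isdigit() for t in tokens[-3:]):
            continue
        total, passed, dropped = (int(t) for t in tokens[-3:])
        if tokens[0].isdigit() and len(tokens) >= 5:
            # Category row: "<slot> <Attack-Type> <totals>", e.g. Application-Apperceive.
            category = " ".join(tokens[1:-3])
            continue
        rows.append({"category": category, "protocol": " ".join(tokens[:-3]),
                     "total": total, "passed": passed, "dropped": dropped})
    return rows


def protocols_over_cpcar(text):
    """Protocols with a non-zero Dropped-Packets counter (traffic exceeding CP-CAR), worst first."""
    hits = [r for r in parse_cpu_defend(text) if r["dropped"] > 0]
    for r in hits:
        r["drop_pct"] = round(100.0 * r["dropped"] / r["total"], 1)
    return sorted(hits, key=lambda r: r["dropped"], reverse=True)


def parse_arp_car(text):
    """Passed/dropped counters from the per-protocol ARP CAR view (ARP is absent from the 'all' table)."""
    counters = {}
    for key in ("Passed", "Dropped"):
        m = re.search(rf"{key} packet\(s\)\s*:\s*(\d+)", text)
        counters[key.lower()] = int(m.group(1)) if m else None
    return counters


if __name__ == "__main__":
    for r in protocols_over_cpcar(CPU_DEFEND_OUTPUT):
        print(f"{r['category']}/{r['protocol']}: dropped {r['dropped']} of {r['total']} ({r['drop_pct']}%)")
    print("ARP CAR:", parse_arp_car(ARP_CAR_OUTPUT))
```

Sorting by dropped count rather than by drop percentage keeps the protocol that is actually loading the CPU at the top: in the page's data VRRP drops about 88% of 790 million packets while IGMP drops a similar percentage of under a million, so VRRP is the first thing to chase.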
Step 4: Use display attack-source-trace slot <slot id> brief to view the contents of the attack packets, including the port through which they entered the board; from the ingress port and the attack source IP you can then trace the attack back to its origin. In the example below the attack packets are ARP, VRRP and IGMP packets, and they entered through GigabitEthernet2/1/0.

<E8000E>display attack-source-trace slot 2 brief
Info: Please waiting......
  No 1 Packet Info:
  Interface Name   : GigabitEthernet2/1/0
  PeVlanid         : 0
  CeVlanid         : 0
  Attack Type      : CPCAR
  Source Ip        : 10.30.246.80
  Dest Ip          : 10.30.246.84
  Source Port      : 0
  Dest Port        : 0
  Protocol Num     : 0
  Attack Pack Time : 2014-01-11 21:49:00
  Attack Trace Data:    
     ff ff ff ff ff ff 10 c3 7b 46 5a 05 08 06 00 01 08 00 06 04 00 01 10 c3 7b
     46 5a 05 0a 1e f6 50 00 00 00 00 00 00 0a 1e f6 54 00 00 00 00 00 00 00 00
     00 00 00 00 00 00 00 00 00
  ----------------------------------
  No 2 Packet Info:
  Interface Name   : GigabitEthernet2/1/0
  PeVlanid         : 0
  CeVlanid         : 0
  Attack Type      : Application apperceive
  Source Ip        : 10.30.246.66
  Dest Ip          : 224.0.0.18         
  Source Port      : 0
  Dest Port        : 0
  Protocol Num     : 112
  Attack Pack Time : 2014-01-11 21:49:00
  Attack Trace Data:    
     01 00 5e 00 00 12 00 00 5e 00 01 0a 08 00 45 c0 00 28 f4 e9 00 00 ff 70 e5
     48 0a 1e f6 42 e0 00 00 12 21 0a 78 01 00 01 66 93 0a 1e f6 41 00 00 00 00
     00 00 00 00 00 00 00 00 00
  ----------------------------------
  No 3 Packet Info:
  Interface Name   : GigabitEthernet2/1/0
  PeVlanid         : 0
  CeVlanid         : 0
  Attack Type      : Application apperceive
  Source Ip        : 10.30.246.66
  Dest Ip          : 224.0.0.18
  Source Port      : 0
  Dest Port        : 0
  Protocol Num     : 112
  Attack Pack Time : 2014-01-11 21:49:00
  Attack Trace Data:                    
     01 00 5e 00 00 12 00 00 5e 00 01 0a 08 00 45 c0 00 28 f4 91 00 00 ff 70 e5
     a0 0a 1e f6 42 e0 00 00 12 21 0a 78 01 00 01 66 93 0a 1e f6 41 00 00 00 00
     00 00 00 00 00 00 00 00 00

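The Attack Trace Data shown above is a raw Ethernet frame, so the protocol and the sender can be read off it directly. The following is an added Python example, not code from the page or from Huawei, that decodes the two dumps above far enough to name the protocol (ARP by EtherType, VRRP or IGMP by IP protocol number) and to extract the source MAC and IP, which is what you need to follow the trail from GigabitEthernet2/1/0 back to the offending host. It assumes standard Ethernet, ARP, IPv4 and VRRP header layouts and that the dump starts at the destination MAC; the page's own Source Ip fields confirm that layout.

```python
import struct

# Hex dump copied from the page's "display attack-source-trace slot 2 brief" output, packet No 1 (ARP).
TRACE_NO1 = """
     ff ff ff ff ff ff 10 c3 7b 46 5a 05 08 06 00 01 08 00 06 04 00 01 10 c3 7b
     46 5a 05 0a 1e f6 50 00 00 00 00 00 00 0a 1e f6 54 00 00 00 00 00 00 00 00
     00 00 00 00 00 00 00 00 00
"""
# Packet No 2 from the same output (VRRP advertisement inside IPv4).
TRACE_NO2 = """
     01 00 5e 00 00 12 00 00 5e 00 01 0a 08 00 45 c0 00 28 f4 e9 00 00 ff 70 e5
     48 0a 1e f6 42 e0 00 00 12 21 0a 78 01 00 01 66 93 0a 1e f6 41 00 00 00 00
     00 00 00 00 00 00 00 00 00
"""

ETHERTYPE_ARP, ETHERTYPE_IPV4 = 0x0806, 0x0800
IPPROTO_IGMP, IPPROTO_VRRP = 2, 112        # the IP protocol numbers behind the page's IGMP/VRRP counters
ARP_OPCODES = {1: "request", 2: "reply"}


def hexdump_to_bytes(dump):
    return bytes.fromhex("".join(dump.split()))


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def ip4(b):
    return ".".join(str(x) for x in b)


def decode_trace(dump):
    """Decode one attack-source-trace frame far enough to name the protocol and the sender."""
    frame = hexdump_to_bytes(dump)
    info = {"dst_mac": mac(frame[0:6]), "src_mac": mac(frame[6:12])}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    payload = frame[14:]
    if ethertype == ETHERTYPE_ARP:
        htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", payload[:8])
        sha = payload[8:8 + hlen]                      # sender hardware address
        spa = payload[8 + hlen:8 + hlen + plen]        # sender protocol address
        tpa_start = 8 + hlen + plen + hlen             # skip the target hardware address
        tpa = payload[tpa_start:tpa_start + plen]
        info.update(protocol="ARP", arp_op=ARP_OPCODES.get(op, str(op)),
                    sender_mac=mac(sha), sender_ip=ip4(spa), target_ip=ip4(tpa))
    elif ethertype == ETHERTYPE_IPV4:
        ihl = (payload[0] & 0x0F) * 4                  # header length in bytes
        proto = payload[9]
        names = {IPPROTO_VRRP: "VRRP", IPPROTO_IGMP: "IGMP"}
        info.update(protocol=names.get(proto, f"ip-proto-{proto}"), ttl=payload[8],
                    src_ip=ip4(payload[12:16]), dst_ip=ip4(payload[16:20]))
        if proto == IPPROTO_VRRP:
            # VRRP header (RFC 3768): version/type byte, VRID, priority, ...
            vrrp = payload[ihl:]
            info.update(vrrp_version=vrrp[0] >> 4, vrrp_type=vrrp[0] & 0x0F,
                        vrid=vrrp[1], vrrp_priority=vrrp[2])
    else:
        info["protocol"] = f"ethertype-0x{ethertype:04x}"
    return info


if __name__ == "__main__":
    for name, dump in (("No 1", TRACE_NO1), ("No 2", TRACE_NO2)):
        print(name, decode_trace(dump))
```

Two details the decoded fields make visible: the VRRP frame's source MAC 00:00:5e:00:01:0a is the VRRP virtual MAC for VRID 10 (00-00-5E-00-01-<VRID>), so it identifies a router instance rather than a physical interface and the physical sender must be found from the ingress port; the ARP request's sender MAC 10:c3:7b:46:5a:05, by contrast, can be looked up directly in the MAC address table behind GigabitEthernet2/1/0.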
END