Locating an ARP Packet Attack with a Fixed Source MAC Address

Published: 2015-04-12
Problem Description

As shown in the figure, S9703 is the gateway. Users under S9703-1 are dropped from the network, pings from those users to the gateway show latency or fail, and S9703-1 frequently loses contact with the NMS. Services under S9703-2 are normal and ping the gateway without problems.

CPU usage on the network device is high, some ARP entries cannot be learned, and pings show latency, packet loss or failure. On the service side this appears as users going offline, slow Internet access, the device becoming unmanageable, or even a service outage.

Alarm Information

Troubleshooting Procedure

1. Check whether the device CPU usage is high and whether ARP entries are failing to be learned
[Quidway]display cpu-usage
CPU Usage Stat. Cycle: 10 (Second)
CPU Usage         : 68% Max: 99%
CPU Usage Stat. Time : 2010-12-18  15:35:56
CPU utilization for five seconds: 68%: one minute: 60%: five minutes: 55%.

[Quidway]display arp
IP ADDRESS  MAC ADDRESS EXPIRE(M) TYPE VPN-INSTANCE   INTERFACE  
                                            VLAN/CEVLAN
------------------------------------------------------------------------------------------------------
10.137.222.139  00e0-fc01-4422            I -         Eth0/0/0
10.137.222.1    0025-9e36-e8c1  20        D-0         Eth0/0/0
10.137.222.100  0025-9e80-b278  6         D-0         Eth0/0/0
10.137.222.99   00e0-4c77-b0e1  9         D-0         Eth0/0/0
10.137.222.173  000f-3d80-cba4  18        D-0         Eth0/0/0
10.137.222.34   0025-9e36-e8c1  1         D-0         Eth0/0/0
10.137.222.172  0016-ec71-ea8c  7         D-0         Eth0/0/0
10.137.222.35   0025-9e36-e8c1  18        D-0         Eth0/0/0
10.137.222.179  0014-2ae2-3128  20        D-0         Eth0/0/0
10.137.222.38   0025-9e36-e8c1  17        D-0         Eth0/0/0
10.137.222.175  0014-2261-2b22  1         D-0         Eth0/0/0
50.1.1.3        Incomplete      1         D-0         GE5/0/0
                                           500/-         
50.1.1.2        Incomplete      1         D-0         GE5/0/0
                                           500/-    
6.1.1.2         00e0-fc01-4422            I -         Vlanif6
10.0.0.139      00e0-fc01-4422            I -         Vlanif10
192.0.0.4       00e0-fc01-4422            I -         Vlanif192
20.1.1.1        00e0-fc01-4422            I -         Vlanif200
192.168.2.2     00e0-fc01-4422            I -         Vlanif100
------------------------------------------------------------------------------------------------------
Total:16        Dynamic:10      Static:0    Interface:6   

2. Determine whether the device is under ARP attack by checking the CPCAR (control-plane committed access rate, the per-protocol rate limit on packets sent to the CPU) counters per board and globally.
[Quidway]display cpu-defend arp-request statistics all
Statistics on mainboard:
------------------------------------------------------------------------------------------------------------------
Packet Type         Pass(Bytes)       Drop(Bytes)   Pass(Packets)     Drop(Packets)
------------------------------------------------------------------------------------------------------------------
arp-request            67908288            0         1061067               0
------------------------------------------------------------------------------------------------------------------
Statistics on slot 4:
------------------------------------------------------------------------------------------------------------------
Packet Type         Pass(Bytes)       Drop(Bytes)   Pass(Packets)     Drop(Packets)
------------------------------------------------------------------------------------------------------------------
arp-request            80928            44380928          2301         693450
------------------------------------------------------------------------------------------------------------------
Statistics on slot 5:
------------------------------------------------------------------------------------------------------------------
Packet Type         Pass(Bytes)       Drop(Bytes)   Pass(Packets)     Drop(Packets)
------------------------------------------------------------------------------------------------------------------
arp-request                 N/A          N/A               0               0
------------------------------------------------------------------------------------------------------------------
Statistics on slot 6:
------------------------------------------------------------------------------------------------------------------
Packet Type         Pass(Bytes)       Drop(Bytes)   Pass(Packets)     Drop(Packets)
------------------------------------------------------------------------------------------------------------------
arp-request                 N/A          N/A               0               0
------------------------------------------------------------------------------------------------------------------

Run this command several times, for example once per second, and compare the results. In the output above, if the Drop(Packets) counter grows quickly (for example more than a hundred drops per second), the device is under ARP attack: the ARP packets sent to the CPU exceed the configured CPCAR limit, and attack ARP packets may be crowding out legitimate ARP, so some ARP entries become hard to learn. The counters are cumulative, so what matters is the delta between samples rather than the absolute value; here slot 4 has already dropped 693450 ARP requests while the mainboard has dropped none, which points at the line card carrying the attacker.
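The polling just described, turned into a small script: it parses two samples of `display cpu-defend arp-request statistics all`, computes the per-board drop rate from the cumulative counters, and flags boards above the page's rule-of-thumb threshold of about 100 drops per second. This is an added example, not Huawei code. SAMPLE_T0 is the page's output; SAMPLE_T1 is constructed to represent the same command one second later with the slot 4 counters advanced, and the one-second interval and 100 pps threshold are assumptions.

```python
"""Turn successive `display cpu-defend arp-request statistics all` samples
into per-slot ARP CPCAR drop rates.

Added example for this page, not Huawei code. SAMPLE_T0 is taken from the
page's output; SAMPLE_T1 is constructed to represent the same command one
second later, with the slot 4 counters advanced.
"""
import re
from typing import Dict, List, Tuple

SAMPLE_T0 = """\
Statistics on mainboard:
Packet Type         Pass(Bytes)       Drop(Bytes)   Pass(Packets)     Drop(Packets)
arp-request            67908288            0         1061067               0
Statistics on slot 4:
Packet Type         Pass(Bytes)       Drop(Bytes)   Pass(Packets)     Drop(Packets)
arp-request            80928        44380928          2301          693450
Statistics on slot 5:
Packet Type         Pass(Bytes)       Drop(Bytes)   Pass(Packets)     Drop(Packets)
arp-request                 N/A          N/A               0               0
"""

# Constructed: the same output one second later (assumed polling interval).
SAMPLE_T1 = """\
Statistics on mainboard:
arp-request            67908352            0         1061068               0
Statistics on slot 4:
arp-request            81056        44428096          2303          694187
Statistics on slot 5:
arp-request                 N/A          N/A               0               0
"""

SLOT_RE = re.compile(r"^Statistics on (mainboard|slot \d+):")
# type, pass bytes, drop bytes, pass packets, drop packets (bytes may be N/A)
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s*$")

Stats = Dict[str, Dict[str, Tuple[int, int]]]  # slot -> type -> (pass, drop)


def parse_stats(text: str) -> Stats:
    """Parse the per-board tables into packet counters; byte columns are ignored."""
    stats: Stats = {}
    slot = None
    for line in text.splitlines():
        m = SLOT_RE.match(line)
        if m:
            slot = m.group(1)
            stats[slot] = {}
            continue
        m = ROW_RE.match(line)
        if m and slot is not None:
            ptype, _pass_b, _drop_b, pass_p, drop_p = m.groups()
            stats[slot][ptype] = (int(pass_p), int(drop_p))
    return stats


def drop_rates(before: Stats, after: Stats, interval_s: float = 1.0,
               ptype: str = "arp-request") -> Dict[str, float]:
    """Drop counters are cumulative, so the rate is the delta between samples."""
    rates: Dict[str, float] = {}
    for slot, rows in after.items():
        if ptype in rows and ptype in before.get(slot, {}):
            rates[slot] = (rows[ptype][1] - before[slot][ptype][1]) / interval_s
    return rates


def suspect_slots(rates: Dict[str, float], threshold_pps: float = 100.0) -> List[str]:
    """Boards whose ARP drop rate exceeds the page's rule of thumb (~100/s)."""
    return sorted(s for s, r in rates.items() if r > threshold_pps)


if __name__ == "__main__":
    t0, t1 = parse_stats(SAMPLE_T0), parse_stats(SAMPLE_T1)
    rates = drop_rates(t0, t1)
    for slot, rate in rates.items():
        print(f"{slot}: {rate:.0f} ARP drops/s")
    print("suspect boards:", suspect_slots(rates))
```

In practice the two samples come from two invocations of the command a second apart; the script only needs the "Statistics on ..." headers and the arp-request rows, so the separator lines in the real output are ignored.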

3. Identify the attack source
Method 1: identify the attack source with the auto-defend function
First, configure the attack defense policy (system view):
cpu-defend policy test
auto-defend enable
auto-defend attack-packet sample 5  - sample one packet in every 5 for identification; too small a sampling value consumes excessive CPU
auto-defend threshold 30          - a source sending 30 pps is identified as an attacker; lower the value if there are many attack sources
auto-defend trace-type source-mac  - trace attack sources by source MAC address
auto-defend protocol arp          - identify ARP attacks

Then apply the attack defense policy (system view):
cpu-defend-policy test  - applies the policy to the line cards; not needed on fixed-configuration (box) devices
cpu-defend-policy test global

Finally, view the attack source MAC with display auto-defend attack-source [slot 1-12]:
Attack Source User Table (MPU): 
------------------------------------------------------------------------------------------------
  MacAddress       InterfaceName      Vlan:Outer/Inner      TOTAL
------------------------------------------------------------------------------------------------
0000-0000-00db   GigabitEthernet2/0/22         193           416
------------------------------------------------------------------------------------------------
Note: the identified MACs may include the gateway's own MAC address, which must be excluded before acting on the list.

Method 2: analyze the packets sent to the CPU to determine the attack source
Enter the hidden command mode (_hidecmd) and use the catch command to view packets sent to the CPU.
First, use catch receive statistic eth-type to check, by Ethernet type, whether a large number of ARP packets (Ethernet type 0806) are being sent to the CPU; sample about once per second and check the ARP count three times in a row.
[Quidway-hidecmd]catch receive statistic eth-type slot 2
[Quidway-hidecmd]
The packet statistic direction to display is RECEIVE!
Packet from slot 2 all port !
Ethernet type information list here!
Ethtype = 0800 ---- num = 5
Ethtype = 0806 ---- num = 865
[Quidway-hidecmd]display catch receive statistic
[Quidway-hidecmd]
The packet statistic direction to display is RECEIVE!
Packet from slot 2 all port !
Ethernet type information list here!
Ethtype = 0800 ---- num = 7
Ethtype = 0806 ---- num = 973
[Quidway-hidecmd]display catch receive statistic
[Quidway-hidecmd]
The packet statistic direction to display is RECEIVE!
Packet from slot 2 all port !
Ethernet type information list here!
Ethtype = 0800 ---- num = 7
Ethtype = 0806 ---- num = 1027   

Use catch receive dump to capture the ARP packets (Ethernet type 0806) sent to the CPU:
[Quidway-hidecmd]catch receive dump eth-type 0806 slot 2
[Quidway-hidecmd]display catch receive dump
[Quidway-hidecmd]
The packet content direction to display is RECEIVE,
packet num is 810!
Packet from slot 2 all port !
Ethernet type = 0806 packet dump here!
Number 1!
ff ff ff ff ff ff 00 00 00 00 00 db 81 00 00 c1
08 06 00 01 08 00 06 04 00 01 00 00 00 00 00 00
c6 13 02 03 00 00 00 00 00 00 c6 13 01 01 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 07 50 27 00 03

Number 2!
ff ff ff ff ff ff 00 00 00 00 00 db 81 00 00 c1
08 06 00 01 08 00 06 04 00 01 00 00 00 00 00 00
c6 13 02 03 00 00 00 00 00 00 c6 13 01 01 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 07 50 27 00 03

Number 3!
ff ff ff ff ff ff 00 00 00 00 00 db 81 00 00 c1
08 06 00 01 08 00 06 04 00 01 00 00 00 00 00 00
c6 13 02 03 00 00 00 00 00 00 c6 13 01 01 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 07 50 27 00 03

Number 4!
ff ff ff ff ff ff 00 00 00 00 00 3d 81 00 00 c1
08 06 00 01 08 00 06 04 00 01 00 00 00 00 00 00
c6 13 01 02 00 00 00 00 00 00 c6 13 01 01 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 07 50 27 00 04                                                        
                   
The steps above show a large number of ARP packets with source MAC 00 00 00 00 00 db, which is an ARP attack with a fixed source MAC. Reading the dump: each frame is a broadcast (destination ff ff ff ff ff ff), 802.1Q-tagged with VLAN 0x00c1 = 193, Ethernet type 08 06, and carries an ARP request (opcode 00 01) from sender IP c6 13 02 03 (198.19.2.3) for target IP c6 13 01 01 (198.19.1.1), with an all-zero sender hardware address that does not match the Ethernet source MAC. Packet 4 has a different source MAC (00 00 00 00 00 3d) and sender IP 198.19.1.2. The next step is to find the port the attack enters on.
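The manual reading of the hex dump above, as an added example that is not Huawei code: the script splits the `display catch receive dump` output into frames, decodes the optional 802.1Q tag and the ARP payload, and ranks Ethernet source MACs by frame count, which is exactly the observation the text makes (one MAC dominating the punted ARP traffic). It also goes one step beyond the page by reporting requests whose ARP sender hardware address differs from the Ethernet source MAC, a mismatch visible in the dump (all-zero sender MAC). CATCH_DUMP is constructed from the four frames on the page with the trailing zero-padding lines omitted; MACs are printed in the xxxx-xxxx-xxxx form so they can be pasted into display mac-address.

```python
"""Decode frames from `display catch receive dump` and rank Ethernet
source MACs to find a fixed-source-MAC ARP attacker.

Added example for this page, not Huawei code. CATCH_DUMP is constructed
from the four frames shown on the page (trailing zero-padding lines
omitted); the decoder itself handles 802.1Q-tagged or untagged ARP.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

CATCH_DUMP = """\
The packet content direction to display is RECEIVE,
packet num is 810!
Packet from slot 2 all port !
Ethernet type = 0806 packet dump here!
Number 1!
ff ff ff ff ff ff 00 00 00 00 00 db 81 00 00 c1
08 06 00 01 08 00 06 04 00 01 00 00 00 00 00 00
c6 13 02 03 00 00 00 00 00 00 c6 13 01 01 00 00

Number 2!
ff ff ff ff ff ff 00 00 00 00 00 db 81 00 00 c1
08 06 00 01 08 00 06 04 00 01 00 00 00 00 00 00
c6 13 02 03 00 00 00 00 00 00 c6 13 01 01 00 00

Number 3!
ff ff ff ff ff ff 00 00 00 00 00 db 81 00 00 c1
08 06 00 01 08 00 06 04 00 01 00 00 00 00 00 00
c6 13 02 03 00 00 00 00 00 00 c6 13 01 01 00 00

Number 4!
ff ff ff ff ff ff 00 00 00 00 00 3d 81 00 00 c1
08 06 00 01 08 00 06 04 00 01 00 00 00 00 00 00
c6 13 01 02 00 00 00 00 00 00 c6 13 01 01 00 00
"""

FRAME_RE = re.compile(r"^Number (\d+)!$")
HEX_RE = re.compile(r"^(?:[0-9a-f]{2}\s+)*[0-9a-f]{2}$", re.I)


def split_frames(dump: str) -> List[bytes]:
    """Group the hex lines that follow each 'Number N!' marker into one frame."""
    frames: List[bytearray] = []
    for line in dump.splitlines():
        line = line.strip()
        if FRAME_RE.match(line):
            frames.append(bytearray())
        elif frames and HEX_RE.match(line):
            frames[-1].extend(bytes.fromhex(line.replace(" ", "")))
    return [bytes(f) for f in frames]


def fmt_mac(b: bytes) -> str:
    """Huawei xxxx-xxxx-xxxx notation, so results match display mac-address."""
    return "-".join(b[i:i + 2].hex() for i in range(0, 6, 2))


def fmt_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def decode_arp(frame: bytes) -> Dict[str, object]:
    """Parse the Ethernet header (with optional 802.1Q tag) and ARP payload."""
    info: Dict[str, object] = {"dst": fmt_mac(frame[0:6]), "src": fmt_mac(frame[6:12]),
                               "vlan": None, "op": None}
    off = 12
    ethertype = int.from_bytes(frame[off:off + 2], "big")
    if ethertype == 0x8100:  # 802.1Q tag: TPID, then TCI (VLAN in low 12 bits)
        info["vlan"] = int.from_bytes(frame[off + 2:off + 4], "big") & 0x0FFF
        off += 4
        ethertype = int.from_bytes(frame[off:off + 2], "big")
    off += 2
    info["ethertype"] = ethertype
    if ethertype != 0x0806:
        return info
    arp = frame[off:off + 28]  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
    if len(arp) < 28 or arp[4] != 6 or arp[5] != 4:
        raise ValueError("truncated or non-Ethernet/IPv4 ARP payload")
    info.update(op=int.from_bytes(arp[6:8], "big"),
                sha=fmt_mac(arp[8:14]), spa=fmt_ip(arp[14:18]),
                tha=fmt_mac(arp[18:24]), tpa=fmt_ip(arp[24:28]))
    return info


def rank_sources(frames: List[bytes]) -> List[Tuple[str, int]]:
    """Ethernet source MACs by frame count, most frequent first; a single MAC
    dominating the punted ARP traffic is the fixed-source-MAC attacker."""
    return Counter(str(decode_arp(f)["src"]) for f in frames).most_common()


def sha_mismatches(frames: List[bytes]) -> List[Tuple[str, str, str]]:
    """Extra check beyond the page's steps: ARP requests whose sender hardware
    address differs from the Ethernet source MAC (all zeros in this dump)."""
    hits = []
    for f in frames:
        d = decode_arp(f)
        if d["op"] == 1 and d["sha"] != d["src"]:
            hits.append((str(d["src"]), str(d["sha"]), str(d["spa"])))
    return hits


if __name__ == "__main__":
    frames = split_frames(CATCH_DUMP)
    for src, n in rank_sources(frames):
        print(f"{src}  {n} frames")
    for src, sha, spa in sha_mismatches(frames):
        print(f"src {src} claims sender MAC {sha} for IP {spa}")
```

On a real capture of several hundred frames the ranking makes the fixed source stand out immediately; the VLAN decoded from the tag (193 here) is the value to use with display mac-address in the next step.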

4. Look up the port corresponding to the source MAC
[Quidway]display mac-address 0000-0000-00db
MAC address table on slot 2:
---------------------------------------------------------------------------------------------------------------------------
MAC Address    VLAN/       PEVLAN CEVLAN  Port      Type      LSP/
               VSI/SI                                              MAC-Tunnel
---------------------------------------------------------------------------------------------------------------------------
0000-0000-00db  193             -      -       GE2/0/22    dynamic   -
---------------------------------------------------------------------------------------------------------------------------
Total matching items on slot 2 displayed = 1    
If the MAC has a corresponding ARP entry, its IP address can also be looked up (in this case the filter matches no entry, so the port from the MAC address table is the only pivot):
[Quidway]display arp | include 0000-0000-00db
IP ADDRESS MAC ADDRESS  EXPIRE(M) TYPE INTERFACE  VPN-INSTANCE VLAN/CEVLAN
-----------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------
Total:29        Dynamic:7       Static:0    Interface:22
                                  

Root Cause
An ARP attack with a fixed source MAC on the network behind S9703-1 prevents normal users from completing ARP exchanges.
Solution: block the attack source, either with a blackhole MAC entry for the attacker's MAC or with the auto-defend function.
Solution
Configure ARP packet rate limiting based on source MAC address.
If the number of ARP packets the S9300 receives from a given source MAC address within a period exceeds the configured threshold (maximum, in packets per second), the ARP packets above the threshold are not processed.
#
arp speed-limit source-mac [ mac_addr ] maximum maximum
undo arp speed-limit source-mac [ mac_addr ]
#
Note: this suppression is performed on the control plane. It relieves high CPU usage but does not address the link bandwidth consumed by a flooding attack; for that, the attack source must be blocked at its access port.
Suggestions and Summary
Locate the attack by correlating a rising CPCAR Drop(Packets) counter, the auto-defend attack-source table or the hidden-mode catch dump, and the MAC address table, then block the attacker at its access port (blackhole MAC or auto-defend). Configure arp speed-limit source-mac as shown in the solution above so that a single source MAC cannot exhaust the ARP CPCAR again; remember that this protects the CPU, not link bandwidth.

END