S12700 (V200R009C00) acting as WLAN AC: wireless users cannot access the network after authentication succeeds

Published: 2016-05-04   Views: 164   Downloads: 0
Problem description
An S12700 is acting as the WLAN AC. After a wireless user authenticates, the user can access the Internet. When the user then opens a certain video app and watches video, the network becomes unreachable after about 1-2 minutes; after waiting another 3-4 minutes, access is restored on its own.
Alarm information

Apr 28 2016 11:55:06 XXXXXXXX-Core-S12708 %%01SECE/4/STRACK_DENY(l)[2]:Some packets are dropped because an attack is detected.(Interface=XGigabitEthernet1/7/0/47, sourceMAC=xxxx-xxxx-5a7f, sourceIP=0.0.0.0, CVLAN=0, PVLAN=0)
Apr 28 2016 11:55:06 XXXXXXXX-Core-S12708 %%01SECE/4/USER_ATTACK(l)[3]:User attack occurred.(Slot=LPU7, SourceAttackInterface=XGigabitEthernet1/7/0/47, OuterVlan/InnerVlan=1001/0, UserMacAddress=xxxx-xxxx-5a7f, AttackProtocol=ARP AttackPackets=190 packets per second)
Apr 28 2016 11:54:39 XXXXXXXX-Core-S12708 %%01SECE/4/STRACK_DENY(l)[5]:Some packets are dropped because an attack is detected.(Interface=GigabitEthernet1/8/0/24, sourceMAC=xxxx-xxxx-10ad, sourceIP=0.0.0.0, CVLAN=0, PVLAN=0)
Apr 28 2016 11:54:39 XXXXXXXX-Core-S12708 %%01SECE/4/USER_ATTACK(l)[6]:User attack occurred.(Slot=LPU8, SourceAttackInterface=GigabitEthernet1/8/0/24, OuterVlan/InnerVlan=1001/0, UserMacAddress=xxxx-xxxx-10ad, AttackProtocol=ARP AttackPackets=80 packets per second)
Apr 28 2016 11:53:57 XXXXXXXX-Core-S12708 %%01SECE/4/STRACK_DENY(l)[9]:Some packets are dropped because an attack is detected.(Interface=GigabitEthernet1/8/0/24, sourceMAC=xxxx-xxxx-10ad, sourceIP=0.0.0.0, CVLAN=0, PVLAN=0)
Apr 28 2016 11:53:57 XXXXXXXX-Core-S12708 %%01SECE/4/USER_ATTACK(l)[10]:User attack occurred.(Slot=LPU8, SourceAttackInterface=GigabitEthernet1/8/0/24, OuterVlan/InnerVlan=1001/0, UserMacAddress=xxxx-xxxx-10ad, AttackProtocol=ARP AttackPackets=190 packets per second)
Apr 28 2016 11:53:50 XXXXXXXX-Core-S12708 %%01SECE/4/STRACK_DENY(l)[12]:Some packets are dropped because an attack is detected.(Interface=GigabitEthernet2/8/0/9, sourceMAC=xxxx-xxxx-856b, sourceIP=0.0.0.0, CVLAN=0, PVLAN=0)
Apr 28 2016 11:53:50 XXXXXXXX-Core-S12708 %%01SECE/4/USER_ATTACK(l)[13]:User attack occurred.(Slot=LPU20, SourceAttackInterface=GigabitEthernet2/8/0/9, OuterVlan/InnerVlan=1001/0, UserMacAddress=xxxx-xxxx-856b, AttackProtocol=ARP AttackPackets=275 packets per second)
Handling process

1. The log contains alarms indicating an ARP attack on the network: SECE/4/USER_ATTACK with AttackProtocol=ARP for a user MAC, each paired with a SECE/4/STRACK_DENY showing that packets from that MAC are being dropped. First check the attack-source tracing history:

<XXXXXXXX-Core-S12708>display auto-defend attack-source history slot 1/8

  S : start time
  E : end time

  Attack History User Table (LPU1/8):
  ------------------------------------------------------------------------------
  AttackTime            MacAddress     IFName         Vlan:O/I  Protocol    PPS
  ------------------------------------------------------------------------------
  S:2016-04-27 14:27:26 xxxx-xxxx-10ad GE1/8/0/24     1001      ARP         185
  E:2016-04-27 14:32:32
  S:2016-04-27 14:26:19 xxxx-xxxx-920a GE1/8/0/10     1001      ARP         200
  E:-                 

2. The user terminals send ARP packets at a rate above the switch's attack-source tracing threshold of 60 pps, which triggers the attack-source tracing (auto-defend) mechanism. The switch then penalizes the offending device; the default penalty time is 5 minutes, during which all ARP packets from that device are dropped. The history output above confirms this: the entry for xxxx-xxxx-10ad runs from 14:27:26 (S) to 14:32:32 (E), roughly 5 minutes, while the entry for xxxx-xxxx-920a still has no end time because its penalty is still running.

3. Check the cpu-defend configuration. The policy relies on the default settings (no penalty timer is configured, so the default 5-minute deny timer applies; the STRACK_DENY alarms confirm that the deny action is in effect):

cpu-defend policy defend_arp_slot
auto-defend trace-type source-mac
auto-defend protocol arp
auto-defend whitelist 1 acl 4000

Therefore, once the ARP entry for the gateway on the terminal ages out (measured at roughly 1-2 minutes), the default penalty time has not yet expired, so the terminal's normal ARP request to re-resolve the gateway is dropped as well and the terminal loses network access.

Once the default 5-minute penalty time expires, the terminal can access the network again.

Root cause

When a user terminal runs a certain video app it sends a large number of ARP packets, which triggers the switch's attack-source tracing mechanism; the switch then drops ARP packets from that terminal for the penalty period, which is 5 minutes by default.

When the ARP entry on the terminal ages out, the terminal sends a new ARP request for the gateway address. Because the penalty period for that user has not yet expired, the request is dropped and the user cannot access the network.

When the penalty period on the switch expires, the user's access is restored.

Solution

When the attack-source tracing mechanism is triggered, lower the penalty time applied to the user to 30 s, so that the penalty has expired before the terminal's ARP entry ages out and its next gateway ARP request gets through. Note that a shorter deny timer also shortens how long a genuinely malicious ARP flooder is blocked: such a source is re-detected and penalized again, but its ARP traffic reaches the switch CPU again at the start of each 30 s window. If the bursts come only from a known application on legitimate clients, also consider whether the ARP threshold (60 pps here) and the existing whitelist suit the client population, rather than relying on the short timer alone.

cpu-defend policy defend_arp_slot
auto-defend action deny timer 30
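As an added illustration for steps 2-3 of the handling process, the root cause and the solution above (this is editor-provided example code, not part of the original case and not Huawei software), the following Python script parses the attack-source history output shown in step 1, reports the observed penalty length per source so it can be compared with the 5-minute default, flags sources above the 60 pps threshold the page cites, and models the outage window for a given deny timer and client ARP aging time. The history text is copied from the page with its anonymised MACs; the 90 s ARP aging value is an assumption chosen from the page's "about 1-2 minutes" observation.

```python
import re
from datetime import datetime

TIME_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample input: the "display auto-defend attack-source history"
# table from this case, MACs anonymised as on the page. Columns are
# AttackTime MacAddress IFName Vlan:O/I Protocol PPS; the end time of each
# entry follows on its own "E:" line ("-" while the penalty is still running).
HISTORY_OUTPUT = """\
  S:2016-04-27 14:27:26 xxxx-xxxx-10ad GE1/8/0/24     1001      ARP         185
  E:2016-04-27 14:32:32
  S:2016-04-27 14:26:19 xxxx-xxxx-920a GE1/8/0/10     1001      ARP         200
  E:-
"""

START_RE = re.compile(
    r"^\s*S:(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
    r"\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$"
)
END_RE = re.compile(r"^\s*E:(.*?)\s*$")


def parse_history(text):
    """Parse the history table into one dict per entry.

    'end' stays None while the switch is still penalizing the source.
    """
    entries = []
    for line in text.splitlines():
        m = START_RE.match(line)
        if m:
            start, mac, ifname, vlan, proto, pps = m.groups()
            entries.append({
                "start": datetime.strptime(start, TIME_FMT),
                "end": None,
                "mac": mac,
                "ifname": ifname,
                "vlan": vlan,
                "protocol": proto,
                "pps": int(pps),
            })
            continue
        m = END_RE.match(line)
        if m and entries:
            end = m.group(1)
            entries[-1]["end"] = None if end == "-" else datetime.strptime(end, TIME_FMT)
    return entries


def penalty_seconds(entry):
    """Observed penalty length in seconds (E minus S), or None if still open."""
    if entry["end"] is None:
        return None
    return int((entry["end"] - entry["start"]).total_seconds())


def over_threshold(entries, threshold_pps=60):
    """Entries whose rate exceeds the auto-defend threshold (60 pps per the page)."""
    return [e for e in entries if e["pps"] > threshold_pps]


def outage_window(deny_timer_s, arp_aging_s):
    """Seconds after detection during which the client has no gateway reachability.

    The client keeps working until its ARP entry for the gateway ages out.
    Its next ARP request is dropped if the deny timer is still running, so the
    outage lasts from arp_aging_s until deny_timer_s. If the entry ages out
    only after the penalty has expired, there is no outage and None is returned.
    """
    if arp_aging_s >= deny_timer_s:
        return None
    return (arp_aging_s, deny_timer_s)


if __name__ == "__main__":
    entries = parse_history(HISTORY_OUTPUT)
    for e in entries:
        print(f"{e['mac']} on {e['ifname']}: {e['pps']} pps, "
              f"penalty {penalty_seconds(e)} s")
    print("over 60 pps:", [e["mac"] for e in over_threshold(entries)])
    ARP_AGING = 90  # assumed client ARP aging time, from the page's 1-2 minute observation
    for timer in (300, 30):  # default deny timer vs the 30 s fix
        print(f"deny timer {timer} s -> outage window {outage_window(timer, ARP_AGING)}")
```

With the default 300 s timer and a 90 s ARP aging time the model gives an outage from 90 s to 300 s after detection (about 3.5 minutes), matching the 3-4 minute blackout in the problem description; with the 30 s timer there is no outage because the penalty has expired before the client re-ARPs.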

END