S9312: cannot log in to the main control board over the console cable; after an active/standby switchover the former active board becomes standby and can then be logged in to

Published: 2016-10-07 Views: 254 Downloads: 0
Problem description
S9312: cannot log in to the main control board over the console cable; after an active/standby switchover the former active board becomes standby and can then be logged in to
Handling process

1. Before and after the problem, the device kept logging large numbers of failed Telnet logins from many different IP addresses:


Mar 15 2016 11:37:48 S9312-S1-Netdc %%01SHELL/4/LOGINFAILED(l)[28895]:Failed to login. (Ip=179.41.161.11, UserName=root, Times=1, AccessType=TELNET)

Mar 15 2016 11:38:04 S9312-S1-Netdc %%01SHELL/4/LOGINFAILED(l)[28898]:Failed to login. (Ip=171.233.237.2, UserName=root, Times=1, AccessType=TELNET)

Mar 15 2016 11:38:14 S9312-S1-Netdc %%01SHELL/4/LOGINFAILED(l)[28900]:Failed to login. (Ip=80.25.127.226, UserName=root, Times=1, AccessType=TELNET)

Mar 15 2016 11:38:28 S9312-S1-Netdc %%01SHELL/4/LOGINFAILED(l)[28901]:Failed to login. (Ip=14.181.100.187, UserName=root, Times=1, AccessType=TELNET)

Mar 15 2016 11:38:33 S9312-S1-Netdc %%01SHELL/4/LOGINFAILED(l)[28902]:Failed to login. (Ip=185.93.185.246, UserName=root, Times=1, AccessType=TELNET)

Mar 15 2016 11:38:38 S9312-S1-Netdc %%01SHELL/4/LOGINFAILED(l)[28904]:Failed to login. (Ip=118.72.191.106, UserName=root, Times=1, AccessType=TELNET)

Mar 15 2016 11:38:45 S9312-S1-Netdc %%01SHELL/4/LOGINFAILED(l)[28906]:Failed to login. (Ip=185.93.185.246, UserName=root, Times=1, AccessType=TELNET)

Mar 15 2016 11:47:48 S9312-S1-Netdc %%01SHELL/4/LOGINFAILED(l)[28951]:Failed to login. (Ip=78.20.172.236, UserName=root, Times=1, AccessType=TELNET)


2. Slot 1 recorded a large number of ARP Miss attack logs:


Mar 15 2016 13:42:08 S9312-S1-Netdc %%01DEFD/6/CPCAR_DROP_MPU(l)[29225]:Rate of packets to cpu exceeded the CPCAR limit on the MPU. (Protocol=arp-miss, CIR/CBS=64/10000, ExceededPacketCount=521)

Mar 15 2016 13:42:09 S9312-S1-Netdc %%01DEFD/6/CPCAR_DROP_LPU(l)[29226]:Rate of packets to cpu exceeded the CPCAR limit on the LPU in slot 1. (Protocol=arp-miss, CIR/CBS=64/10000, ExceededPacketCount=91831)


Mar 15 2016 11:40:42 S9312-S1-Netdc %%01SECE/4/ARPMISS(l)[28918]:Attack occurred.(AttackType=Arp Miss Attack, SourceInterface=XGigabitEthernet1/0/0, SourceIP=113.108.21.16, AttackPackets=39 packets per second)

Mar 15 2016 11:45:51 S9312-S1-Netdc %%01SECE/4/ARPMISS(l)[28937]:Attack occurred.(AttackType=Arp Miss Attack, SourceInterface=XGigabitEthernet1/0/0, SourceIP=113.108.21.16, AttackPackets=33 packets per second)

Mar 15 2016 12:07:20 S9312-S1-Netdc %%01SECE/4/ARPMISS(l)[29004]:Attack occurred.(AttackType=Arp Miss Attack, SourceInterface=XGigabitEthernet1/0/0, SourceIP=113.108.21.16, AttackPackets=36 packets per second)

Mar 15 2016 12:12:29 S9312-S1-Netdc %%01SECE/4/ARPMISS(l)[29016]:Attack occurred.(AttackType=Arp Miss Attack, SourceInterface=XGigabitEthernet1/0/0, SourceIP=113.108.21.16, AttackPackets=33 packets per second)

Mar 15 2016 12:28:18 S9312-S1-Netdc %%01SECE/4/ARPMISS(l)[29049]:Attack occurred.(AttackType=Arp Miss Attack, SourceInterface=XGigabitEthernet1/0/0, SourceIP=113.108.21.16, AttackPackets=34 packets per second)
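The two log families above are what a responder has to triage: who is hammering the Telnet service, and which source is generating the ARP Miss storm that the CPCAR counters show being dropped on the MPU and on the slot 1 LPU. The following parser is an added example, not part of this case or of any Huawei tooling; it is written against the VRP message format exactly as printed on this page, and the sample lines are constructed using RFC 5737 documentation addresses rather than the addresses from the real case. The allowlist of legitimate management hosts and the 5 pps ARP Miss threshold (the default per-source suppression rate quoted later in this case) are assumed inputs.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the VRP log format shown on this page.
# IP addresses are documentation ranges (RFC 5737), not the real case's addresses.
SAMPLE_LOG = """\
Mar 15 2016 11:37:48 S9312-S1-Netdc %%01SHELL/4/LOGINFAILED(l)[28895]:Failed to login. (Ip=203.0.113.11, UserName=root, Times=1, AccessType=TELNET)
Mar 15 2016 11:38:04 S9312-S1-Netdc %%01SHELL/4/LOGINFAILED(l)[28898]:Failed to login. (Ip=198.51.100.2, UserName=root, Times=1, AccessType=TELNET)
Mar 15 2016 11:38:33 S9312-S1-Netdc %%01SHELL/4/LOGINFAILED(l)[28902]:Failed to login. (Ip=203.0.113.11, UserName=admin, Times=2, AccessType=TELNET)
Mar 15 2016 11:38:45 S9312-S1-Netdc %%01SHELL/4/LOGINFAILED(l)[28906]:Failed to login. (Ip=203.0.113.11, UserName=root, Times=3, AccessType=TELNET)
Mar 15 2016 11:40:42 S9312-S1-Netdc %%01SECE/4/ARPMISS(l)[28918]:Attack occurred.(AttackType=Arp Miss Attack, SourceInterface=XGigabitEthernet1/0/0, SourceIP=192.0.2.16, AttackPackets=39 packets per second)
Mar 15 2016 12:07:20 S9312-S1-Netdc %%01SECE/4/ARPMISS(l)[29004]:Attack occurred.(AttackType=Arp Miss Attack, SourceInterface=XGigabitEthernet1/0/0, SourceIP=192.0.2.16, AttackPackets=36 packets per second)
Mar 15 2016 13:42:08 S9312-S1-Netdc %%01DEFD/6/CPCAR_DROP_MPU(l)[29225]:Rate of packets to cpu exceeded the CPCAR limit on the MPU. (Protocol=arp-miss, CIR/CBS=64/10000, ExceededPacketCount=521)
Mar 15 2016 13:42:09 S9312-S1-Netdc %%01DEFD/6/CPCAR_DROP_LPU(l)[29226]:Rate of packets to cpu exceeded the CPCAR limit on the LPU in slot 1. (Protocol=arp-miss, CIR/CBS=64/10000, ExceededPacketCount=91831)
"""

# Patterns written against the three message types visible in this case.
LOGIN_RE = re.compile(
    r"SHELL/4/LOGINFAILED.*?\(Ip=(?P<ip>[\d.]+), UserName=(?P<user>[^,]+), "
    r"Times=(?P<times>\d+), AccessType=(?P<access>[^)]+)\)")
ARPMISS_RE = re.compile(
    r"SECE/4/ARPMISS.*?SourceInterface=(?P<iface>[^,]+), SourceIP=(?P<ip>[\d.]+), "
    r"AttackPackets=(?P<pps>\d+) packets per second")
CPCAR_RE = re.compile(
    r"DEFD/6/CPCAR_DROP_(?P<board>MPU|LPU).*?\(Protocol=(?P<proto>[\w-]+), "
    r"CIR/CBS=(?P<cir>\d+)/(?P<cbs>\d+), ExceededPacketCount=(?P<dropped>\d+)\)")


def parse_events(text):
    """Turn raw log text into a list of event dicts; unrecognised lines are skipped."""
    events = []
    for line in text.splitlines():
        for kind, rx in (("login_failed", LOGIN_RE),
                         ("arp_miss", ARPMISS_RE),
                         ("cpcar_drop", CPCAR_RE)):
            m = rx.search(line)
            if m:
                ev = {"kind": kind, "ts": line[:20].strip()}  # "Mar 15 2016 11:37:48"
                ev.update(m.groupdict())
                events.append(ev)
                break
    return events


def login_offenders(events, allowlist=frozenset()):
    """Failed logins per source IP, most frequent first, ignoring known management hosts.
    Anything left over is a candidate for the blacklist / auto-punish step."""
    counts = Counter(e["ip"] for e in events
                     if e["kind"] == "login_failed" and e["ip"] not in allowlist)
    return counts.most_common()


def arp_miss_offenders(events, pps_limit=5):
    """Source IPs whose peak ARP Miss rate exceeded the per-source suppression rate
    (5 pps is the default quoted in this case)."""
    peak = defaultdict(int)
    for e in events:
        if e["kind"] == "arp_miss":
            peak[e["ip"]] = max(peak[e["ip"]], int(e["pps"]))
    return {ip: pps for ip, pps in peak.items() if pps > pps_limit}


def cpcar_drops_by_board(events, protocol="arp-miss"):
    """Total packets dropped by CPCAR for one protocol, per board (MPU vs LPU),
    which shows where the control-plane pressure actually lands."""
    total = Counter()
    for e in events:
        if e["kind"] == "cpcar_drop" and e["proto"] == protocol:
            total[e["board"]] += int(e["dropped"])
    return dict(total)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    # Assumed: 198.51.100.2 is a legitimate management host in this constructed scenario.
    print("login failures:", login_offenders(evs, allowlist=frozenset({"198.51.100.2"})))
    print("arp-miss sources over limit:", arp_miss_offenders(evs))
    print("cpcar arp-miss drops:", cpcar_drops_by_board(evs))
```

Feed it the output of the device's log buffer or a syslog collector; the login counts tell you which sources to compare against the legitimate management addresses before enabling auto-punish or the access blacklist, and the per-board CPCAR totals show whether the ARP Miss storm is saturating the LPU rather than the MPU, which is what the CIR/CBS adjustment in the solution below targets.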


Root cause

The device was under attack from a large volume of protocol packets such as Telnet and ARP Miss, which drove CPU usage too high; the device fell out of management and users could not log in normally.

Solution

1. For the Telnet protocol packet attack

(1) Analyze whether the source IP addresses of the login requests are legitimate; if the attack sources are not legitimate IP addresses, the attack source tracing auto-punish function can be enabled;

(2) Configure a blacklist to restrict Telnet/FTP access so that only specific IP addresses are allowed (see the product manual for the exact commands)

2. For the ARP Miss packet attack

(1) Mitigate by adjusting the arp-miss CPCAR value

#

cpu-defend policy test

 car packet-type arp-miss cir 64 cbs 12032

#

slot 2

cpu-defend-policy test

#

(2) Mitigate the high CPU by extending the ARP fake-entry aging time (note: an aging time set too large can make ARP learning untimely and cause data traffic loss)

#

interface Vlanif500

arp-fake expire-time 30    -- default is 5s

#

(3) Identify the attack source IP (display arp anti-attack arpmiss-record-info)

Configure source-IP-based ARP Miss rate limiting; the system automatically identifies source IPs that exceed the rate and automatically delivers an ACL to punish them (by default, the ARP Miss source suppression rate for all IP addresses is 5 pps and the default punishment time is 50)

END