R3640: Abnormal Network Interface Operation under a Hacker's Attack

Publication Date: 2012-07-27
Issue Description
Fault symptom

Networking overview:
1) The R3640 is configured with two Ethernet interfaces. Ethernet interface E0 connects to a layer-3 desktop switch, carries a public IP address and acts as the egress to the Internet.
2) Ethernet interface E1 connects the internal private-network users through a layer-2 switch; its address is in 172.16.xxx.xxx.
3) The internal users reach the Internet through NAT, using an IP POOL of 16 public addresses.

Fault phenomenon:
1) The port of the desktop switch that connects to the R3640 shows high utilization, although the user traffic through the R3640 is not large.
2) Logging on to the R3640 and executing display interface shows that the inbound traffic on Eth0 is far larger than the outbound traffic on Eth1. For a router that only forwards between these two interfaces this is abnormal: what comes in on the WAN side should, apart from traffic addressed to the router itself, leave on the LAN side.
Handling Process
Solution
1) The users can access the Internet normally, so NAT and route forwarding are working.
2) The output of DEBUG IP ICMP and DEBUG IP PACKET shows records of the following form:

    IP: Version = 4, HdrLen = 5, TOS = 0, Total Len = 1500 ID = 59736, Offset = 0, TTL = 1, Protocol = 6, Chksum = 53780 s = 216.153.162.xxx, d = 218.104.xxx.xxx, if = Ethernet0, Received

A large number of such packets with TTL = 1 (the header shows Protocol = 6, i.e. TCP, not ICMP) are continuously sent to one public address in the NAT IP POOL. Because the router decrements the TTL on every forwarded packet, a packet that arrives with TTL = 1 expires at the router: it is discarded and an ICMP Time Exceeded message is generated back to the source. Each such 1500-byte packet therefore counts as inbound traffic on E0, never appears as outbound traffic on E1, and costs CPU time for the ICMP reply. This is what makes E0 excessively busy and drives up the utilization of the upstream switch port.
3) Remove the attacked address from the IP POOL. Execute CLEAR PORT E0 and CLEAR PORT E1 to reset the interface statistics, then run display interface again: the traffic on E0 and E1 is now basically consistent and the port utilization on the upper-layer desktop switch returns to normal. Repeat the comparison after the counters have accumulated for a while to confirm that the two figures stay aligned. Note that taking the address out of the pool only removes it from NAT use; if the flood keeps arriving on E0 it still has to be filtered upstream or with an inbound ACL on E0.
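The following Python script is an added illustration and is not part of the original case or of the R3640's own tooling. It parses records in the DEBUG IP PACKET format quoted above, classifies each packet by the router's TTL rule (a packet arriving with TTL = 1 expires at the router and is never forwarded), aggregates the expiring packets per destination, and flags any address in the NAT pool that is receiving a flood of them. It also applies the E0-in versus E1-out counter check from the case. The sample records and the NAT pool addresses are constructed for the example; the thresholds are assumptions, not values from the case.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on the single DEBUG IP PACKET record quoted in the
# case. Addresses, IDs and checksums are made up for the example; the first three
# records stand for the TTL = 1 flood, the last two for ordinary traffic.
SAMPLE_DEBUG = """\
*0.123 R3640 IP: debugging ip packet is on
IP: Version = 4, HdrLen = 5, TOS = 0, Total Len = 1500 ID = 59736, Offset = 0, TTL = 1, Protocol = 6, Chksum = 53780 s = 216.153.162.10, d = 218.104.0.20, if = Ethernet0, Received
IP: Version = 4, HdrLen = 5, TOS = 0, Total Len = 1500 ID = 59737, Offset = 0, TTL = 1, Protocol = 6, Chksum = 53779 s = 216.153.162.10, d = 218.104.0.20, if = Ethernet0, Received
IP: Version = 4, HdrLen = 5, TOS = 0, Total Len = 1500 ID = 59738, Offset = 0, TTL = 1, Protocol = 6, Chksum = 53778 s = 216.153.162.11, d = 218.104.0.20, if = Ethernet0, Received
IP: Version = 4, HdrLen = 5, TOS = 0, Total Len = 60 ID = 1201, Offset = 0, TTL = 52, Protocol = 6, Chksum = 4101 s = 93.184.216.34, d = 218.104.0.21, if = Ethernet0, Received
IP: Version = 4, HdrLen = 5, TOS = 0, Total Len = 84 ID = 7, Offset = 0, TTL = 1, Protocol = 1, Chksum = 2210 s = 10.0.0.9, d = 218.104.0.21, if = Ethernet0, Received
"""

# Hypothetical NAT pool: two of the 16 public addresses the case describes.
NAT_POOL = {"218.104.0.20", "218.104.0.21"}

# Fields of one record; the lazy ".*?" skips the fields we do not need.
RECORD_RE = re.compile(
    r"Total Len = (?P<length>\d+).*?TTL = (?P<ttl>\d+), Protocol = (?P<proto>\d+)"
    r".*?s = (?P<src>[\d.]+), d = (?P<dst>[\d.]+), if = (?P<iface>\w+)"
)


def parse_debug_records(text):
    """Return one dict per IP record; lines that are not records are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.search(line)
        if not m:
            continue
        r = m.groupdict()
        for key in ("length", "ttl", "proto"):
            r[key] = int(r[key])
        records.append(r)
    return records


def forwarding_decision(ttl):
    """Router TTL rule: decrement, and if the result is 0 discard the packet and
    send ICMP Time Exceeded to the source. A packet arriving with TTL <= 1 is
    therefore consumed by the router and never reaches the egress interface."""
    return "expired" if ttl <= 1 else "forwarded"


def find_ttl_expiry_floods(records, nat_pool, min_packets=2):
    """Per NAT-pool destination, count packets that expire at the router and
    report those at or above min_packets (a threshold assumed for the example)."""
    pkts, byts, sources = Counter(), Counter(), defaultdict(set)
    for r in records:
        if r["dst"] in nat_pool and forwarding_decision(r["ttl"]) == "expired":
            pkts[r["dst"]] += 1
            byts[r["dst"]] += r["length"]
            sources[r["dst"]].add(r["src"])
    return {
        dst: {"packets": n, "bytes": byts[dst], "sources": sorted(sources[dst])}
        for dst, n in pkts.items()
        if n >= min_packets
    }


def counter_imbalance(e0_in_bytes, e1_out_bytes, tolerance=0.2):
    """The check from the case: WAN inbound should roughly equal LAN outbound.
    True when E0 inbound exceeds E1 outbound by more than the tolerance fraction."""
    if e0_in_bytes <= 0:
        return False
    return (e0_in_bytes - e1_out_bytes) / e0_in_bytes > tolerance


if __name__ == "__main__":
    recs = parse_debug_records(SAMPLE_DEBUG)
    for dst, info in find_ttl_expiry_floods(recs, NAT_POOL).items():
        print(f"{dst}: {info['packets']} expiring packets, {info['bytes']} bytes, "
              f"from {', '.join(info['sources'])}")
    print("E0/E1 imbalance:", counter_imbalance(1_000_000, 400_000))
```

Run against a saved debug capture instead of SAMPLE_DEBUG, the per-destination result tells you which pool address to take out of service and which source addresses to have filtered upstream; the single TTL = 1 ICMP packet to 218.104.0.21 in the sample stays below the threshold, which is the point of counting rather than alerting on every expiring packet.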
Root Cause
On a router that only forwards between a WAN interface and a LAN interface, the inbound traffic on E0 and the outbound traffic on E1 should be basically the same. A large surplus on E0 means one of two things:
1) Traffic received on E0 from the WAN is not being forwarded to E1. That is the case here: the flood of packets arriving with TTL = 1 expires at the router, which discards each one and answers with ICMP Time Exceeded, so the bytes are counted on E0 but never leave on E1.
2) The interface hardware is faulty.