VDSL users of MA5300 attached to MA5200F go offline abnormally due to an attack on MA5200F

Publication Date: 2012-07-27
Issue Description
At a site, some VDSL users of an MA5300 attached to an MA5200F (running release 7127SP08) go offline abnormally.

Alarm Information
Checking the MA5200F shows that it records these users going offline because of PPP Echo Fail; the specific record is:

User name : a02259816431@pppoe
User MAC : 000a-ebd3-db4d
User access type : ppp
User access slot : 0
User port type : Ethernet
User access port : 3
User access Vlan : 365
User IP address : 221.238.4.11
User ID : 137
User authen state : Authened
User acct state : AcctIdle
User author state : AuthorIdle
User acct sessionID: TianDaK050621082622e12af16400137
User login time : 2005/06/21 17:26:22
User offline time : 2005/06/21 17:30:5
User offline reason: PPP echo fail

Handling Process
Change the running mode of the MA5200F to Simple mode and reset the system; after a period of observation, the failure does not recur.

Root Cause
If a user goes offline normally, the recorded reason should be "PPP user request".

For PPP users, the BAS equipment works together with the PPP client to maintain each user's online state via PPP Echo packets. While the MA5200F keeps a user online, it sends a PPP Echo packet every 20 seconds by default, and it retries three times if no response is received from the client. Users go offline because of PPP Echo Fail for the following reasons:

1. The PPP client crashes or the modem is powered down, so the PPP client cannot respond to PPP Echo packets;
2. The VDSL ports are re-synchronized;
3. The layer-2 network attached to the MA5200F port is poorly designed: many users share one VLAN that carries too much traffic, so the PPP Echo packets sent by the MA5200F receive no response within 60 seconds (at this site the MA5300 assigns one VLAN per user, so this does not apply);
4. The MA5200F system is under attack and its CPU usage is too high, leaving too few resources to maintain the PPP Echo packets of attached users. The system log shows that the MA5200F receives abundant abnormal packets from port 6 (attached to the port of the failed site), with the following alarm information:
# [06/20/2005 23:12:06-] AAA-5-02042003:
Host packet singular IP:221.238.4.14 MAC:0008-0d9e-a715 Portvlan:FE6-514
# [06/20/2005 23:04:39-] AAA-5-02042003:
Host packet singular IP:221.238.4.45 MAC:0000-f082-ed49 Portvlan:FE6-342
# [06/20/2005 23:02:12-] AAA-5-02042003:
Host packet singular IP:221.238.4.14 MAC:0008-0d9e-a715 Portvlan:FE6-514
# [06/20/2005 22:52:18-] AAA-5-02042003:
Host packet singular IP:221.238.4.14 MAC:0008-0d9e-a715 Portvlan:FE6-514
# [06/20/2005 22:42:24-] AAA-5-02042003:
Host packet singular IP:221.238.4.14 MAC:0008-0d9e-a715 Portvlan:FE6-514
# [06/20/2005 22:22:50-] AAA-5-02042003:
Host packet singular IP:221.238.4.140 MAC:0005-5d86-7f58 Portvlan:FE6-180
# [06/20/2005 22:22:35-] AAA-5-02042003:
Host packet singular IP:221.238.4.14 MAC:0008-0d9e-a715 Portvlan:FE6-514

Generally, when the MA5200F runs in normal mode and is attacked by virus traffic from attached users, CPU usage reaches 80%-90%, and the VDSL users accessing through the MA5300 go offline.
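The case identifies the attack source by reading the AAA-5-02042003 "Host packet singular" alarms by hand. The following added example (not part of the original case, and not MA5200F software) parses alarms in that format, counts them per port/VLAN, MAC and IP, and totals them per physical port so the attacked uplink and the noisiest host stand out; the log lines are a constructed sample modelled on the ones quoted above.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample, modelled on the AAA-5-02042003 "Host packet singular" alarms quoted in this case.
SAMPLE_LOG = """\
# [06/20/2005 23:12:06-] AAA-5-02042003:
Host packet singular IP:221.238.4.14 MAC:0008-0d9e-a715 Portvlan:FE6-514
# [06/20/2005 23:04:39-] AAA-5-02042003:
Host packet singular IP:221.238.4.45 MAC:0000-f082-ed49 Portvlan:FE6-342
# [06/20/2005 23:02:12-] AAA-5-02042003:
Host packet singular IP:221.238.4.14 MAC:0008-0d9e-a715 Portvlan:FE6-514
# [06/20/2005 22:52:18-] AAA-5-02042003:
Host packet singular IP:221.238.4.14 MAC:0008-0d9e-a715 Portvlan:FE6-514
# [06/20/2005 22:22:50-] AAA-5-02042003:
Host packet singular IP:221.238.4.140 MAC:0005-5d86-7f58 Portvlan:FE6-180
"""

HEADER_RE = re.compile(r"^# \[(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)-\] AAA-5-02042003:")
BODY_RE = re.compile(r"^Host packet singular IP:(\S+) MAC:(\S+) Portvlan:(\S+)")

def parse_alarms(text):
    """Pair each two-line alarm (timestamp header + body) into a dict; unmatched lines are skipped."""
    lines, events = text.splitlines(), []
    for head, body in zip(lines, lines[1:]):
        h, b = HEADER_RE.match(head), BODY_RE.match(body)
        if h and b:
            events.append({"time": datetime.strptime(h.group(1), "%m/%d/%Y %H:%M:%S"),
                           "ip": b.group(1), "mac": b.group(2), "portvlan": b.group(3)})
    return events

def rank_sources(events, threshold=2):
    """Alarms per (Portvlan, MAC, IP), busiest first, keeping only sources at or above threshold."""
    counts = Counter((e["portvlan"], e["mac"], e["ip"]) for e in events)
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(key, n) for key, n in ranked if n >= threshold]

def alarms_per_port(events):
    """Alarm totals per physical port (the part of Portvlan before '-'), to confirm which uplink is hit."""
    return dict(Counter(e["portvlan"].split("-", 1)[0] for e in events))
```

Feeding the real log export to parse_alarms and then rank_sources gives the (port/VLAN, MAC, IP) tuples to check on the MA5300 side, and alarms_per_port confirms the port 6 concentration the case describes.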

Suggestions

1. If services such as NAT are not used, it is suggested to change the running mode of the MA5200F to Simple mode to reduce CPU usage. To do so, execute the bootload simple-version command in system view; the system runs in Simple mode as soon as it is reset after this configuration.

2. After changing the system mode to Simple, it is suggested to configure a virus-protection ACL on the MA5200F to lessen the impact of virus traffic on the system, with the detailed configuration as follows:

acl number 3000 match-order auto
 rule 0 deny tcp destination-port eq 445
 rule 24 deny tcp destination-port eq 5800
 rule 28 deny tcp destination-port eq 5900
 rule 32 deny tcp destination-port eq 1000
 rule 36 deny tcp destination-port eq 9995
 rule 40 deny tcp destination-port eq 9996
 rule 44 deny tcp destination-port eq 5554
 rule 48 deny tcp destination-port eq 1068
 rule 52 deny udp destination-port eq netbios-ns
 rule 56 deny udp destination-port eq netbios-dgm
 rule 60 deny udp destination-port eq netbios-ssn
 rule 64 deny tcp destination-port eq 539
 rule 68 deny udp destination-port eq 445
 rule 72 deny udp destination-port eq tftp
 rule 76 deny tcp destination-port eq 4444
 rule 80 deny udp destination-port eq 6667
 rule 84 deny tcp destination-port eq 1025
 rule 88 deny tcp destination-port eq 1418
 rule 8 deny tcp destination-port eq 136
 rule 12 deny tcp destination-port eq 137
 rule 16 deny tcp destination-port eq 138
 rule 25 net-user deny tcp source-port eq 5800
 rule 29 net-user deny tcp source-port eq 5900
 rule 1 net-user deny tcp destination-port eq 445
 rule 33 net-user deny tcp destination-port eq 1000
 rule 37 net-user deny tcp destination-port eq 9995
 rule 41 net-user deny tcp destination-port eq 9996
 rule 45 net-user deny tcp destination-port eq 5554
 rule 49 net-user deny tcp destination-port eq 1068
 rule 53 net-user deny udp destination-port eq netbios-ns
 rule 57 net-user deny udp destination-port eq netbios-dgm
 rule 61 net-user deny udp destination-port eq netbios-ssn
 rule 65 net-user deny tcp destination-port eq 539
 rule 69 net-user deny udp destination-port eq 445
 rule 73 net-user deny udp destination-port eq tftp
 rule 77 net-user deny tcp destination-port eq 4444
 rule 81 net-user deny udp destination-port eq 6667
 rule 85 net-user deny tcp destination-port eq 1025
 rule 89 net-user deny tcp destination-port eq 1418
 rule 9 net-user deny tcp destination-port eq 136
 rule 13 net-user deny tcp destination-port eq 137
 rule 17 net-user deny tcp destination-port eq 138
 rule 2 user-net deny tcp destination-port eq 445
 rule 26 user-net deny tcp destination-port eq 5800
 rule 30 user-net deny tcp destination-port eq 5900
 rule 34 user-net deny tcp destination-port eq 1000
 rule 38 user-net deny tcp destination-port eq 9995
 rule 42 user-net deny tcp destination-port eq 9996
 rule 46 user-net deny tcp destination-port eq 5554
 rule 50 user-net deny tcp destination-port eq 1068
 rule 54 user-net deny udp destination-port eq netbios-ns
 rule 58 user-net deny udp destination-port eq netbios-dgm
 rule 62 user-net deny udp destination-port eq netbios-ssn
 rule 66 user-net deny tcp destination-port eq 539
 rule 70 user-net deny udp destination-port eq 445
 rule 74 user-net deny udp destination-port eq tftp
 rule 78 user-net deny tcp destination-port eq 4444
 rule 82 user-net deny udp destination-port eq 6667
 rule 86 user-net deny tcp destination-port eq 1025
 rule 90 user-net deny tcp destination-port eq 1418
 rule 10 user-net deny tcp destination-port eq 136
 rule 14 user-net deny tcp destination-port eq 137
 rule 18 user-net deny tcp destination-port eq 138
 rule 3 user-user deny tcp destination-port eq 445
 rule 27 user-user deny tcp destination-port eq 5800
 rule 31 user-user deny tcp destination-port eq 5900
 rule 35 user-user deny tcp destination-port eq 1000
 rule 39 user-user deny tcp destination-port eq 9995
 rule 43 user-user deny tcp destination-port eq 9996
 rule 47 user-user deny tcp destination-port eq 5554
 rule 51 user-user deny tcp destination-port eq 1068
 rule 55 user-user deny udp destination-port eq netbios-ns
 rule 59 user-user deny udp destination-port eq netbios-dgm
 rule 63 user-user deny udp destination-port eq netbios-ssn
 rule 67 user-user deny tcp destination-port eq 539
 rule 71 user-user deny udp destination-port eq 445
 rule 75 user-user deny udp destination-port eq tftp
 rule 79 user-user deny tcp destination-port eq 4444
 rule 83 user-user deny udp destination-port eq 6667
 rule 87 user-user deny tcp destination-port eq 1025
 rule 91 user-user deny tcp destination-port eq 1418
 rule 15 user-user deny tcp destination-port eq 137
 rule 19 user-user deny tcp destination-port eq 138
 rule 11 user-user deny tcp destination-port eq 136

Apply the ACL globally with the command: [MA5200F] access-group 3000
