February 11 2023 9:57:02 9303-1 %%01SECE/4/SPECIFY_SIP_ATTACK(l)[412]:The specified source IP address attack occurred.(Slot=LPU1, SourceAttackIP=80.82.78.27, AttackProtocol=TCP, AttackPackets=125 packets per second)
February 11 2023 9:57:02 9303-1 %%01SECE/4/SPECIFY_SIP_ATTACK(l)[413]:The specified source IP address attack occurred.(Slot=MPU, SourceAttackIP=80.82.78.27, AttackProtocol=TCP, AttackPackets=150 packets per second)
Device queried
Huawei switch: S9300
Why this problem came to attention
One day I noticed that the device's CPU usage had suddenly risen and then stayed flat at that high level.
Basic elimination: normal daily traffic showed no problems.
Checking the logs: I found the entries above. Several address ranges were making frequent abnormal access (attacks), and multiple class C ranges were rotating through their IPs to carry out that abnormal access.
<9303-1>display auto-defend attack-source history
Attack History User Table (MPU):
------------------------------------------------------------------------------
AttackTime                     MacAddress          IFName       Vlan:O/I   Protocol   PPS
------------------------------------------------------------------------------
Attack History IP Table (MPU):
----------------------------------------------------------------------------
AttackTime                     IPAddress                   Protocol   PPS
----------------------------------------------------------------------------
S:2023-02-10 23:42:46          89.248.163.36               TCP        95
E:2023-02-10 23:49:56
S:2023-02-10 23:45:20          80.82.70.217                TCP        165
E:2023-02-10 23:51:27
S:2023-02-10 23:51:14          89.248.163.59               TCP        165
E:2023-02-10 23:58:57
S:2023-02-10 23:59:22          103.25.30.1                 ARP        150
E:2023-02-11 00:04:26
S:2023-02-11 00:07:02          89.248.163.209              TCP        110
E:2023-02-11 00:12:56
S:2023-02-11 00:15:55          89.248.163.157              TCP        175
E:2023-02-11 00:22:06
S:2023-02-11 01:00:16          89.248.163.209              TCP        65
E:2023-02-11 01:05:17
S:2023-02-11 01:12:26          89.248.163.59               TCP        145
E:2023-02-11 01:20:07
S:2023-02-11 01:15:04          89.248.163.36               TCP        85
E:2023-02-11 01:20:17
S:2023-02-11 01:38:15          89.248.163.36               TCP        120
E:2023-02-11 01:44:17
S:2023-02-11 01:40:13          89.248.163.59               TCP        125
E:2023-02-11 01:47:37
S:2023-02-11 01:50:00          89.248.163.154              TCP        150
E:2023-02-11 01:55:57
S:2023-02-11 02:00:45          89.248.163.36               TCP        90
E:2023-02-11 02:07:37
S:2023-02-11 02:06:12          89.248.163.59               TCP        140
E:2023-02-11 02:13:57
S:2023-02-11 02:24:46          89.248.163.36               TCP        85
E:2023-02-11 02:31:27
S:2023-02-11 02:36:41          89.248.163.59               TCP        110
E:2023-02-11 02:44:17
S:2023-02-11 03:21:55          89.248.163.157              TCP        165
E:2023-02-11 03:27:57
S:2023-02-11 03:36:13          89.248.163.159              TCP        90
E:2023-02-11 03:41:47
S:2023-02-11 04:55:50          89.248.163.157              TCP        120
E:2023-02-11 05:02:17
S:2023-02-11 05:43:00          89.248.165.99               TCP        260
E:2023-02-11 05:49:27
S:2023-02-11 05:43:23          89.248.165.246              TCP        225
E:2023-02-11 05:50:37
S:2023-02-11 05:44:25          89.248.165.68               TCP        280
E:2023-02-11 05:52:07
S:2023-02-11 06:30:53          89.248.163.150              TCP        140
E:2023-02-11 06:36:57
S:2023-02-11 06:40:46          89.248.163.159              TCP        85
Filter the output down to just the IP column, using Linux:
[root@localhost test]# cat test.txt | awk '{print $3}'
89.248.163.36
80.82.70.217
89.248.163.59
89.248.163.209
89.248.163.157
89.248.163.209
89.248.163.59
89.248.163.36
89.248.163.36
89.248.163.59
89.248.163.154
89.248.163.36
89.248.163.59
89.248.163.36
89.248.163.59
89.248.163.157
89.248.163.159
89.248.163.157
89.248.165.99
89.248.165.246
89.248.165.68
89.248.163.150
89.248.163.159
......
From this, the address ranges that attack most frequently become clear.
Manual intervention
I looked up a similar method on the vendor's official site:
• Configure a blacklist to prevent protocol packets from specified users being sent to the CPU
When the CPCAR rate of a protocol increases abnormally, you can suspect that some user is sending an abnormally large volume of traffic to the CPU. By capturing packets you can identify the characteristics of that user's traffic; if it has fixed characteristics such as a fixed source IP or fixed source MAC, you can configure a blacklist to stop the abnormal traffic from being sent to the CPU.
Block packets from specified fixed source IPs from being sent to the CPU
Configure the ACL that matches the traffic to be denied (in a blacklist, the ACL's permit rules select the traffic that gets dropped):
acl number 3400
rule 10 permit ip source 89.248.163.0 0.0.0.255
rule 11 permit ip source 89.248.165.0 0.0.0.255
rule 12 permit ip source 92.63.196.0 0.0.0.255
rule 13 permit ip source 94.102.51.0 0.0.0.255
rule 14 permit ip source 80.82.70.0 0.0.0.255
Configure the cpu-defend policy and apply a blacklist that references the ACL:
cpu-defend policy 1
blacklist 1 acl 3400
Apply it globally:
cpu-defend-policy 1 global
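As an added example (not from the original post or from Huawei), here is a small Python script that does the whole selection step above in one pass: it parses the `display auto-defend attack-source history` output, groups TCP attack sources by /24, and emits the blacklist ACL rules for the prefixes seen most often. The sample output, the hit threshold and the rule numbering are assumptions for illustration.

```python
# Added example (not from the post): parse the switch's attack-source history,
# group TCP sources by /24 and emit Huawei blacklist ACL rules for busy prefixes.
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the layout of 'display auto-defend attack-source history'.
SAMPLE_OUTPUT = """\
AttackTime                     IPAddress                   Protocol   PPS
----------------------------------------------------------------------------
S:2023-02-10 23:42:46          89.248.163.36               TCP        95
E:2023-02-10 23:49:56
S:2023-02-10 23:45:20          80.82.70.217                TCP        165
E:2023-02-10 23:51:27
S:2023-02-10 23:51:14          89.248.163.59               TCP        165
E:2023-02-10 23:58:57
S:2023-02-10 23:59:22          103.25.30.1                 ARP        150
S:2023-02-11 05:43:00          89.248.165.99               TCP        260
"""

# Only "S:" (start) rows carry the source IP, protocol and packet rate.
ROW = re.compile(r"^S:(\S+ \S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\w+)\s+(\d+)\s*$")

def parse_history(text):
    """Return (start_time, ip, protocol, pps) for every attack entry."""
    return [(m[1], m[2], m[3], int(m[4]))
            for m in map(ROW.match, text.splitlines()) if m]

def group_by_prefix(entries, prefixlen=24, protocol="TCP"):
    """Hit count and peak PPS per prefix, for one protocol."""
    stats = defaultdict(lambda: {"hits": 0, "max_pps": 0})
    for _, ip, proto, pps in entries:
        if proto == protocol:
            net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
            stats[net]["hits"] += 1
            stats[net]["max_pps"] = max(stats[net]["max_pps"], pps)
    return dict(stats)

def acl_rules(stats, min_hits=2, first_rule=10):
    """ACL lines for prefixes seen at least min_hits times. In a cpu-defend
    blacklist the ACL's permit rules select the traffic that gets dropped."""
    busy = sorted(n for n, s in stats.items() if s["hits"] >= min_hits)
    return [f"rule {first_rule + i} permit ip source {n.network_address} {n.hostmask}"
            for i, n in enumerate(busy)]

if __name__ == "__main__":
    print("acl number 3400")
    for rule in acl_rules(group_by_prefix(parse_history(SAMPLE_OUTPUT))):
        print(rule)
```

Lowering `min_hits` to 1 lists every /24 that appeared, which is closer to what the post's ACL does; the threshold is there so a single hit from a legitimate source does not get blacklisted by accident.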
Observe after a while:
CPU usage dropped.
I found a similar graph to show here; the graph from that time was not saved.
From: https://blog.51cto.com/506554897/6500639