求助:ERX1400受到攻击如何解决
ERX1400作为BARS,下挂S8508,其中S8508只做2层使用,最近陆续收到用户反应一边下载一边PING 网关丢包的事,具体情况如下:首先用户单独ping网关,可以ping通时延也正常;用户下载测速也可以达到速率要求;一边下载一边PING 网关出现比较严重的丢包。到机房实际测试:1·选2个空闲端口都配成10M,一个是全双工一个是自适应,分配几个不同网段的地址,均出现用户反应的情况;2·选一个用户量相当的机房做测试,此时用华为的5200G做BARS,下挂S8508,做类似于1的操作,没有出现丢包的情况。所以基本排出S8508的问题
登陆到ERX1400上,使用命令 show ip traffic,得到结果如下
Rcvd: 2578589197086 total, 268438974 local destination
8008181 hdr errors, 147 addr errors
42339109 unkn proto, 4900977788 discards
193371442 multicast
Sent: 2483585779204 forwarded, 98626734 generated, 0 out disc
36787972 no routes,0 routing discards
0 multicast forwarded
Local Frags: 660 reassembled, 12983 reasm req
9898 reasm fails, 607231078 frag ok, 0 frag fail
1214463455 frag creates
Route: 3692 routes in table
ICMP statistics:
Rcvd: 472214924 total, 31872 errors, 70606 dst unreach
33319 time exceed, 12 param probs, 1096 src quench
13081 redirects, 471993718 echo req, 71212 echo rpy
2 timestamp req, 0 timestamp rpy
6 addr mask req, 0 addr mask rpy
Sent: 542647867 total, 0 errors, 36787972 dest unreach
65933417 time excd, 0 param prob, 0 src quench
1550 redirects, 70073 echo req, 471993718 echo rpy
0 timestamp req, 0 timestamp rpy
0 addr mask req, 0 addr mask rpy
UDP Statistics:
Rcvd: 50459059 total, 559 checksum errors, 36815478 no port
Sent: 11576809 total, 0 errors
TCP Global Statistics:
Connections: 1984 attempted, 214128 accepted, 215167 established
15 dropped, 216120 closed, 5 currently established
Rcvd: 33408967 total pkts, 148345 in-sequence pkts, 1086133 bytes
6 chksum err pkts, 0 authentication err pkts, 928 bad offset pkts
0 short pkts, 5874 duplicate pkts, 205106 out of order pkts
Sent: 930959 total pkts, 175158 data pkts, 17766280 bytes
446 retransmitted pkts, 87768 retransmitted bytes
同时,登陆到一个正常的ERX上show ip traffic 得到结果如下:
Rcvd: 1288222598021 total, 245794138 local destination
23228964 hdr errors, 2836 addr errors
11451282 unkn proto, 9701889252 discards
190584156 multicast
Sent: 1097542838630 forwarded, 206545023 generated, 0 out disc
19769387 no routes,0 routing discards
0 multicast forwarded
Local Frags: 2590 reassembled, 13663 reasm req
6370 reasm fails, 1066269123 frag ok, 19765746 frag fail
2132547117 frag creates
Route: 4781 routes in table
ICMP statistics:
Rcvd: 56097175 total, 28350 errors, 47981395 dst unreach
10678 time exceed, 0 param probs, 136 src quench
453 redirects, 7149636 echo req, 926518 echo rpy
4 timestamp req, 0 timestamp rpy
5 addr mask req, 0 addr mask rpy
Sent: 137380473 total, 0 errors, 29183970 dest unreach
117078619 time excd, 0 param prob, 0 src quench
132 redirects, 915368 echo req, 7149636 echo rpy
0 timestamp req, 0 timestamp rpy
0 addr mask req, 0 addr mask rpy
UDP Statistics:
Rcvd: 49542401 total, 2194 checksum errors, 67732771 no port
Sent: 144723785 total, 0 errors
TCP Global Statistics:
Connections: 4863 attempted, 2806 accepted, 7371 established
11 dropped, 7665 closed, 5 currently established
Rcvd: 9864898 total pkts, 409282 in-sequence pkts, 1517934 bytes
0 chksum err pkts, 0 authentication err pkts, 260 bad offset pkts
0 short pkts, 524 duplicate pkts, 6161 out of order pkts
Sent: 875525 total pkts, 695149 data pkts, 153402644 bytes
547 retransmitted pkts, 282966 retransmitted bytes
比较两个结果,发现TCP Global Statistics 的值差别很大,猜测可能是TCP/IP攻击所致,用show ip traffic显示时ICMP statistics: Rcvd: 56097175 total 变化很大,是正常ERX的数十倍,猜测可能受到ICMP攻击。
求牛人帮助分析解决,不胜感激
另外 show utilization 得到结果如下
Please wait....
System Resource Utilization
---------------------------
heap cpu bw
slot type (%) (%) exceed
---- -------- ---- --- ------
0 --- --- --- ---
1 --- --- --- ---
2 GE 29 12 ---
3 --- --- --- ---
4 GE 25 7 ---
5 --- --- --- ---
6 SRP-10Ge 8 2 ---
7 SRP-10Ge 12 51 ---
8 --- --- --- ---
9 --- --- --- ---
10 GE 25 100 ---
11 --- --- --- ---
12 GE 25 8 ---
13 --- --- --- ---
第十板和S8508相连,用于网吧用户接入
2001-2007 Comsenz Inc.
