博威---云架构决胜云计算

 找回密码
 注册

QQ登录

只需一步,快速开始

搜索
查看: 1959|回复: 1

华为交换机ARP病毒分析并解决方法(20070412阶段)

[复制链接]
发表于 2007-4-13 09:31:08 | 显示全部楼层 |阅读模式
ARP病毒分析并解决方法(20070412阶段)


前一段时间几乎被ARP病毒气死了,明明知道网内有机器中毒,乱发ARP包干扰网络,但就是不知道是谁,抓包也看不出来(可能与当时分析包的经验有关)。
经过一段时间的琢磨,终于在自己的网络中实现了ARP爆发后快速定位中毒发作机器,在第一时间内使问题得到控制并解决。

我的网络环境,核心交换机华为3928P-EI,8个vlan,分中心是3928P-SI,默认个vlan,1000余终端,开有DHCP服务,有solarwinds Orion平台。

另外,我用的抓包工具是那种不需要安装的《网络安全保障平台》,杀毒软件是dr.web 4.33。

先说一下我对ARP病毒的理解和所思考的应对方法:

ARP病毒发作时的工作方式:
1、中毒机器发送ARP广播,造成交换机ARP表混乱;
2、中毒机器发送ARP广播,造成其他电脑ARP表混乱;
3、中毒机器发送ARP欺骗,造成交换机ARP表混乱;
4、中毒机器发送ARP欺骗,造成其他电脑ARP表混乱;

特点:
1、由于一般交换机的ARP刷新时间为5分钟,所以中毒机器如果要用ARP干扰机器,必须较为频繁的发送ARP包;
2、由于中毒机器需要正常通信(这样才能与网络中的机器通信,我是这样理解的),所以,中毒机器自己的MAC与IP对应关系无论在交换机还是在本机上都是正确的(即使使用修改过后的MAC——注意1);
3、中毒机器可以连续有规律的发ARP包干扰网络通信,但这种方式容易被抓包发现;
4、中毒机器为干扰网络可以发送虚假(可以没有规律)的MAC地址与IP地址对应关系的ARP包,这种包理论上不需要太多,只要能干扰就行了;
5、如果中毒机器总发相同的MAC干扰包,那可能是人为控制的,即使不是人为控制,这种干扰方式更容易被发现;

;注意1,不管中毒机器是否修改本机MAC地址,总得是一个能通信的MAC;如果ARP病毒能随时修改本机MAC以隐藏自己,这就更加复杂和难以查找了;不过目前还没有遇到修改本机MAC的ARP病毒及其变种。

行动:
1、管理上:所有机器计算机名实名制;
2、技术上:发布Solariwinds Orion的Web页面;

操作:
1、在被监控的众多设备中,如果vlan内ARP病毒发作,那么该vlan内的被监控设备若被干扰到,应该会在监控页面上显示为断线(因为通信中断);这是判断ARP发作的必要条件;
2、发现有设备断线,需要telnet到核心或者分中心3928交换机上,打开“信息中心”(info-center enable),让交换机检测冲突,如有冲突,会有如下显示(借用了网友的信息,谢谢):

#May 10 21:15:01:261 2000 Quidway ARP/5/DUPIP:- 1 -IP address 92.168.10.185 collision detected, sourced by 0011-2550-10b2 on Ethernet1/0/8 of VLAN5 and 0010-c6a8-7ff1 on Ethernet1/0/10 of VLAN5
%May 10 21:15:01:264 2000 Quidway ARP/5/DUPIP:- 1 -IP address 92.168.10.185 collision detected, sourced by 0011-2550-10b2 on Ethernet1/0/8 of VLAN5 and 0010-c6a8-7ff1 on Ethernet1/0/10 of VLAN5
#May 10 21:15:10:777 2000 Quidway ARP/5/DUPIP:- 1 -IP address 92.168.10.185 collision detected, sourced by 0010-c6a8-7ff1 on Ethernet1/0/8 of VLAN5 and 0011-2550-10b2 on Ethernet1/0/8 of VLAN5
%May 10 21:15:10:779 2000 Quidway ARP/5/DUPIP:- 1 -IP address 92.168.10.185 collision detected, sourced by 0010-c6a8-7ff1 on Ethernet1/0/8 of VLAN5 and 0011-2550-10b2 on Ethernet1/0/8 of VLAN5
#May 10 21:15:19:557 2000 Quidway ARP/5/DUPIP:- 1 -IP address 92.168.10.186 collision detected, sourced by 0011-2550-10b2 on Ethernet1/0/8 of VLAN5 and 0050-04b7-0b3c on Ethernet1/0/10 of VLAN5
%May 10 21:15:19:560 2000 Quidway ARP/5/DUPIP:- 1 -IP address 92.168.10.186 collision detected, sourced by 0011-2550-10b2 on Ethernet1/0/8 of VLAN5 and 0050-04b7-0b3c on Ethernet1/0/10 of VLAN5
#May 10 21:15:29:79 2000 Quidway ARP/5/DUPIP:- 1 -IP address 92.168.10.186 collision detected, sourced by 0050-04b7-0b3c on Ethernet1/0/8 of VLAN5 and 0011-2550-10b2 on Ethernet1/0/8 of VLAN5
%May 10 21:15:29:81 2000 Quidway ARP/5/DUPIP:- 1 -IP address 92.168.10.186 collision detected, sourced by 0050-04b7-0b3c on Ethernet1/0/8 of VLAN5 and 0011-2550-10b2 on Ethernet1/0/8 of VLAN5
#May 10 21:15:37:857 2000 Quidway ARP/5/DUPIP:- 1 -IP address 92.168.10.187 collision detected, sourced by 0011-2550-10b2 on Ethernet1/0/8 of VLAN5 and 0016-e67b-a7e4 on Ethernet1/0/4 of VLAN5
%May 10 21:15:37:859 2000 Quidway ARP/5/DUPIP:- 1 -IP address 92.168.10.187 collision detected, sourced by 0011-2550-10b2 on Ethernet1/0/8 of VLAN5 and 0016-e67b-a7e4 on Ethernet1/0/4 of VLAN5
#May 10 21:15:47:376 2000 Quidway ARP/5/DUPIP:- 1 -IP address 92.168.10.187 collision detected, sourced by 0016-e67b-a7e4 on Ethernet1/0/8 of VLAN5 and 0011-2550-10b2 on Ethernet1/0/8 of VLAN5
%May 10 21:15:47:379 2000 Quidway ARP/5/DUPIP:- 1 -IP address 92.168.10.187 collision detected, sourced by 0016-e67b-a7e4 on Ethernet1/0/8 of VLAN5 and 0011-2550-10b2 on Ethernet1/0/8 of VLAN5
#May 10 21:15:56:150 2000 Quidway ARP/5/DUPIP:- 1 -IP address 92.168.10.188 collision detected, sourced by 0011-2550-10b2 on Ethernet1/0/8 of VLAN5 and 0014-2264-c948 on Ethernet1/0/4 of VLAN5
%May 10 21:15:56:153 2000 Quidway ARP/5/DUPIP:- 1 -IP address 92.168.10.188 collision detected, sourced by 0011-2550-10b2 on Ethernet1/0/8 of VLAN5 and 0014-2264-c948 on Ethernet1/0/4 of VLAN5
#May 10 21:16:05:666 2000 Quidway ARP/5/DUPIP:- 1 -IP address 92.168.10.188 collision detected, sourced by 0014-2264-c948 on Ethernet1/0/8 of VLAN5 and 0011-2550-10b2 on Ethernet1/0/8 of VLAN5
%May 10 21:16:05:668 2000 Quidway ARP/5/DUPIP:- 1 -IP address 92.168.10.188 collision detected, sourced by 0014-2264-c948 on Ethernet1/0/8 of VLAN5 and 0011-2550-10b2 on Ethernet1/0/8 of VLAN5
#May 10 21:16:14:446 2000 Quidway ARP/5/DUPIP:- 1 -IP address 92.168.10.189 collision detected, sourced by 0011-2550-10b2 on Ethernet1/0/8 of VLAN5 and 0011-2570-70ed on Ethernet1/0/4 of VLAN5
%May 10 21:16:14:449 2000 Quidway ARP/5/DUPIP:- 1 -IP address 92.168.10.189 collision detected, sourced by 0011-2550-10b2 on Ethernet1/0/8 of VLAN5 and 0011-2570-70ed on Ethernet1/0/4 of VLAN5
#May 10 21:16:23:968 2000 Quidway ARP/5/DUPIP:- 1 -IP address 92.168.10.189 collision detected, sourced by 0011-2570-70ed on Ethernet1/0/8 of VLAN5 and 0011-2550-10b2 on Ethernet1/0/8 of VLAN5
%May 10 21:16:23:971 2000 Quidway ARP/5/DUPIP:- 1 -IP address 92.168.10.189 collision detected, sourced by 0011-2570-70ed on Ethernet1/0/8 of VLAN5 and 0011-2550-10b2 on Ethernet1/0/8 of VLAN5
#May 10 21:16:32:743 2000 Quidway ARP/5/DUPIP:- 1 -IP address 92.168.10.190 collision detected, sourced by 0011-2550-10b2 on Ethernet1/0/8 of VLAN5 and 0010-c6a8-7c76 on Ethernet1/0/4 of VLAN5
%May 10 21:16:32:745 2000 Quidway ARP/5/DUPIP:- 1 -IP address 92.168.10.190 collision detected, sourced by 0011-2550-10b2 on Ethernet1/0/8 of VLAN5 and 0010-c6a8-7c76 on Ethernet1/0/4 of VLAN5
#May 10 21:16:42:258 2000 Quidway ARP/5/DUPIP:- 1 -IP address 92.168.10.190 collision detected, sourced by 0010-c6a8-7c76 on Ethernet1/0/8 of VLAN5 and 0011-2550-10b2 on Ethernet1/0/8 of VLAN5
%May 10 21:16:42:261 2000 Quidway ARP/5/DUPIP:- 1 -IP address 92.168.10.190 collision detected, sourced by 0010-c6a8-7c76 on Ethernet1/0/8 of VLAN5 and 0011-2550-10b2 on Ethernet1/0/8 of VLAN5
#May 10 21:16:51:39 2000 Quidway ARP/5/DUPIP:- 1 -IP address 92.168.10.191 collision detected, sourced by 0011-2550-10b2 on Ethernet1/0/8 of VLAN5 and 0017-a44f-a6d1 on Ethernet1/0/8 of VLAN5
%May 10 21:16:51:42 2000 Quidway ARP/5/DUPIP:- 1 -IP address 92.168.10.191 collision detected, sourced by 0011-2550-10b2 on Ethernet1/0/8 of VLAN5 and 0017-a44f-a6d1 on Ethernet1/0/8 of VLAN5
#May 10 21:17:00:556 2000 Quidway ARP/5/DUPIP:- 1 -IP address 92.168.10.191 collision detected, sourced by 0017-a44f-a6d1 on Ethernet1/0/8 of VLAN5 and 0011-2550-10b2 on Ethernet1/0/8 of VLAN5
%May 10 21:17:00:558 2000 Quidway ARP/5/DUPIP:- 1 -IP address 92.168.10.191 collision detected, sourced by 0017-a44f-a6d1 on Ethernet1/0/8 of VLAN5 and 0011-2550-10b2 on Ethernet1/0/8 of VLAN5
#May 10 21:17:09:382 2000 Quidway ARP/5/DUPIP:- 1 -IP address 92.168.10.192 collision detected, sourced by 0011-2550-10b2 on Ethernet1/0/8 of VLAN5 and 0017-a4f9-1dfb on Ethernet1/0/8 of VLAN5
%May 10 21:17:09:385 2000 Quidway ARP/5/DUPIP:- 1 -IP address 92.168.10.192 collision detected, sourced by 0011-2550-10b2 on Ethernet1/0/8 of VLAN5 and 0017-a4f9-1dfb on Ethernet1/0/8 of VLAN5
#May 10 21:17:18:903 2000 Quidway ARP/5/DUPIP:- 1 -IP address 92.168.10.192 collision detected, sourced by 0017-a4f9-1dfb on Ethernet1/0/8 of VLAN5 and 0011-2550-10b2 on Ethernet1/0/8 of VLAN5
%May 10 21:17:18:905 2000 Quidway ARP/5/DUPIP:- 1 -IP address 92.168.10.192 collision detected, sourced by 0017-a4f9-1dfb on Ethernet1/0/8 of VLAN5 and 0011-2550-10b2 on Ethernet1/0/8 of VLAN5

3、分析交换机给出的信息,做统计分析,列出高概率出现的MAC,上DHCP服务器上查,查到对应机器,断开网线,继续检查,直至全部清除;上面信息中“0011-2550-10b2”出现概率最高,先检查之,确实是一台中毒机器,杀毒后ARP干扰消失;
4、若使用抓包,也可以套用上面分析的特点;
5、综合使用各种手段,力争在最短的时间将ARP控制在最小的范围之内;
6、上面文字仅作抛砖,希望能引出玉来,谢谢。
发表于 2007-4-13 18:31:34 | 显示全部楼层
焦化厂ARP攻击的解决,用的基本上就是这个方法,不过命令不一样
我记得使用的是disp logbuffer察看核心交换机日志缓冲区信息和disp arp命令察看否有多个IP对应同一个MAC地址
您需要登录后才可以回帖 登录 | 注册

本版积分规则

小黑屋|手机版|Archiver|boway Inc. ( 冀ICP备10011147号 )

GMT+8, 2024-11-24 01:34 , Processed in 0.836198 second(s), 17 queries .

Powered by Discuz! X3.4

Copyright © 2001-2021, Tencent Cloud.

快速回复 返回顶部 返回列表