A record of handling a typical SYN flood attack
1. Received a fault call from the user: the Internet was unreachable and the firewall's CPU utilization had reached 99%.
2. Logged in to the firewall and found it responding very slowly. Had the user unplug the outside interface, and CPU utilization dropped to 0% immediately, so an attack from the outside network was suspected.
3. Ran show inter outside:
SDDL-FW01(config)# sh inter outside
Interface Ethernet0 "outside", is up, line protocol is up
Hardware is i82559, BW 100 Mbps
Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
MAC address 0015.63ff.6528, MTU 1500
IP address 219.144.16.138, subnet mask 255.255.255.224
809273569 packets input, 51885238175 bytes, 0 no buffer
Received 13220 broadcasts, 0 runts, 0 giants
534788 input errors, 0 CRC, 0 frame, 534788 overrun, 0 ignored, 0 abort
0 L2 decode drops
20126379 packets output, 2972985791 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/205)
output queue (curr/max blocks): hardware (0/128) software (0/119)
Traffic Statistics for "outside":
808912961 packets input, 40552555717 bytes
20126379 packets output, 2653239852 bytes
790969841 packets dropped
1 minute input rate 6661 pkts/sec, 249879 bytes/sec
1 minute output rate 105 pkts/sec, 68177 bytes/sec
1 minute drop rate, 207 pkts/sec
5 minute input rate 5593 pkts/sec, 201899 bytes/sec
5 minute output rate 141 pkts/sec, 37577 bytes/sec
5 minute drop rate, 530 pkts/sec
This looked fairly normal; the traffic volume was not large.
4. show xlate also looked normal.
5. show conn showed a large number of connections to port 8888 of a server published on the outside interface. Asked the user; it was a chat-room service. A DoS attack was suspected.
6. Removed the static for that port and the corresponding access-list. The firewall then worked normally, but CPU utilization stayed above 80%.
7. Ran show inter outside again:
SDDL-FW01(config)# sh inter outside
Interface Ethernet0 "outside", is up, line protocol is up
Hardware is i82559, BW 100 Mbps
Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
MAC address 0015.63ff.6528, MTU 1500
IP address 219.144.16.138, subnet mask 255.255.255.224
809273569 packets input, 51885238175 bytes, 0 no buffer
Received 13220 broadcasts, 0 runts, 0 giants
534788 input errors, 0 CRC, 0 frame, 534788 overrun, 0 ignored, 0 abort
0 L2 decode drops
20126379 packets output, 2972985791 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/205)
output queue (curr/max blocks): hardware (0/128) software (0/119)
Traffic Statistics for "outside":
808912961 packets input, 40552555717 bytes
20126379 packets output, 2653239852 bytes
790969841 packets dropped
1 minute input rate 16661 pkts/sec, 849879 bytes/sec
1 minute output rate 105 pkts/sec, 68177 bytes/sec
1 minute drop rate, 16565 pkts/sec
5 minute input rate 15593 pkts/sec, 901899 bytes/sec
5 minute output rate 141 pkts/sec, 37577 bytes/sec
5 minute drop rate, 15430 pkts/sec
This shows that most of the attack traffic is now being dropped at the outside interface, but the attacker's activity has not stopped.
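The difference between the two snapshots is the ratio of drop rate to input rate, not the raw packet count. The following added example (not part of the original record) parses the rate lines of PIX show interface output and flags an interface that is dropping most of what it receives; the two inputs are the rate lines from steps 3 and 7 above.

```python
import re

# Matches the rate lines of PIX "show interface" output, e.g.
#   "1 minute input rate 16661 pkts/sec, 849879 bytes/sec"
#   "1 minute drop rate, 16565 pkts/sec"
RATE_RE = re.compile(r"^(?P<window>\d+) minute (?P<kind>input|output|drop) rate,?\s+(?P<pps>\d+) pkts/sec")

def parse_rates(show_output):
    """Return {window_minutes: {"input": pps, "output": pps, "drop": pps}}."""
    rates = {}
    for line in show_output.splitlines():
        m = RATE_RE.match(line.strip())
        if m:
            window = int(m.group("window"))
            rates.setdefault(window, {})[m.group("kind")] = int(m.group("pps"))
    return rates

def drop_fraction(rates, window=1):
    """Share of inbound packets per second that the interface is dropping."""
    r = rates[window]
    return r["drop"] / r["input"] if r.get("input") else 0.0

def flood_suspected(show_output, threshold=0.5):
    """True when most inbound traffic on the interface is being dropped:
    the firewall is absorbing the traffic rather than forwarding it."""
    return drop_fraction(parse_rates(show_output)) >= threshold

# Rate lines from the two snapshots in the record above (step 3 and step 7).
STEP3_RATES = """\
1 minute input rate 6661 pkts/sec, 249879 bytes/sec
1 minute output rate 105 pkts/sec, 68177 bytes/sec
1 minute drop rate, 207 pkts/sec
5 minute input rate 5593 pkts/sec, 201899 bytes/sec
5 minute output rate 141 pkts/sec, 37577 bytes/sec
5 minute drop rate, 530 pkts/sec
"""
STEP7_RATES = """\
1 minute input rate 16661 pkts/sec, 849879 bytes/sec
1 minute output rate 105 pkts/sec, 68177 bytes/sec
1 minute drop rate, 16565 pkts/sec
5 minute input rate 15593 pkts/sec, 901899 bytes/sec
5 minute output rate 141 pkts/sec, 37577 bytes/sec
5 minute drop rate, 15430 pkts/sec
"""

if __name__ == "__main__":
    for name, out in (("step 3", STEP3_RATES), ("step 7", STEP7_RATES)):
        print(name, f"drop fraction {drop_fraction(parse_rates(out)):.1%}",
              "flood suspected" if flood_suspected(out) else "normal")
```

Step 3 drops about 3% of inbound packets; step 7 drops about 99%, which is the signature of an attack being absorbed at the edge.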
8. Ran show logg to check whether the attack was being blocked:
1: Inbound001: Inbound TCP connection denied from 176.111.15.34/62559 to 219.144.16.137/8888 flags SYN on interface outside
%PIX-2-106001: Inbound TCP connection denied from 24.87.106.108/48221 to 219.144.16.137/8888 flags SYN on interface outside
%PIX-2-106001: Inbound TCP connection denied from 136.28.212.113/49998 to 219.144.16.137/8888 flags SYN on interface outside
%PIX-2-106001: Inbound TCP connection denied from 134.54.178.45/24599 to 219.144.16.137/8888 flags SYN on interface outside
%PIX-2-106001: Inbound TCP connection denied from 154.117.111.101/53546 to 219.144.16.137/8888 flags SYN on interface outside
%PIX-2-106001: Inbound TCP connection denied from 154.23.183.34/26976 to 219.144.16.137/8888 flags SYN on interface outside
%PIX-2-106001: Inbound TCP connection denied from 45.120.76.16/30793 to 219.144.16.137/8888 flags SYN on interface outside
%PIX-2-106001: Inbound TCP connection denied from 143.64.248.44/30263 to 219.144.16.137/8888 flags SYN on interface outside
%PIX-2-106001: Inbound TCP connection denied from 192.45.93.20/34351 to 219.144.16.137/8888 flags SYN on interface outside
%PIX-2-106001: Inbound TCP connection denied from 189.59.211.78/7692 to 219.144.16.137/8888 flags SYN on interface outside
%PIX-2-106001: Inbound TCP connection denied from 195.11.51.77/24073 to 219.144.16.137/8888 flags SYN on interface outside
%PIX-2-106001: Inbound TCP connection denied from 75.0.117.20/9853 to 219.144.16.137/8888 flags SYN on interface outside
%PIX-2-106001: Inbound TCP connection denied from 147.115.175.100/4123 to 219.144.16.137/8888 flags SYN on interface outside
%PIX-2-106001: Inbound TCP connection denied from 209.82.194.27/20301 to 219.144.16.137/8888 flags SYN on interface outside
%PIX-2-106001: Inbound TCP connection denied from 92.43.120.11/1807 to 219.144.16.137/8888 flags SYN on interface outside
%PIX-2-106001: Inbound TCP connection denied from 97.100.255.82/36916 to 219.144.16.137/ interface outside
%PIX-2-106001: Inbound TCP connection denied from 215.13.90.9/25965 to 219.144.16.137/8888 flags SYN on interface outside
%PIX-2-106001: Inbound TCP connection denied from 165.25.212.67/5938 to 219.144.16.137/8888 flags SYN on interface outside
%PIX-2-106001: Inbound TCP connection denied from 64.50.177.73/5193 to 219.144.16.137/8888 flags SYN on interface outside
%PIX-2-106001: Inbound TCP connection denied from 12.48.55.100/59675 to 219.144.16.137/8888 flags SYN on interface outside
%PIX-2-106001: Inbound TCP connection denied from 126.126.253.38/15484 to 219.144.16.137/8888 flags SYN on interface outside
%PIX-2-106001: Inbound TCP connection denied from 208.12.248.127/54120 to 219.144.16.137/8888 flags SYN on interface outside
%PIX-2-106001: Inbound TCP connection denied from 91.32.29.117/21053 to 219.144.16.137/8888 flags SYN on interface outside
%PIX-2-106001: Inbound TCP connection denied from 104.86.87.99/56631 to 219.144.16.137/8888 flags SYN on interface outside
%PIX-2-106001: Inbound TCP connection denied from 73.0.197.98/38009 to 219.144.16.137/8888 flags SYN on interface outside
%PIX-2-106001: Inbound TCP connection denied from 140.12.129.59/9580 to 219.144.16.137/8888 flags SYN on interface outside
This is a SYN flood attack. The attack is now being blocked outside the firewall, but it has not stopped, so the firewall's CPU utilization remains fairly high; normal business traffic is not affected, however.
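The conclusion rests on the pattern visible in the log: many different source addresses, one destination ip:port, every denial a bare SYN. The following added example (not part of the original record) parses %PIX-2-106001 lines and reports any target hit by that pattern; its sample input is a few lines copied from the show logging output above, the truncated line from the same output, and one constructed non-SYN denial.

```python
import re
from collections import defaultdict

# Message 106001: an inbound TCP connection denied by the interface ACL.
LOG_RE = re.compile(
    r"%PIX-2-106001: Inbound TCP connection denied from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>\S+) on interface (?P<iface>\S+)"
)

def parse_106001(lines):
    """Yield one dict per well-formed 106001 line; truncated lines are skipped."""
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            yield m.groupdict()

def syn_flood_targets(lines, min_sources=5):
    """Group denied SYNs by destination ip:port and report the targets hit by
    at least min_sources distinct source addresses: many sources, one target,
    SYN only, which is the pattern in the record above."""
    sources = defaultdict(set)
    for ev in parse_106001(lines):
        if ev["flags"] == "SYN":
            sources[(ev["dst"], ev["dport"])].add(ev["src"])
    return {t: len(s) for t, s in sources.items() if len(s) >= min_sources}

# Sample input: six lines copied from the show logging output above, the
# truncated line from the same output, and one constructed non-SYN denial.
SAMPLE_LOG = [
    "%PIX-2-106001: Inbound TCP connection denied from 24.87.106.108/48221 to 219.144.16.137/8888 flags SYN on interface outside",
    "%PIX-2-106001: Inbound TCP connection denied from 136.28.212.113/49998 to 219.144.16.137/8888 flags SYN on interface outside",
    "%PIX-2-106001: Inbound TCP connection denied from 134.54.178.45/24599 to 219.144.16.137/8888 flags SYN on interface outside",
    "%PIX-2-106001: Inbound TCP connection denied from 154.117.111.101/53546 to 219.144.16.137/8888 flags SYN on interface outside",
    "%PIX-2-106001: Inbound TCP connection denied from 154.23.183.34/26976 to 219.144.16.137/8888 flags SYN on interface outside",
    "%PIX-2-106001: Inbound TCP connection denied from 45.120.76.16/30793 to 219.144.16.137/8888 flags SYN on interface outside",
    "%PIX-2-106001: Inbound TCP connection denied from 97.100.255.82/36916 to 219.144.16.137/ interface outside",
    # constructed: a single non-SYN denial to another port, must not be flagged
    "%PIX-2-106001: Inbound TCP connection denied from 203.0.113.7/40001 to 219.144.16.137/443 flags ACK on interface outside",
]

if __name__ == "__main__":
    for (dst, dport), n in syn_flood_targets(SAMPLE_LOG).items():
        print(f"possible SYN flood: {n} distinct sources -> {dst}:{dport}")
```

On a real syslog feed the threshold should be tuned per window (for example, distinct sources per minute) so that a busy but legitimate service is not reported.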