Boway --- Cloud architecture decides cloud computing

A typical SYN FLOOD attack: troubleshooting record

Posted on 2008-6-9 15:57:51

1. Received a fault call from the user: they could not reach the Internet, and the firewall's CPU utilization had reached 99%.
2. Logged in to the firewall and found it responding very slowly. Had the user unplug the outside interface; CPU utilization immediately dropped to 0%, so we suspected an attack coming from the outside network.
3. Ran show inter outside:
SDDL-FW01(config)# sh inter outside
Interface Ethernet0 "outside", is up, line protocol is up
  Hardware is i82559, BW 100 Mbps
        Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
        MAC address 0015.63ff.6528, MTU 1500
        IP address 219.144.16.138, subnet mask 255.255.255.224
        809273569 packets input, 51885238175 bytes, 0 no buffer
        Received 13220 broadcasts, 0 runts, 0 giants
        534788 input errors, 0 CRC, 0 frame, 534788 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        20126379 packets output, 2972985791 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/205)
        output queue (curr/max blocks): hardware (0/128) software (0/119)
  Traffic Statistics for "outside":
        808912961 packets input, 40552555717 bytes
        20126379 packets output, 2653239852 bytes
        790969841 packets dropped
      1 minute input rate 6661 pkts/sec,  249879 bytes/sec
      1 minute output rate 105 pkts/sec,  68177 bytes/sec
      1 minute drop rate, 207 pkts/sec
      5 minute input rate 5593 pkts/sec,  201899 bytes/sec
      5 minute output rate 141 pkts/sec,  37577 bytes/sec
      5 minute drop rate, 530 pkts/sec
The figures looked fairly normal and the traffic volume was not large.
4. show xlate also looked normal.
5. show conn showed a great many connections to port 8888 of an externally reachable server. Asked the user, who said it was a chat-room service; suspected a DoS attack.
6. Removed the static for that port and the corresponding access-list. The firewall then worked normally, but CPU utilization still stayed above 80%.
7. Ran show inter outside again:
SDDL-FW01(config)# sh inter outside
Interface Ethernet0 "outside", is up, line protocol is up
  Hardware is i82559, BW 100 Mbps
        Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
        MAC address 0015.63ff.6528, MTU 1500
        IP address 219.144.16.138, subnet mask 255.255.255.224
        809273569 packets input, 51885238175 bytes, 0 no buffer
        Received 13220 broadcasts, 0 runts, 0 giants
        534788 input errors, 0 CRC, 0 frame, 534788 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        20126379 packets output, 2972985791 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/205)
        output queue (curr/max blocks): hardware (0/128) software (0/119)
  Traffic Statistics for "outside":
        808912961 packets input, 40552555717 bytes
        20126379 packets output, 2653239852 bytes
        790969841 packets dropped
      1 minute input rate 16661 pkts/sec,  849879 bytes/sec
      1 minute output rate 105 pkts/sec,  68177 bytes/sec
      1 minute drop rate, 16565 pkts/sec
      5 minute input rate 15593 pkts/sec,  901899 bytes/sec
      5 minute output rate 141 pkts/sec,  37577 bytes/sec
      5 minute drop rate, 15430 pkts/sec
This shows that most of the attack traffic is now being discarded at the outside interface, but the attacker's activity has not stopped.
8. Used show logg to check whether the attack was being blocked:
1: Inbound001: Inbound TCP connection denied from 176.111.15.34/62559 to 219.144.16.137/8888 flags SYN  on interface outside
%PIX-2-106001: Inbound TCP connection denied from 24.87.106.108/48221 to 219.144.16.137/8888 flags SYN  on interface outside
%PIX-2-106001: Inbound TCP connection denied from 136.28.212.113/49998 to 219.144.16.137/8888 flags SYN  on interface outside
%PIX-2-106001: Inbound TCP connection denied from 134.54.178.45/24599 to 219.144.16.137/8888 flags SYN  on interface outside
%PIX-2-106001: Inbound TCP connection denied from 154.117.111.101/53546 to 219.144.16.137/8888 flags SYN  on interface outside
%PIX-2-106001: Inbound TCP connection denied from 154.23.183.34/26976 to 219.144.16.137/8888 flags SYN  on interface outside
%PIX-2-106001: Inbound TCP connection denied from 45.120.76.16/30793 to 219.144.16.137/8888 flags SYN  on interface outside
%PIX-2-106001: Inbound TCP connection denied from 143.64.248.44/30263 to 219.144.16.137/8888 flags SYN  on interface outside
%PIX-2-106001: Inbound TCP connection denied from 192.45.93.20/34351 to 219.144.16.137/8888 flags SYN  on interface outside
%PIX-2-106001: Inbound TCP connection denied from 189.59.211.78/7692 to 219.144.16.137/8888 flags SYN  on interface outside
%PIX-2-106001: Inbound TCP connection denied from 195.11.51.77/24073 to 219.144.16.137/8888 flags SYN  on interface outside
%PIX-2-106001: Inbound TCP connection denied from 75.0.117.20/9853 to 219.144.16.137/8888 flags SYN  on interface outside
%19.144.16.137/8888 flags SYN  on interface outside
%PIX-2-106001: Inbound TCP connection denied from 147.115.175.100/4123 to 219.144.16.137/8888 flags SYN  on interface outside
%PIX-2-106001: Inbound TCP connection denied from 209.82.194.27/20301 to 219.144.16.137/8888 flags SYN  on interface outside
%PIX-2-106001: Inbound TCP connection denied from 92.43.120.11/1807 to 219.144.16.137/8888 flags SYN  on interface outside
%PIX-2-106001: Inbound TCP connection denied from 97.100.255.82/36916 to 219.144.16.137/ interface outside
%PIX-2-106001: Inbound TCP connection denied from 215.13.90.9/25965 to 219.144.16.137/8888 flags SYN  on interface outside
%PIX-2-106001: Inbound TCP connection denied from 165.25.212.67/5938 to 219.144.16.137/8888 flags SYN  on interface outside
%PIX-2-106001: Inbound TCP connection denied from 64.50.177.73/5193 to 219.144.16.137/8888 flags SYN  on interface outside
%PIX-2-106001: Inbound TCP connection denied from 12.48.55.100/59675 to 219.144.16.137/8888 flags SYN  on interface outside
%PIX-2-106001: Inbound TCP connection denied from 126.126.253.38/15484 to 219.144.16.137/8888 flags SYN  on interface outside
%PIX-2-106001: Inbound TCP connection denied from 208.12.248.127/54120 to 219.144.16.137/8888 flags SYN  on interface outside
%PIX-2-106001: Inbound TCP connection denied from 91.32.29.117/21053 to 219.144.16.137/8888 flags SYN  on interface outside
%PIX-2-106001: Inbound TCP connection denied from 104.86.87.99/56631 to 219.144.16.137/8888 flags SYN  on interface outside
%PIX-2-106001: Inbound TCP connection denied from 73.0.197.98/38009 to 219.144.16.137/8888 flags SYN  on interface outside
%PIX-2-106001: Inbound TCP connection denied from 140.12.129.59/9580 to 219.144.16.137/8888 flags SYN  on interface outside
The attack is a SYN flood. It is now being blocked outside the firewall, but because the attack has not stopped, the firewall's CPU utilization remains fairly high; it does not, however, affect normal business operation.
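As an added example (not part of the original post or of any Cisco tooling), the following Python script reproduces the two checks the post performs by eye: it parses %PIX-2-106001 denial messages and groups them by destination socket to count how many distinct sources are sending SYNs to the same target, and it parses the "1 minute" rate lines of show interface to compute what fraction of the input packet rate is being dropped. The sample log lines and interface rates are copied from the post above (including the two truncated log lines, which the parser skips); the 5-source threshold in the demo is an assumed value chosen for the small sample, not a vendor default.

```python
import re
from collections import defaultdict

# %PIX-2-106001 as shown in the post: src ip/port, dst ip/port, TCP flags, interface.
DENIED_RE = re.compile(
    r"%PIX-2-106001: Inbound TCP connection denied from "
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})/(?P<src_port>\d+) to "
    r"(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3})/(?P<dst_port>\d+) "
    r"flags (?P<flags>\S+)\s+on interface (?P<iface>\S+)"
)

# "1 minute input rate 6661 pkts/sec, ..." and "1 minute drop rate, 207 pkts/sec"
RATE_RE = re.compile(
    r"(?P<window>\d) minute (?P<kind>input|output|drop) rate,?\s+(?P<pps>\d+) pkts/sec"
)

# Log excerpt copied from the post; two lines are truncated and will not parse.
SAMPLE_LOG = """\
%PIX-2-106001: Inbound TCP connection denied from 24.87.106.108/48221 to 219.144.16.137/8888 flags SYN  on interface outside
%PIX-2-106001: Inbound TCP connection denied from 136.28.212.113/49998 to 219.144.16.137/8888 flags SYN  on interface outside
%PIX-2-106001: Inbound TCP connection denied from 134.54.178.45/24599 to 219.144.16.137/8888 flags SYN  on interface outside
%PIX-2-106001: Inbound TCP connection denied from 154.117.111.101/53546 to 219.144.16.137/8888 flags SYN  on interface outside
%PIX-2-106001: Inbound TCP connection denied from 154.23.183.34/26976 to 219.144.16.137/8888 flags SYN  on interface outside
%19.144.16.137/8888 flags SYN  on interface outside
%PIX-2-106001: Inbound TCP connection denied from 97.100.255.82/36916 to 219.144.16.137/ interface outside
%PIX-2-106001: Inbound TCP connection denied from 215.13.90.9/25965 to 219.144.16.137/8888 flags SYN  on interface outside
""".splitlines()

# Rate lines from the first and second `show inter outside` in the post.
SHOW_INTERFACE_BEFORE = """\
      1 minute input rate 6661 pkts/sec,  249879 bytes/sec
      1 minute output rate 105 pkts/sec,  68177 bytes/sec
      1 minute drop rate, 207 pkts/sec
"""
SHOW_INTERFACE_AFTER = """\
      1 minute input rate 16661 pkts/sec,  849879 bytes/sec
      1 minute output rate 105 pkts/sec,  68177 bytes/sec
      1 minute drop rate, 16565 pkts/sec
"""


def parse_denied(lines):
    """Parse 106001 lines into dicts; lines that do not match (e.g. truncated) are skipped."""
    records = []
    for line in lines:
        m = DENIED_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["src_port"] = int(rec["src_port"])
            rec["dst_port"] = int(rec["dst_port"])
            records.append(rec)
    return records


def syn_flood_candidates(records, min_sources):
    """Destination sockets receiving denied SYNs from at least min_sources distinct sources.

    A SYN flood from spoofed or distributed sources shows up as one target socket
    with many different source addresses, each typically seen only once.
    Returns [(dst_ip, dst_port, distinct_source_count), ...], most sources first.
    """
    sources = defaultdict(set)
    for r in records:
        if r["flags"] == "SYN":
            sources[(r["dst_ip"], r["dst_port"])].add(r["src_ip"])
    hits = [(ip, port, len(s)) for (ip, port), s in sources.items() if len(s) >= min_sources]
    return sorted(hits, key=lambda t: -t[2])


def parse_rates(show_interface_output):
    """Return {(window_minutes, kind): pkts_per_sec} from `show interface` text."""
    return {(int(m.group("window")), m.group("kind")): int(m.group("pps"))
            for m in RATE_RE.finditer(show_interface_output)}


def drop_fraction(rates, window=1):
    """Fraction of the input packet rate the interface is dropping in that window."""
    inp = rates[(window, "input")]
    return rates[(window, "drop")] / inp if inp else 0.0


if __name__ == "__main__":
    recs = parse_denied(SAMPLE_LOG)
    print(f"parsed {len(recs)} of {len(SAMPLE_LOG)} log lines")
    for ip, port, n in syn_flood_candidates(recs, min_sources=5):
        print(f"SYN flood candidate: {ip}:{port} from {n} distinct sources")
    for label, text in (("before", SHOW_INTERFACE_BEFORE), ("after", SHOW_INTERFACE_AFTER)):
        print(f"{label}: {drop_fraction(parse_rates(text)):.1%} of input pkts dropped")
```

Run on the post's own data, the script parses 6 of the 8 log lines, reports 219.144.16.137:8888 as the single target with 6 distinct sources, and shows the drop fraction on the outside interface rising from about 3% to over 99% once the static and access-list were removed, which is exactly the shift the author read off the two show interface captures.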