1、華為9306交換機(jī)ICMP包攻擊導(dǎo)致直連丟包但業(yè)務(wù)不受影響故障處理故報告故障現(xiàn)象描述與說明故障現(xiàn)象:Ping華為9306交換機(jī)的任何直連地址會丟包，經(jīng)過交換機(jī)的業(yè)務(wù)數(shù)據(jù)不受影響。現(xiàn)狀、拓?fù)渑c配置1WWW以后拆¥1&SMI3C.HJT E'J »| k rp -rt Bjt呻母1慨.HS - l Ti 址 i - <>|疑 11 e4 M 理I ! .Mrthu . !i LI 抽 di灌BDCN網(wǎng)絡(luò)拓?fù)渚W(wǎng)絡(luò)情況:華為9303交換機(jī)華為9306交換機(jī)u? jajhi Mliki ICS FRth is? Bnin 'Hm e申ID 1E1

2、Mil 虹WiNEWS一ii *FhAK AIfa 1A1 -4 Tl- M lljl TfBftH r>臺山*M4W1llrilfa 1Wih»4»LnM>tuiii 4 nUMPwliUiI U in 14MR qff ti> IP "t Hill iPIM故障現(xiàn)象及處理步驟一：1、在交換機(jī) 9306-B上通過命令 display logbuffer 查看Apr 23 2012 14:25:16 JM-SN5L-DCN-9306-2 %01QOSE/4/CPCAR_DROP_LPU(l): Some packets aredropped by

3、 cpcar on the LPU in slot 1. (Protocol=icmp, Drop-Count=0529546)Apr 23 2012 14:25:16 JM-SN5L-DCN-9306-2 %01QOSE/4/CPCAR_DROP_MPU(l): Some packets aredropped by cpcar on the MPU. (Protocol=icmp, Drop-Count=049663)Apr 23 2012 14:15:16 JM-SN5L-DCN-9306-2 %01QOSE/4/CPCAR_DROP_LPU(l): Some packets aredro

4、pped by cpcar on the LPU in slot 1. (Protocol=icmp, Drop-Count=0489843)Apr 23 2012 14:15:16 JM-SN5L-DCN-9306-2 %01QOSE/4/CPCAR_DROP_MPU(l): Some packets aredropped by cpcar on the MPU. (Protocol=icmp, Drop-Count=049826)Apr 23 2012 14:09:39 JM-SN5L-DCN-9306-2 %01HWCM/4/EXIT(l): Exit from configure mo

5、de.Apr 23 2012 14:05:16 JM-SN5L-DCN-9306-2 %01QOSE/4/CPCAR_DROP_LPU(l): Some packets aredropped by cpcar on the LPU in slot 1. (Protocol=icmp, Drop-Count=0483657)大量的icmp包到達(dá)設(shè)備后由主引擎和slot1的CPCAR進(jìn)行丟棄。2、在交換機(jī) 9306-B 上通過命令 display cpu-defend statistics all 查看CPCAR on mainboardPacket TypePass(Bytes)Drop(Byt

6、es)Pass(Packets)Drop(Packets)stp0000smart-link0000ldt0000lacp0000lldp0000dldp0000vrrp0000isis0000igmp0000pim0000rip0000ospf1406001320bgp88257011750mpls-rsvp0000mpls-ldp0000ttl-expired0000icmp118941948524911341828397807336eoam-3ah0000mpls-ping0000mpls-ttl-expired0000ntp0000ripng0000ospfv30000bgp4plus

7、0000pimv60000hotlimit0000vrrp60000mld1313001350icmpv60000telnet8007350125060ssh0000ftp0000snmp0000radius0000hw-tacacs0000tcp1405201980mpls-fib-hit0000fib-hit0000arp-miss1630202070unknown-packet0000hopbyhop0000pppoe0000bpdu-tunnel0000rrpp0000udp-helper0000CPCAR on slot 1Packet TypePass(Bytes)Drop(Byt

8、es)Pass(Packets)Drop(Packets)arp-request1196801760arp-reply44200660stp0000smart-link0000ldt0000lacp0000lldp0000dldp0000vrrp0000mpls-oam0000isis0000dhcp-client0000dhcp-server0000igmp0000pim0000rip0000ospf21229620229630bgp91561011750bfd0000mpls-rsvp0000mpls-ldp0000ttl-expired143622014530icmp1807881466

9、2206819626265699079349eoam-3ah0000eoam-1ag0000mpls-ping0000mpls-ttl-expired0000ntp00008021x0000http0000ripng0000ospfv30000bgp4plus0000pimv60000hotlimit0000vrrp60000dhcpv6-request0000dhcpv6-reply0000mld1367001350icmpv60000hvrp0000telnet853955136125532ssh0000ftp0000snmp0000radius0000hw-tacacs0000tcp13

10、39201800mpls-fib-hit0000fib-hit90000900arp-miss1703402070unknown-packet0000unknown-multicast1371734801666540hopbyhop0000pppoe0000bpdu-tunnel0000從上述很容易看出：大量的 ICMP經(jīng)交換機(jī)處理不過來從而丟棄。步驟二：在交換機(jī)9306上開啟ICMP的debug信息找出具體的攻擊源。/24 、 /24通過在交換機(jī)上執(zhí)行 debugging ip icmp ,發(fā)現(xiàn)從鶴山上來的主要有/

11、24三個網(wǎng)段的源進(jìn)行大量的icmp包。于是建議客戶要求鶴山本地關(guān)注這些網(wǎng)段的終端進(jìn)行病毒掃描處理。步驟三：業(yè)務(wù)恢復(fù)（在交換機(jī)上針對上述的三個網(wǎng)段的ICMP包進(jìn)行黑名單處理）acl number 3100rule 5 permit icmp source 55rule 10 permit icmp source 55rule 15 permit icmp source 55cpu-defend policy 1blacklist 1 acl 3100slot 1cpu-defend-policy 1處理后，icmp處理恢復(fù)正常，直連 ping也不再丟包。并且觀察了一天后，