
Troubleshooting | Packet loss on the network from a site's access switch to the terminals

Author: 网络技术联盟站
Published 2020-06-17 11:33:14
Column: 网络技术联盟站

Switch model:

Access Switch (S2628G-I) By Ruijie Networks

Show log:

```
May  6 05:36:08: %ND_GUARD-4-PORT_ATTACKED: NS-NA DoS attack was detected on port Fa0/19.(2020-5-6 5:36:8)
*May  6 07:58:48: %ND_GUARD-4-PORT_ATTACKED: NS-NA DoS attack was detected on port Fa0/19.(2020-5-6 7:58:48)
*May  6 17:24:20: %ND_GUARD-4-PORT_ATTACKED: NS-NA DoS attack was detected on port Fa0/19.(2020-5-6 17:24:20)
*May  6 21:25:55: %ND_GUARD-4-PORT_ATTACKED: NS-NA DoS attack was detected on port Fa0/19.(2020-5-6 21:25:55)
*May  6 23:26:42: %ND_GUARD-4-PORT_ATTACKED: NS-NA DoS attack was detected on port Fa0/19.(2020-5-6 23:26:42)
```

Check port Fa0/19:

```
May  5 19:02:54: %NFPP_ARP_GUARD-4-SCAN: Host<IP=N/A,MAC=000b.abda.b5f2,port=Fa0/19,VLAN=108> was detected.(2020-5-5 18:17:46)
*May  5 19:03:24: %NFPP_ARP_GUARD-4-PORT_ATTACKED: ARP DoS attack was detected on port Fa0/19.(2020-5-5 18:17:48)
*May  5 19:03:54: %NFPP_ARP_GUARD-4-SCAN: Host<IP=172.21.1.249,MAC=0894.ef09.4b41,port=Fa0/19,VLAN=108> was detected.(2020-5-5 18:17:58)
*May  5 19:04:24: %NFPP_ARP_GUARD-4-DOS_DETECTED: Host<IP=172.21.1.249,MAC=N/A,port=Fa0/19,VLAN=108> was detected.(2020-5-5 18:17:59)
*May  5 19:04:54: %NFPP_ARP_GUARD-4-DOS_DETECTED: Host<IP=N/A,MAC=0894.ef09.4b41,port=Fa0/19,VLAN=108> was detected.(2020-5-5 18:17:59)
*May  5 19:05:24: %NFPP_ARP_GUARD-4-DOS_DETECTED: Host<IP=192.168.1.252,MAC=N/A,port=Fa0/19,VLAN=108> was detected.(2020-5-5 18:18:10)
*May  5 19:05:54: %NFPP_ARP_GUARD-4-SCAN: Host<IP=172.26.50.60,MAC=0894.ef91.ce38,port=Fa0/19,VLAN=108> was detected.(2020-5-5 18:18:25)
*May  5 19:06:24: %NFPP_ARP_GUARD-4-PORT_ATTACKED: ARP DoS attack was detected on port Fa0/19.(2020-5-5 18:18:48)
*May  5 19:06:54: %NFPP_ARP_GUARD-4-SCAN: Host<IP=172.21.1.249,MAC=0894.ef09.4b41,port=Fa0/19,VLAN=108> was detected.(2020-5-5 18:18:58)
*May  5 19:07:24: %NFPP_ARP_GUARD-4-DOS_DETECTED: Host<IP=172.21.1.249,MAC=N/A,port=Fa0/19,VLAN=108> was detected.(2020-5-5 18:18:59)
*May  5 19:07:54: %NFPP_ARP_GUARD-4-DOS_DETECTED: Host<IP=N/A,MAC=0894.ef09.4b41,port=Fa0/19,VLAN=108> was detected.(2020-5-5 18:18:59)
*May  5 19:08:24: %NFPP_ARP_GUARD-4-SCAN: Host<IP=172.26.50.60,MAC=0894.ef91.ce38,port=Fa0/19,VLAN=108> was detected.(2020-5-5 18:19:29)
*May  5 19:08:54: %NFPP_ARP_GUARD-4-PORT_ATTACKED: ARP DoS attack was detected on port Fa0/19.(2020-5-5 18:19:48)
```
Question:

How can there be this many MAC addresses behind a single port?
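To answer that from the log rather than by eye, here is an added Python example (not part of the original post) that parses the NFPP guard lines quoted above, tallies the distinct MACs, IPs and event types per port, and measures the gap between the syslog timestamp and the real-time stamp in parentheses. The sample lines are copied from the log above; the year (2020) is taken from the trailing stamp, since the syslog prefix carries none.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Lines copied from the switch log above; the year comes from the trailing real-time stamp.
SAMPLE_LOG = """\
*May  5 19:02:54: %NFPP_ARP_GUARD-4-SCAN: Host<IP=N/A,MAC=000b.abda.b5f2,port=Fa0/19,VLAN=108> was detected.(2020-5-5 18:17:46)
*May  5 19:03:24: %NFPP_ARP_GUARD-4-PORT_ATTACKED: ARP DoS attack was detected on port Fa0/19.(2020-5-5 18:17:48)
*May  5 19:03:54: %NFPP_ARP_GUARD-4-SCAN: Host<IP=172.21.1.249,MAC=0894.ef09.4b41,port=Fa0/19,VLAN=108> was detected.(2020-5-5 18:17:58)
*May  5 19:04:24: %NFPP_ARP_GUARD-4-DOS_DETECTED: Host<IP=172.21.1.249,MAC=N/A,port=Fa0/19,VLAN=108> was detected.(2020-5-5 18:17:59)
*May  5 19:05:54: %NFPP_ARP_GUARD-4-SCAN: Host<IP=172.26.50.60,MAC=0894.ef91.ce38,port=Fa0/19,VLAN=108> was detected.(2020-5-5 18:18:25)
"""
# A "*" before the timestamp marks a switch clock that is not synchronized (no NTP).
LINE_RE = re.compile(
    r"^(?P<star>\*?)(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<hms>\d\d:\d\d:\d\d): "
    r"%[A-Z0-9_]+-\d-(?P<event>[A-Z_]+): (?P<msg>.*)\((?P<real>[\d-]+ [\d:]+)\)$")
HOST_RE = re.compile(r"Host<IP=(?P<ip>[^,]+),MAC=(?P<mac>[^,]+),port=(?P<port>[^,]+),VLAN=\d+>")
PORT_RE = re.compile(r"on port (?P<port>\S+?)\.")

def parse_line(line):
    """One guard log line -> dict (event, port, ip, mac, unsynced, skew_s) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    real = datetime.strptime(m["real"], "%Y-%m-%d %H:%M:%S")
    logged = datetime.strptime(f"{real.year} {m['mon']} {m['day']} {m['hms']}", "%Y %b %d %H:%M:%S")
    h = HOST_RE.search(m["msg"]) or PORT_RE.search(m["msg"])
    rec = {"event": m["event"], "unsynced": m["star"] == "*", "port": h["port"] if h else None,
           "skew_s": int((logged - real).total_seconds()), "ip": None, "mac": None}
    if h and "mac" in h.groupdict():  # Host<...> form; "N/A" means the field is unknown
        rec["ip"], rec["mac"] = (None if h[k] == "N/A" else h[k] for k in ("ip", "mac"))
    return rec

def summarize(log_text):
    """Per port: distinct MACs and IPs, event counts, and the largest clock skew seen."""
    ports = defaultdict(lambda: {"macs": set(), "ips": set(), "events": Counter(), "max_skew_s": 0})
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if rec["port"] is None:
            continue
        p = ports[rec["port"]]
        p["events"][rec["event"]] += 1
        p["max_skew_s"] = max(p["max_skew_s"], abs(rec["skew_s"]))
        p["macs"].update(filter(None, [rec["mac"]]))
        p["ips"].update(filter(None, [rec["ip"]]))
    return dict(ports)

def suspicious_ports(summary, expected_macs=1):
    """An access port serving one terminal should show one MAC; more means a hub, an unmanaged switch or spoofed ARP senders sit behind it."""
    return sorted(p for p, s in summary.items() if len(s["macs"]) > expected_macs)
```

Running `summarize(SAMPLE_LOG)` shows three MACs and two IPs behind Fa0/19 and a skew of roughly 45 minutes between the two timestamps on every line, which is exactly what the clock check in the next step corrects.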

Check whether the time is synchronized:
The time is wrong, so set the time first:

Enter config mode

Configure the NTP server address

```
ntp server ip
```

Configure the time zone

```
clock timezone beijing 8
```

Enable IP Source Guard on the interfaces that connect users

```
Ruijie(config)#interface range fastEthernet 0/1-24
Ruijie(config-if-range)#ip verify source port-security
```

This enables source IP + MAC packet checking and writes the snooping table built by DHCP Snooping into the address binding database. Configure `ip verify source port-security` correctly and do not use `ip verify source` (which binds the IP only): some products have limitations, and binding only the IP can behave abnormally.

```
Ruijie(config-if-range)#arp-check
```

With this enabled, the Sender IP and Sender MAC fields of every ARP packet received on the interface are matched against the IP and MAC in the address binding database; a packet that matches is forwarded, otherwise the ARP packet is dropped.

View the IP address binding table

```
show ip dhcp snooping binding
```

After enabling all of this, the attack is still present:

```
%NFPP_ICMP_GUARD-4-DOS_DETECTED: Host<IP=172.16.107.?,MAC=N/A,port=Fa0/1,VLAN=100> was detected.(2020-5-7 23:50:12)
```
Check whether the switch's nfpp dhcpv6-guard feature is enabled:
```
show nfpp dhcpv6-guard summary
```

The status is enable, meaning the feature is on. Enable it on the access ports:

```
nfpp dhcpv6-guard enable
```

Configure NFPP

Enter config mode

Enter nfpp mode

```
(config-nfpp)#dhcpv6-guard rate-limit per-port 5
```

On each port, DHCPv6 packets beyond 5 per second are dropped.

Originally published 2020-06-14 on the 网络技术联盟站 WeChat public account.
