February 11 2023 9:57:02 9303-1 %%01SECE/4/SPECIFY_SIP_ATTACK(l)[412]:The specified source IP address attack occurred.(Slot=LPU1, SourceAttackIP=80.82.78.27, AttackProtocol=TCP, AttackPackets=125 packets per second)
February 11 2023 9:57:02 9303-1 %%01SECE/4/SPECIFY_SIP_ATTACK(l)[413]:The specified source IP address attack occurred.(Slot=MPU, SourceAttackIP=80.82.78.27, AttackProtocol=TCP, AttackPackets=150 packets per second)

Device under investigation

Huawei switch: S9300

Why this caught my attention

One day I noticed that the device's CPU utilization had suddenly risen and then stayed flat at the elevated level.

Basic checks: the normal day-to-day traffic showed nothing unusual.

Checking the logs turned up the messages above: several address ranges were generating frequent abnormal access (the "specified source IP address attack" events), and multiple /24 (class C) ranges were rotating through source IPs to do so.

<9303-1>display auto-defend attack-source history 
 Attack History User Table (MPU):
  ------------------------------------------------------------------------------
  AttackTime            MacAddress     IFName         Vlan:O/I  Protocol    PPS
  ------------------------------------------------------------------------------
  Attack History IP Table (MPU):
  ----------------------------------------------------------------------------
  AttackTime            IPAddress                                 Protocol
  PPS
  ----------------------------------------------------------------------------
  S:2023-02-10 23:42:46 89.248.163.36                              TCP        
  95        
  E:2023-02-10 23:49:56
  S:2023-02-10 23:45:20 80.82.70.217                               TCP        
  165       
  E:2023-02-10 23:51:27
  S:2023-02-10 23:51:14 89.248.163.59                              TCP        
  165       
  E:2023-02-10 23:58:57
  S:2023-02-10 23:59:22 103.25.30.1                                ARP        
  150       
  E:2023-02-11 00:04:26
  S:2023-02-11 00:07:02 89.248.163.209                             TCP        
  110       
  E:2023-02-11 00:12:56
  S:2023-02-11 00:15:55 89.248.163.157                             TCP        
  175       
  E:2023-02-11 00:22:06
  S:2023-02-11 01:00:16 89.248.163.209                             TCP        
  65        
  E:2023-02-11 01:05:17
  S:2023-02-11 01:12:26 89.248.163.59                              TCP        
  145       
  E:2023-02-11 01:20:07
  S:2023-02-11 01:15:04 89.248.163.36                              TCP        
  85        
  E:2023-02-11 01:20:17
  S:2023-02-11 01:38:15 89.248.163.36                              TCP        
  120       
  E:2023-02-11 01:44:17
  S:2023-02-11 01:40:13 89.248.163.59                              TCP        
  125       
  E:2023-02-11 01:47:37
  S:2023-02-11 01:50:00 89.248.163.154                             TCP        
  150       
  E:2023-02-11 01:55:57
  S:2023-02-11 02:00:45 89.248.163.36                              TCP        
  90        
  E:2023-02-11 02:07:37
  S:2023-02-11 02:06:12 89.248.163.59                              TCP        
  140       
  E:2023-02-11 02:13:57
  S:2023-02-11 02:24:46 89.248.163.36                              TCP        
  85        
  E:2023-02-11 02:31:27
  S:2023-02-11 02:36:41 89.248.163.59                              TCP        
  110       
  E:2023-02-11 02:44:17
  S:2023-02-11 03:21:55 89.248.163.157                             TCP        
  165       
  E:2023-02-11 03:27:57
  S:2023-02-11 03:36:13 89.248.163.159                             TCP        
  90        
  E:2023-02-11 03:41:47
  S:2023-02-11 04:55:50 89.248.163.157                             TCP        
  120       
  E:2023-02-11 05:02:17
  S:2023-02-11 05:43:00 89.248.165.99                              TCP        
  260       
  E:2023-02-11 05:49:27
  S:2023-02-11 05:43:23 89.248.165.246                             TCP        
  225       
  E:2023-02-11 05:50:37
  S:2023-02-11 05:44:25 89.248.165.68                              TCP        
  280       
  E:2023-02-11 05:52:07
  S:2023-02-11 06:30:53 89.248.163.150                             TCP        
  140       
  E:2023-02-11 06:36:57
  S:2023-02-11 06:40:46 89.248.163.159                             TCP        
  85        
Filter the saved output down to just the IP column, using Linux. Each entry's S: line carries the IP in field 3; matching on S: skips the wrapped PPS and E: lines, which would otherwise print as blank lines:
[root@localhost test]# awk '/^ *S:/{print $3}' test.txt
89.248.163.36
80.82.70.217
89.248.163.59
89.248.163.209
89.248.163.157
89.248.163.209
89.248.163.59
89.248.163.36
89.248.163.36
89.248.163.59
89.248.163.154
89.248.163.36
89.248.163.59
89.248.163.36
89.248.163.59
89.248.163.157
89.248.163.159
89.248.163.157
89.248.165.99
89.248.165.246
89.248.165.68
89.248.163.150
89.248.163.159
......
From this list the ranges responsible for most of the attack traffic become obvious: nearly everything is 89.248.163.0/24 and 89.248.165.0/24.

Manual intervention

Looked up a matching method on the vendor's official site:

•Configure a blacklist to stop protocol packets from specified users being sent to the CPU

When the CPCAR rate for a protocol rises abnormally, suspect that some user is sending an abnormally large volume of packets to the CPU. Capture packets to identify the characteristics of that user's traffic; if it has a fixed source IP or fixed source MAC, configure a blacklist to stop the abnormal traffic from being sent up to the CPU.

Block packets from specified fixed source IPs from being sent to the CPU

Configure the ACL that selects the sources to drop. Note that the rules are written as permit: for a cpu-defend blacklist, permit means "match", and matched packets are the ones discarded.

acl number 3400
 rule 10 permit ip source 89.248.163.0 0.0.0.255
 rule 11 permit ip source 89.248.165.0 0.0.0.255
 rule 12 permit ip source 92.63.196.0 0.0.0.255
 rule 13 permit ip source 94.102.51.0 0.0.0.255
 rule 14 permit ip source 80.82.70.0 0.0.0.255

Configure a cpu-defend policy whose blacklist references the ACL. A cpu-defend blacklist only discards packets that would be sent to the CPU; it does not filter forwarded (transit) traffic, which is fine here because the symptom is control-plane CPU load, not data-plane impact.

cpu-defend policy 1
 blacklist 1 acl 3400

Apply it globally (system view)

cpu-defend-policy 1 global
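The two manual steps above (pull the IP column out of the attack-source history, then hand-write one ACL rule per /24 for the cpu-defend blacklist) can be done in one pass. The script below is an added example, not code from the original post or from Huawei: it parses the S9300 output format shown earlier (S: line with IP and protocol, PPS wrapped onto the next line, E: line), groups TCP sources by /24 with sightings, peak PPS and total attack seconds, and drafts the same ACL and cpu-defend policy the post applies. SAMPLE is a constructed excerpt built from entries quoted on the page; the ACL number, rule numbering, policy name and the min_sightings threshold are assumptions for illustration and should be reviewed before anything is pasted into a switch.

```python
"""Summarise 'display auto-defend attack-source history' by /24 and draft
the cpu-defend blacklist ACL.  Added example, not from the original post.
ACL/policy numbers and the sighting threshold are illustrative assumptions."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the S9300 output layout quoted on the page: the PPS
# value is wrapped onto its own line; the last entry has no E: line (output
# was cut off, or the attack was still in progress).
SAMPLE = """\
  Attack History IP Table (MPU):
  ----------------------------------------------------------------------------
  AttackTime            IPAddress                                 Protocol
  PPS
  ----------------------------------------------------------------------------
  S:2023-02-10 23:42:46 89.248.163.36                              TCP
  95
  E:2023-02-10 23:49:56
  S:2023-02-10 23:45:20 80.82.70.217                               TCP
  165
  E:2023-02-10 23:51:27
  S:2023-02-10 23:59:22 103.25.30.1                                ARP
  150
  E:2023-02-11 00:04:26
  S:2023-02-11 01:12:26 89.248.163.59                              TCP
  145
  E:2023-02-11 01:20:07
  S:2023-02-11 05:43:00 89.248.165.99                              TCP
  260
  E:2023-02-11 05:49:27
  S:2023-02-11 06:40:46 89.248.163.159                             TCP
  85
"""

START_RE = re.compile(r"^\s*S:(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\S+)\s+(\S+)\s*$")
END_RE = re.compile(r"^\s*E:(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s*$")
TS = "%Y-%m-%d %H:%M:%S"


def parse_history(text):
    """Return one dict per entry: ip, protocol, pps, start, end (end may be None)."""
    entries, cur = [], None
    for line in text.splitlines():
        m = START_RE.match(line)
        if m:
            cur = {"start": datetime.strptime(m.group(1), TS), "ip": m.group(2),
                   "protocol": m.group(3), "pps": None, "end": None}
            entries.append(cur)
            continue
        stripped = line.strip()
        if cur is not None and cur["pps"] is None and stripped.isdigit():
            cur["pps"] = int(stripped)          # wrapped PPS column
            continue
        m = END_RE.match(line)
        if m and cur is not None:
            cur["end"] = datetime.strptime(m.group(1), TS)
            cur = None
    return entries


def summarise_by_prefix(entries, prefixlen=24, protocol="TCP"):
    """Group entries by source /prefixlen: sightings, peak PPS, attack seconds.

    Non-matching protocols (the ARP entry here) are left out so that a
    single unrelated ARP hit does not end up in the blacklist."""
    agg = defaultdict(lambda: {"sightings": 0, "peak_pps": 0, "seconds": 0})
    for e in entries:
        if protocol and e["protocol"] != protocol:
            continue
        net = ipaddress.ip_network(f"{e['ip']}/{prefixlen}", strict=False)
        a = agg[str(net)]
        a["sightings"] += 1
        a["peak_pps"] = max(a["peak_pps"], e["pps"] or 0)
        if e["end"] is not None:
            a["seconds"] += int((e["end"] - e["start"]).total_seconds())
    return dict(sorted(agg.items(), key=lambda kv: -kv[1]["sightings"]))


def draft_blacklist(summary, min_sightings=2, acl=3400, policy=1):
    """Render the VRP config the post applies.  For a cpu-defend blacklist a
    'permit' rule means match-and-drop.  Only blocks seen at least
    min_sightings times are included (assumed threshold)."""
    lines, rule = [f"acl number {acl}"], 10
    for net, a in summary.items():
        if a["sightings"] < min_sightings:
            continue
        n = ipaddress.ip_network(net)
        lines.append(f" rule {rule} permit ip source {n.network_address} {n.hostmask}")
        rule += 1
    lines += [f"cpu-defend policy {policy}", f" blacklist 1 acl {acl}",
              f"cpu-defend-policy {policy} global"]
    return "\n".join(lines)


if __name__ == "__main__":
    summary = summarise_by_prefix(parse_history(SAMPLE))
    for net, a in summary.items():
        print(f"{net:18} sightings={a['sightings']:2} peak_pps={a['peak_pps']:3} "
              f"seconds={a['seconds']}")
    print(draft_blacklist(summary))
```

Run it against a file saved from the real `display auto-defend attack-source history` output by replacing SAMPLE with the file contents. The threshold exists because the history also records one-off sources (and the ARP entry), and blacklisting a whole /24 on a single sighting is a heavier hammer than the evidence supports.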

Observe after a while

CPU utilization came down (confirm with display cpu-usage rather than relying on the graph alone).

I found a similar graph to show here; the one from the time was not saved.

[Image: log excerpt, The specified source IP address attack occurred.(Slot=LPU1, SourceAttackIP=80.82.78.27, AttackProtocol=TCP ...)]