PDF《SCE 网络攻击问题及解决方法》

1.

2. 3. SCE 网络攻击问题及解决方法 目录 软硬件平台 问题描述 故障诊断步骤 经验总结 解决办法 软硬件平台 硬件平台: SCE1000 SCE2020 SCE8000 软件版本: 所有 问题描述 在客户使用SCE产品进行流量控制的时候,发现流量只是通过SCE设备,并没有被SCE事先定义好 的策略所控制,即流量失控,bypass流量现象. 症状: 第三方监控软件发现流量突然增大. 通过SCE报表,看到流量波形图变型. 客户端本来不可以访问的网站,变得可以访问. 故障诊断步骤 首先检查support file 里面的dbglog.txt文件,解压support file之后就可以看到. 或者在SCE上面执行#show logging. 下面给大家举个例子: 我们可以看到从2点14分开始,SCE检测到网络攻击,为了保护自己,它开始bypass网络攻击流量 : 2011-01-20 02:14:47 | INFO | CPU #000 | Started filtering packets of type 'UDP Fragments' received on interface #

1 (network). module # 1. Reason: Started filtering due to attack detection 2011-01-20 02:29:46 | INFO | CPU #000 | Started filtering packets of type 'UDP Fragments' received on interface #

0 (subscriber). module # 1. Reason: Started filtering due to attack detection 在持续一个小时左右后,SCE又恢复了正常,并且我们看到"no shortage events" 的信息. 说明这次bypass流量不是由于流量达到了SCE性能的极限而引起的. 2011-01-20 03:17:36 | INFO | CPU #000 | Stopped filtering packets of type 'UDP Fragments' received on interface #

0 (subscriber). module # 1. Reason: Back to normal, no shortage events 2011-01-20 03:17:36 | INFO | CPU #000 | Stopped filtering q q packets of type 'UDP Fragments' received on interface #

1 (network). module # 1. Reason: Back to normal, no shortage Events 在4点30分的时候,SCE再次检测到网络攻击,bypass流量再次开始了: 2011-01-20 04:31:40 | INFO | CPU #000 | Started filtering packets of type 'UDP' received on interface #

0 (subscriber). module # 1. Reason: Started filtering due to attack detection 2011-01-20 04:31:40 | INFO | CPU #000 | Started filtering packets of type 'TCP Non-SYN' received on interface #

0 (subscriber). module # 1. Reason: Started filtering due to attack detection 在持续一个小时左右,SCE又恢复了正常, 2011-01-20 05:34:31 | INFO | CPU #000 | Stopped filtering packets of type 'UDP' received on interface #

0 (subscriber). module # 1. Reason: Back to normal, no shortage events 2011-01-20 05:34:31 | INFO | CPU #000 | Stopped filtering packets of type 'TCP Non- SYN' received on interface #

0 (subscriber). module # 1. Reason: Back to normal, no shortage 经验总结: SCE platform有一种算法叫做Sanity check,它是SCE的内部算法,在网络攻击发生的时候用来自 我保护,当该算法检测到有可能威胁SCE正常工作的流量的时候,该算法就会被启动来过滤流量. SCE platform还跟踪每个flow的可用资源,如果可用资源利用率达到90%,SCE platform就会检测 是否有网络攻击发生,一旦流量被识别为网络攻击,就会开始过滤流量. 过滤流量的缺省时间为一个小时,经过一个小时之后,如果没有检测到网络攻击,过滤流量结束 ,SCE工作恢复正常,如果仍然能够检测到网络攻击,将继续下一个小时的流量过滤. 解决办法: SCE不是网络安全设备,我们应该将SCE放置在一个相对安全的网络环境中. 强烈建议将anomaly detaction功能开启,但是请注意,即便开启该功能,仍需将SCE放在相对安 全的网络环境中.