Huawei router ARP attack solution

Published 2022-01-20

# ARP attacks in the private network cause users' Internet access to drop intermittently

- Run the `display logbuffer` command to check the device's running log and see whether ARP protocol packets are being dropped because the CPU rate limit (CPCAR) was exceeded.

```
display logbuffer
Sep 9 2014 16:01:55+00:00 Huawei %%01SECE/4/PORT_ATTACK(l)[0]:Port attack occurred.(Slot=MPU, SourceAttackInterface=GigabitEthernet0/0/0, OuterVlan/InnerVlan=0/0, AttackPackets=64 packets per second)
Sep 9 2014 16:01:54+00:00 Huawei %%01DEFD/4/CPCAR_DROP_MPU(l)[1]:Some packets are dropped by cpcar on the MPU. (Packet-type=arp-miss, Drop-Count=770)
Sep 9 2014 16:01:54+00:00 Huawei %%01DEFD/4/CPCAR_DROP_MPU(l)[2]:Some packets are dropped by cpcar on the MPU. (Packet-type=arp-request, Drop-Count=3458)
```

- If the log shows ARP packets being dropped, suspect an ARP attack in the private network connected to the device. At this point, configure the attack source tracing (auto-defend) function on the device to investigate further.

```
system-view
[Huawei] cpu-defend policy 1
[Huawei-cpu-defend-policy-1] auto-defend enable
[Huawei-cpu-defend-policy-1] auto-defend threshold 40 // adjust as appropriate; do not set it too low
[Huawei-cpu-defend-policy-1] auto-defend attack-packet sample 5
[Huawei-cpu-defend-policy-1] auto-defend protocol all
[Huawei-cpu-defend-policy-1] auto-defend trace-type source-ip source-mac source-portvlan
[Huawei-cpu-defend-policy-1] auto-defend alarm enable
[Huawei-cpu-defend-policy-1] quit
[Huawei] cpu-defend-policy 1
[Huawei] cpu-defend-policy 1 global
```

- Once attack source tracing is configured, when the network behaves abnormally run the `display auto-defend attack-source` command on the device to confirm whether an ARP attack is present.

```
[Huawei] display auto-defend attack-source
Attack Source User Table:
-------------------------------------------------------------------------
MacAddress        InterfaceName          Vlan:Outer/Inner   TOTAL
-------------------------------------------------------------------------
xxxx-xxxx-xxxx    GigabitEthernet0/0/1   0                  368
yyyy-yyyy-yyyy    GigabitEthernet0/0/0   0                  7152
-------------------------------------------------------------------------
Total: 2

Attack Source Port Table:
-----------------------------------------------------
InterfaceName          Vlan:Outer/Inner   TOTAL
-----------------------------------------------------
GigabitEthernet0/0/1   0                  368
GigabitEthernet0/0/0   0                  23472
-----------------------------------------------------
Total: 2

Attack Source IP Table:
-------------------------------------
IPAddress         TOTAL Packets
-------------------------------------
x.x.x.x           368
y.y.y.y           7152
-------------------------------------
Total: 2
```

- As shown above, the user in the private network with source IP address y.y.y.y and source MAC yyyy-yyyy-yyyy has sent a large number of attack packets (in this example GE0/0/1 is the public-network interface; its packet count grows only slightly and can be ignored). Starting from the attacked port GE0/0/0, trace downstream layer by layer to locate the attacking user, run antivirus software on that host, and the fault is resolved.

- If the attacking user cannot be located, configure an ACL on the device's private-network interface GE0/0/0 to filter Layer 2 ARP traffic, denying packets with source MAC address yyyy-yyyy-yyyy from passing through the private-network interface, which resolves the fault.

```
[Huawei] acl number 4444
[Huawei-acl-L2-4444] rule 5 deny l2-protocol arp source-mac yyyy-yyyy-yyyy
[Huawei-acl-L2-4444] quit
[Huawei] interface gigabitethernet 0/0/0
[Huawei-GigabitEthernet0/0/0] traffic-filter inbound acl 4444
[Huawei-GigabitEthernet0/0/0] quit
[Huawei] quit
```
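As an added example (not code from the original post), a small Python helper that applies the checks above to text captured from the two display commands: it sums the CPCAR drop counters for ARP packet types in `display logbuffer` output, picks the heavy senders on the private-network interface from the `display auto-defend attack-source` user table, and emits the page's ACL lines for the MAC it finds. The sample output is constructed in the page's format; the 1000-packet threshold and the regexes are my assumptions.

```python
import re
# Constructed sample lines in the format of the page's `display logbuffer` output.
LOGBUFFER = """\
Sep 9 2014 16:01:55+00:00 Huawei %%01SECE/4/PORT_ATTACK(l)[0]:Port attack occurred.(Slot=MPU, SourceAttackInterface=GigabitEthernet0/0/0, OuterVlan/InnerVlan=0/0, AttackPackets=64 packets per second)
Sep 9 2014 16:01:54+00:00 Huawei %%01DEFD/4/CPCAR_DROP_MPU(l)[1]:Some packets are dropped by cpcar on the MPU. (Packet-type=arp-miss, Drop-Count=770)
Sep 9 2014 16:01:54+00:00 Huawei %%01DEFD/4/CPCAR_DROP_MPU(l)[2]:Some packets are dropped by cpcar on the MPU. (Packet-type=arp-request, Drop-Count=3458)
Sep 9 2014 16:01:50+00:00 Huawei %%01DEFD/4/CPCAR_DROP_MPU(l)[3]:Some packets are dropped by cpcar on the MPU. (Packet-type=icmp, Drop-Count=12)
"""
# Constructed sample of the "Attack Source User Table" from `display auto-defend attack-source`.
ATTACK_SOURCE = """\
Attack Source User Table:
-------------------------------------------------------------------------
MacAddress        InterfaceName          Vlan:Outer/Inner   TOTAL
-------------------------------------------------------------------------
xxxx-xxxx-xxxx    GigabitEthernet0/0/1   0                  368
yyyy-yyyy-yyyy    GigabitEthernet0/0/0   0                  7152
-------------------------------------------------------------------------
Total: 2
"""
CPCAR_RE = re.compile(r"CPCAR_DROP_MPU.*Packet-type=([\w-]+), Drop-Count=(\d+)")
USER_ROW_RE = re.compile(r"^(\w{4}-\w{4}-\w{4})\s+(\S+)\s+\S+\s+(\d+)\s*$")

def arp_cpcar_drops(logbuffer):
    """Sum CPCAR drop counts per ARP packet type; a non-empty result is the page's first symptom."""
    drops = {}
    for line in logbuffer.splitlines():
        m = CPCAR_RE.search(line)
        if m and m.group(1).startswith("arp"):
            drops[m.group(1)] = drops.get(m.group(1), 0) + int(m.group(2))
    return drops

def attack_sources(table, private_iface, min_total=1000):
    """(mac, total) rows seen on the private-network interface with at least min_total packets,
    largest first. Rows on other interfaces (e.g. the public uplink GE0/0/1) are ignored."""
    rows = []
    for line in table.splitlines():
        m = USER_ROW_RE.match(line)
        if m and m.group(2) == private_iface and int(m.group(3)) >= min_total:
            rows.append((m.group(1), int(m.group(3))))
    return sorted(rows, key=lambda r: r[1], reverse=True)

def acl_filter_commands(mac, iface, acl_number=4444):
    """The page's fallback: Layer 2 ACL lines that deny ARP from the identified source MAC."""
    return [f"acl number {acl_number}", f"rule 5 deny l2-protocol arp source-mac {mac}", "quit",
            f"interface {iface}", f"traffic-filter inbound acl {acl_number}", "quit"]

if __name__ == "__main__":
    print(arp_cpcar_drops(LOGBUFFER), attack_sources(ATTACK_SOURCE, "GigabitEthernet0/0/0"))
```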