CPU过高之内网流量型攻击---如何找出这台内网PC

[ 1728 查看 / 9 回复 ]

返回列表
发新话题 回复该主题
rgrg绿色水果
头像

rgrg绿色水果

  • 超级版主
  • 1349
  • 4688
  • 2007-01-10
2010-05-14 10:56 |只看楼主 1#
t T
此例子是比较典型的内网PC全网中毒,中毒后的现象是一直往外网发包。导致内网口被堵满。• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
故障现象:CPU 90%以上、PING内网网关丢包严重、面板上繁忙饱和正常空闲四个个灯全亮• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
通过配置线登录,收集信息。信息收集可以参考以下链接地址:• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
http://support.ruijie.com.cn/showtopic-19267.aspx• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
如何通过收集的信息来查看是哪台PC上行流量过大导致路由器CPU高。一般只需要看三个地方,一个是内网口、一个是外网接口的发送流量,最后一个是每台PC的上行及下行的流量。• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
内网口的接收流量,也就是G0/0接口的input流量,是否与G0/1接口的output(发送流量)流量差别很大,如果差了5M以上,那么就需要进一步查看是哪台PC的上行流量偏高导致这两个数值差据了5M以上。• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
查看每台PC的上行及下行流量命令:sh ip f o all,总共有五列,• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
第一列为IP;• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
第二列为通过路由器限速后的上行流量;• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
第三列为通过路由器限速后的下行流量;• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
第四列为PC真实需要的上行流量;• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
第五列为PC真实需要的下行流量。• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
可以看下以下收集的某客户信息,内网口G0/0接口input流量为86M左右,G0/1口的output流量只有17M,这个数据可能得知,咱内网有PC在进行上行流量攻击。• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
我们再找出是哪几台PC的上行流量过大导致的,通过sh ip f o all,发现第四列有非常多PC需要高上行带宽的。那么将这几台PC关闭掉后。网络正常。• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
NBR2000#sh int• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
========================== FastEthernet 0/2 ========================• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
FastEthernet 0/2 is DOWN  , line protocol is DOWN• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
Hardware is PQ3 FCC FAST ETHERNET CONTROLLER FastEthernet, address is 001a.a941.• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
f512 (bia 001a.a941.f512)• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
Interface address is: no ip address• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
ARP type: ARPA,ARP Timeout: 3600 seconds• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
  MTU 1500 bytes, BW 100000 Kbit• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
  Encapsulation protocol is Ethernet-II, loopback not set• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
  Keepalive interval is 10 sec , set• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
  Carrier delay is 2 sec• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
  RXload is 1 ,Txload is 1• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
  Queueing strategy: FIFO• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
    Output queue 0/40, 0 drops;• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
    Input queue 0/75, 0 drops• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
  5 seconds input rate 0 bits/sec, 0 packets/sec• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
  5 seconds output rate 0 bits/sec, 0 packets/sec• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
    0 packets input, 0 bytes, 0 res lack, 0 no buffer,0 dropped• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
    Received 0 broadcasts, 0 runts, 0 giants• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 abort• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
    0 packets output, 0 bytes, 0 underruns,0 dropped• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
    0 output errors, 0 collisions, 0 interface resets• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
========================== Null 0 ========================• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
Null 0 is UP  , line protocol is UP• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
Hardware is  Null• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
Interface address is: no ip address• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
  MTU 1500 bytes, BW 8000000 Kbit• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
  Encapsulation protocol is NULL, loopback not set• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
  Keepalive interval is 0 sec , no set• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
  Carrier delay is 2 sec• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
  RXload is 1 ,Txload is 1• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
  Queueing strategy: FIFO• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
    Output queue 0/40, 0 drops;• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
    Input queue 0/75, 0 drops• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
  5 seconds input rate 0 bits/sec, 0 packets/sec• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
  5 seconds output rate 0 bits/sec, 0 packets/sec• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
    0 packets input, 0 bytes, 0 res lack, 0 no buffer,0 dropped• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
    Received 0 broadcasts, 0 runts, 0 giants• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 abort• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
    0 packets output, 0 bytes, 0 underruns,0 dropped• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
    0 output errors, 0 collisions, 0 interface resets• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
========================== GigabitEthernet 0/0 ========================• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
GigabitEthernet 0/0 is UP  , line protocol is UP• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
Hardware is PQ3 TSEC GIGABIT ETHERNET CONTR GigabitEthernet, address is 001a.a94• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
1.f510 (bia 001a.a941.f510)• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
Interface address is: 192.168.1.1/24• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
ARP type: ARPA,ARP Timeout: 3600 seconds• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
  MTU 1500 bytes, BW 50000 Kbit• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
  Encapsulation protocol is Ethernet-II, loopback not set• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
  Keepalive interval is 10 sec , set• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
  Carrier delay is 2 sec• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
  RXload is 261 ,Txload is 1• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
  Queueing strategy: FIFO• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
    Output queue 0/40, 0 drops;• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
    Input queue 0/75, 0 drops• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
  5 seconds input rate 864643768 bits/sec, 101582 packets/sec• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
  5 seconds output rate 1455736 bits/sec, 269 packets/sec• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
    128102811 packets input, 3028722988 bytes, 5 res lack, 0 no buffer,0 dropped• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
    Received 3534 broadcasts, 0 runts, 0 giants• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
    5 input errors, 0 CRC, 0 frame, 0 overrun, 0 abort• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
    505431 packets output, 375864815 bytes, 0 underruns,0 dropped• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
    0 output errors, 0 collisions, 0 interface resets• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
  Link Mode: 1000M/Full-Duplex• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
  Output flowcontrol is off;Input flowcontrol is off.• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
========================== GigabitEthernet 0/1 ========================• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
GigabitEthernet 0/1 is UP  , line protocol is UP• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
Hardware is PQ3 TSEC GIGABIT ETHERNET CONTR GigabitEthernet, address is 001a.a94• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
1.f511 (bia 001a.a941.f511)• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
Interface address is: 222.77.33.2/30• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
ARP type: ARPA,ARP Timeout: 3600 seconds• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
  MTU 1500 bytes, BW 1000000 Kbit• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
  Encapsulation protocol is Ethernet-II, loopback not set• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
  Keepalive interval is 10 sec , set• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
  Carrier delay is 2 sec• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
  RXload is 1 ,Txload is 1• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
  Queueing strategy: FIFO• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
    Output queue 0/40, 0 drops;• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
    Input queue 0/75, 0 drops• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
  5 seconds input rate 1727584 bits/sec, 252 packets/sec• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
  5 seconds output rate 1700152 bits/sec, 362 packets/sec• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
    469021 packets input, 425669196 bytes, 0 res lack, 0 no buffer,0 dropped• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
    Received 0 broadcasts, 0 runts, 0 giants• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 abort• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
    603586 packets output, 311332012 bytes, 0 underruns,0 dropped• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
    0 output errors, 0 collisions, 0 interface resets• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
  Link Mode: 100M/Full-Duplex• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
  Output flowcontrol is off;Input flowcontrol is off.• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
NBR2000#• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
NBR2000#sh ip f o all• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
Inner Network Online User:15• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
Total inbound original flowrate:888133 Kbps, Inner Network after rate-limit:1947• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
Kbps• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
Total outbound original flowrate:1613 Kbps, Inner Network after rate-limit:1403• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
Kbps• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
IP              Inbound(kb/s)  Outbound(kb/s)  Receive_IN(kb/s)  Receive_OUT(kb• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
/s)• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
Total            1947          1403            888133            1613• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
================================================================================• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
===• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
To-Router-Local                                9                3• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
192.168.1.8      246            999            246              1087• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
192.168.1.4      99            400            109              519• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
192.168.1.123    199            2              59759            2• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
192.168.1.17    200            1              58080            1• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
192.168.1.70    201            1              63442            1• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
192.168.1.10    0              0              0                0• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
192.168.1.6      0              0              0                0• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
192.168.1.88    201            0              66300            0• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
192.168.1.62    201            0              228724            0• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
192.168.1.45    201            0              118725            0• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
192.168.1.5      0              0              0                0• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
192.168.1.21    200            0              223287            0• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
192.168.1.7      0              0              0                0• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
192.168.1.9      0              0              0                0• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
192.168.1.89    199            0              69452            0• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
NBR2000#• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
最后编辑rgrg绿色水果 最后编辑于 2010-05-14 11:04:30
本主题由 超级版主 rgrg绿色水果 于 2010-5-14 11:07:44 执行 移动主题 操作
分享 转发
TOP
老斑马
头像

老斑马

  • 超级版主
  • 240
  • 1023
  • 2009-09-30
2010-05-14 11:07 |只看该用户 2#
t T

好贴!• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
TOP
乌卡卡
头像

乌卡卡

  • 超级版主
  • 37
  • 260
  • 2009-12-25
2010-05-14 11:10 |只看该用户 3#
t T

• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
TOP
yujiewuhan
头像

yujiewuhan

  • 金牌会员
  • 113
  • 2437
  • 2010-03-02
2010-05-14 12:14 |只看该用户 4#
t T

学习!!!!• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
TOP
hululu
头像

hululu

  • 超级版主
  • 22
  • 132
  • 2010-04-14
2010-05-14 14:23 |只看该用户 5#
t T

• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
牛人的牛贴..• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
TOP
jgh4433_2008
头像

jgh4433_2008

  • 中级会员
  • 34
  • 364
  • 2008-03-29
2010-05-27 11:38 |只看该用户 6#
t T

我想向LZ请教一下,GigabitEthernet 0/0(Input与Output)和GigabitEthernet 0/1(Input与Output),内网口Input方向是指流入PC的方向,外网口Output方向是指访问外网的数据流量,这两个接口数据关联在一起是什么意思呢?• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
TOP
cdmufeng130
头像

  • 新手上路
  • 2
  • 37
  • 2010-05-28
2010-05-28 20:10 |只看该用户 7#
t T

好东西,我刚才正在发帖子找这个命令呢,呵呵,顶了,谢谢• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
TOP
super
头像

super

  • 版主
  • 1792
  • 7336
  • 2006-04-17
2010-06-08 22:12 |只看该用户 8#
t T

内网口G0/0接口input流量为86M左右,G0/1口的output流量只有17M• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
GigabitEthernet 0/0• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
5 seconds input rate 864643768 bits/sec, 101582 packets/sec • îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
5 seconds output rate 1455736 bits/sec, 269 packets/sec • îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
GigabitEthernet 0/1 :• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
5 seconds input rate 1727584 bits/sec, 252 packets/sec • îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
5 seconds output rate 1700152 bits/sec, 362 packets/sec • îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
数值不对吧?• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
TOP
rgrg绿色水果
头像

rgrg绿色水果

  • 超级版主
  • 1349
  • 4688
  • 2007-01-10
2010-06-09 10:18 |只看楼主 9#
t T

是啊.就是因为数据不正常引起的故障.说明流只到内网口.• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
TOP
猪头王子
头像

  • 超级版主
  • 716
  • 4841
  • 2010-04-12
2010-06-09 17:36 |只看该用户 10#
t T

顶起。。。• îTלC%support.ruijie.com.cn¡Þ„Ç°øÀ´
TOP
返回列表
上一主题 | 下一主题