52ky posted on 2022-9-10 14:34:24

Notes from an on-site troubleshooting session: a DDoS attack

At a customer's request, I recently made a network "house call". The fault was caused by a DDoS attack launched from a compromised (zombie) host inside the network. The case is fairly typical, and the troubleshooting path was quite tortuous, so I am reconstructing the process here to share it with everyone.

1. Network environment

The customer is a chemical company with a modest network: a LAN built from a little over ten switches, with roughly 150 nodes. There is no VLAN segmentation, so the whole LAN is a single broadcast domain. Some hosts run IPX, the rest run TCP/IP. Only a small number of hosts are allowed to reach the Internet; access is through an ADSL router plugged directly into one of the switches. The ADSL router's built-in firewall is enabled, and every Internet-capable host has anti-virus software installed.

2. Fault description

One day the entire network suddenly went down. The port indicator LEDs on every switch could be seen flashing rapidly, tests showed that no two hosts on the network could ping each other, and no network application worked. After some cables were unplugged (the uplinks between switches), the symptoms eased and the network eventually returned to normal. When the unplugged cables were reinserted one by one, the fault did not reappear. From then on, however, the same condition recurred at irregular, unpredictable intervals.



