Fault description: the WAN-facing router's CPU spikes to 100% at irregular intervals, and while it does, LAN users cannot reach the Internet.

1. Collect the fault information

display cpu   (display cpu-usage)
Unit CPU usage:
       18% in last 5 seconds
       18% in last 1 minute
       17% in last 5 minutes
display cpu hi   (display cpu-usage history)

100%| #########
 95%| #########
 90%| #########
 85%| #########
 80%| #########
 75%| #########
 70%| #########
 65%| #########
 60%| #########
 55%| #########
 50%| #########
 45%| #########
 40%| #########
 35%| #########
 30%| ######### #
 25%| ########## ## ### #
 20%|## ################## # ##### #############################
 15%|############################################################
 10%|############################################################
  5%|############################################################
    ------------------------------------------------------------
              10        20        30        40        50        60 (minutes)
                     cpu-usage last 60 minutes (SYSTEM)

Column alignment of the chart did not survive copying. What it recorded is a baseline of roughly 15-20% across the hour and one spike of nine consecutive one-minute samples at 100%; the instantaneous 18% reading above was taken between spikes.
system-view
_h   (hidden-command mode; display cpu task is not in the public command set)
display cpu task

TaskName   CPU   Runtime(CPU Tick High/CPU Tick Low)
VIDL       37%   0/ cae5c4b
TICK        0%   0/ 2235e0
STMR        1%   0/ 591153
DrTF       52%   0/119800ed
DrTm        0%   0/ 1032d
IPCM        0%   0/ 335f
INFO        0%   0/ 23dcf
DEV         0%   0/ 126ec
SOCK        6%   0/ 2518b55
SFLW        0%   0/ 532f
ACL         0%   0/ 75ec
LAGG        0%   0/ 3617
MSTP        0%   0/ 30ac
GARP        0%   0/ 21e15
CLST        0%   0/ ebbb
NDP         0%   0/ 6113
NTDP        0%   0/ 29dd
HABP        0%   0/ 22d5
LLDP        0%   0/ 291e
ACFP        0%   0/ 37e
ARP         0%   0/ 1f14d
IP          0%   0/ 156450
NQA         0%   0/ 1a1f11
FSLH        0%   0/ 1f55
FSLR        0%   0/ 1d2c7
NTPT        0%   0/ 3bd7
VTYD        0%   0/ 2a170
ND          0%   0/ 33a61
PBR         0%   0/ 10ea
CWMP        0%   0/ 7329
ACM         0%   0/ 1427d
LS          0%   0/ 253bc
RDSO        0%   0/ 164be
SC          0%   0/ a2fa
IKE         0%   0/ 110edc
L2TP        0%   0/ 1a064
ULOG        0%   0/ 20ed4
BFD         0%   0/ 18493
MFIB        0%   0/ 438
STND        0%   0/ f33b
ROUT        0%   0/ 196fbc
IPP         0%   0/ 23c6
SIP         0%   0/ 1518f
TSsm        0%   0/ 149da
WIDS        0%   0/ 17427
IFNT        0%   0/ 309b
vt2         0%   0/ 3ba146

display task
Display task 18
The captured information was handed to H3C's 400 support hotline for analysis.

Analysis: the CPU climbs erratically to 100% and services fail while it does. In display cpu task the line "DrTF 52% 0/119800ed" stands out: DrTF is the system forwarding task, and VIDL (37%) is the idle task, so more than half of the CPU is being spent forwarding packets in software rather than in the fast path. In other words, traffic is being punted to the CPU. Working conclusion: the router is being hit by an abnormal volume of traffic, most likely from infected hosts on the LAN. Note that the per-task breakdown only means something if it is captured while the CPU is high; a snapshot taken between spikes, like the 18% reading in step 1, shows nothing.
2. display logb (display logbuffer): check the log for events that could explain the spikes, such as an SSH login attack, route flapping, or a configuration change.

dis trap (display trapbuffer): check the alarm (trap) buffer for the same reason.
3. disp interface (display interface): check the traffic level on each interface and its error, CRC, broadcast and multicast counters. Output from the affected interface:

The Maximum Transmit Unit is 1500
Internet Address is 10.10.10.1/29 Primary
IP Packet Frame Type: PKTFMT_ETHNT_2, Hardware Address: 000f-e261-591e
IPv6 Packet Frame Type: PKTFMT_ETHNT_2, Hardware Address: 000f-e261-591e
Media type is twisted pair, loopback not set, promiscuous mode not set
1000Mb/s, Full-duplex, link type is autonegotiation
Output flow-control is disabled, input flow-control is disabled
Output queue : (Urgent queuing : Size/Length/Discards) 0/100/0
Output queue : (Protocol queuing : Size/Length/Discards) 0/500/0
Output queue : (FIFO queuing : Size/Length/Discards) 0/75/221
Last clearing of counters: 12:29:44 Sat 07/18/2015
Last 300 seconds input rate 789998.56 bytes/sec, 6319988 bits/sec, 3205.15 packets/sec
Last 300 seconds output rate 3422041.50 bytes/sec, 27376332 bits/sec, 4266.08 packets/sec
Input: 675942856 packets, 338066929 bytes, 675942856 buffers
       2047 broadcasts, 4064 multicasts, 0 pauses
       13914594 errors, 0 runts, 0 giants
       1 crc, 0 align errors, 0 overruns
       0 dribbles, 0 drops, 13914593 no buffers
Output: 852596260 packets, 3192830905 bytes, 852596260 buffers
       911 broadcasts, 0 multicasts, 0 pauses
       0 errors, 0 underruns, 0 collisions
       0 deferred, 0 lost carriers

Reading this output: of the 13914594 input errors, 13914593 are "no buffers" and a single one is a CRC error, so the link itself is clean; the router is running out of receive buffers, about 2% of all input packets, which is consistent with packets arriving for the CPU faster than it can drain them. Broadcast and multicast counts are tiny, so this is not a broadcast storm. The FIFO output queue has discarded 221 packets as well. The byte totals (338066929 bytes for 675942856 packets) have evidently wrapped, so compare the 300-second rates rather than the totals when judging load.
Determine which port the attack traffic enters on (the LAN and WAN ports: eth2/0, gi0/1, gi0/2) by watching the CPU while isolating each one in turn. For example, when the LAN port gi10/0 is shut down, CPU usage drops, which points at the LAN side.
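The two readings above (the hottest task in display cpu task and the "no buffers" share in display interface) are tedious to compare by eye across several snapshots taken during and between spikes. As an added example, not part of the original note and not an H3C tool, the following Python script parses pasted output of both commands and produces the same verdicts. The sample text embedded in it is copied from the output shown above; the thresholds it applies (one task above 50%, more than 1% of input lost to buffer exhaustion) are assumptions chosen for illustration.

```python
"""Triage of `display cpu task` and `display interface` output.

Added example, not from the page or from H3C: pulls out the figures the
steps above read by eye (idle share, hottest task, 'no buffers' share of
input, FIFO discards) so several snapshots can be compared quickly.
"""
import re
from collections import OrderedDict

# Sample input: figures copied from the command output shown above,
# flattened the way a terminal paste usually arrives. Subset of tasks only.
CPU_TASK_OUTPUT = """
TaskName CPU Runtime(CPU Tick High/CPU Tick Low)
VIDL 37% 0/ cae5c4b TICK 0% 0/ 2235e0 STMR 1% 0/ 591153
DrTF 52% 0/119800ed DrTm 0% 0/ 1032d SOCK 6% 0/ 2518b55
IP 0% 0/ 156450 ROUT 0% 0/ 196fbc ARP 0% 0/ 1f14d
"""

INTERFACE_OUTPUT = """
Output queue : (FIFO queuing : Size/Length/Discards) 0/75/221
Last 300 seconds input rate 789998.56 bytes/sec, 6319988 bits/sec, 3205.15 packets/sec
Last 300 seconds output rate 3422041.50 bytes/sec, 27376332 bits/sec, 4266.08 packets/sec
Input: 675942856 packets, 338066929 bytes, 675942856 buffers
2047 broadcasts, 4064 multicasts, 0 pauses
13914594 errors, 0 runts, 0 giants
1 crc, 0 align errors, 0 overruns
0 dribbles, 0 drops, 13914593 no buffers
"""

IDLE_TASK = "VIDL"  # idle task on Comware v5; its share is the CPU headroom
# task name, percentage, then the "high/low" tick counters in hex
TASK_RE = re.compile(r"([A-Za-z]\w*)\s+(\d+)%\s+([0-9a-fA-F]+)/\s*([0-9a-fA-F]+)")


def parse_cpu_tasks(text):
    """Map task name -> CPU percent, in the order the router printed them."""
    return OrderedDict((m.group(1), int(m.group(2))) for m in TASK_RE.finditer(text))


def top_busy_tasks(tasks, n=3):
    """Non-idle tasks, largest CPU share first."""
    busy = [(name, pct) for name, pct in tasks.items() if name != IDLE_TASK]
    return sorted(busy, key=lambda kv: kv[1], reverse=True)[:n]


def parse_interface_counters(text):
    """Counters from `display interface` that step 3 compares."""
    def first(pattern):
        m = re.search(pattern, text)
        return float(m.group(1)) if m else 0.0
    return {
        "input_pps": first(r"input rate .*?([\d.]+) packets/sec"),
        "output_pps": first(r"output rate .*?([\d.]+) packets/sec"),
        "input_packets": first(r"Input:\s*(\d+) packets"),
        "input_errors": first(r"(\d+) errors"),  # first 'errors' line is the Input block
        "crc": first(r"(\d+) crc"),
        "no_buffers": first(r"(\d+) no buffers"),
        "fifo_discards": first(r"FIFO queuing : Size/Length/Discards\) \d+/\d+/(\d+)"),
    }


def triage(cpu_text, iface_text):
    """Combine both outputs into the verdicts the walkthrough draws by hand."""
    tasks = parse_cpu_tasks(cpu_text)
    c = parse_interface_counters(iface_text)
    top = top_busy_tasks(tasks, 1)
    result = {
        "idle_pct": tasks.get(IDLE_TASK, 0),
        "top_task": top[0] if top else None,
        "no_buffer_ratio": c["no_buffers"] / c["input_packets"] if c["input_packets"] else 0.0,
        # input errors not explained by buffer exhaustion (should be ~crc on a clean link)
        "link_errors": c["input_errors"] - c["no_buffers"],
        "fifo_discards": c["fifo_discards"],
        "findings": [],
    }
    if top and top[0][1] >= 50:  # assumed threshold: one task owning half the CPU
        result["findings"].append("task %s holds %d%% of the CPU" % top[0])
    if result["no_buffer_ratio"] > 0.01:  # assumed threshold: >1% of input lost
        result["findings"].append("%.2f%% of input packets dropped for lack of buffers"
                                  % (100 * result["no_buffer_ratio"]))
    if result["link_errors"] <= c["crc"]:
        result["findings"].append("input errors are buffer exhaustion, not link errors")
    return result


if __name__ == "__main__":
    for line in triage(CPU_TASK_OUTPUT, INTERFACE_OUTPUT)["findings"]:
        print(line)
```

Paste the full output of both commands into the two strings (or read them from files) each time a spike is caught; the TASK_RE pattern tolerates the multi-entry-per-line layout the router prints, so no cleanup is needed first.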
4. Capture packets on the LAN port to see what the traffic actually is. Define an ACL and apply it in the inbound direction of the interface, then debug packets matching it:

acl number 2100
 rule 10 permit
interface gi10/0
 firewall packet-filter 2100 in
 quit
debugging ip packet acl 2100
ter m      (terminal monitor)
ter deb    (terminal debugging)

Cautions on a router that is already starved: rule 10 permit has no match criteria, so it matches every packet and the debugging output is as heavy as the traffic itself. Narrow the rule (for example to a source subnet) as soon as a suspect is in view, keep the debugging window short, and switch it off with undo debugging all when finished.
5. Connect a laptop and capture with Wireshark to analyse the traffic in detail.
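Step 5 comes down to one question: which LAN host is generating the flood, and towards what. As an added example, not part of the original note, the following standard-library Python script reads a capture saved by Wireshark in classic pcap format (choose "Wireshark/tcpdump/... - pcap" in Save As; the default pcapng is not handled) and ranks source addresses and destination ports by packet count. The capture it analyses is constructed in code: two quiet hosts and one host, 192.168.1.66, sweeping forty addresses on TCP port 445. All addresses, ports, MAC addresses and timestamps in it are made up for the example.

```python
"""Top talkers in a pcap capture, standard library only.

Added example, not from the page: answers the step-5 question (which
LAN host is flooding the router) from a capture saved by Wireshark in
classic pcap format.
"""
import socket
import struct
from collections import Counter

ETH_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17
# classic pcap global header: magic, version 2.4, tz 0, sigfigs 0, snaplen, linktype 1 = Ethernet
PCAP_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)


def _ipv4_frame(src_ip, dst_ip, proto, sport, dport):
    """Ethernet/IPv4 frame carrying a minimal UDP datagram or a TCP SYN (constructed data)."""
    if proto == PROTO_UDP:
        l4 = struct.pack("!HHHH", sport, dport, 8 + 16, 0) + b"\x00" * 16
    else:  # TCP SYN, no options; checksums left zero since nothing is transmitted
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0x4000, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    # locally administered MACs, made up for the example
    eth = bytes.fromhex("020000000001") + bytes.fromhex("020000000002") + struct.pack("!H", ETH_IPV4)
    return eth + ip + l4


def build_sample_pcap():
    """Constructed capture: two quiet hosts and one host sweeping 40 addresses on TCP 445."""
    frames = [_ipv4_frame("192.168.1.66", "198.51.100.%d" % (i + 1), PROTO_TCP, 40000 + i, 445)
              for i in range(40)]
    frames += [_ipv4_frame("192.168.1.10", "203.0.113.53", PROTO_UDP, 50000 + i, 53) for i in range(4)]
    frames.append(_ipv4_frame("192.168.1.20", "203.0.113.80", PROTO_TCP, 51000, 80))
    out = [PCAP_HEADER]
    base = 1437216000  # arbitrary epoch seconds; one frame every 10 ms
    for n, frame in enumerate(frames):
        sec, usec = base + (n * 10000) // 1000000, (n * 10000) % 1000000
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def iter_packets(data):
    """Yield (timestamp_seconds, frame_bytes) from little-endian classic pcap bytes."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian pcap with microsecond timestamps is handled")
    if struct.unpack_from("<I", data, 20)[0] != 1:
        raise ValueError("expected Ethernet frames (linktype 1)")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack_from("<IIII", data, off)
        off += 16
        yield sec + usec / 1e6, data[off:off + incl]
        off += incl


def summarize(data, top=3):
    """Packets per source IP and per (proto, dst port), plus the average packet rate."""
    by_src, by_dport = Counter(), Counter()
    first = last = None
    total = 0
    for ts, frame in iter_packets(data):
        total += 1
        first = ts if first is None else first
        last = ts
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETH_IPV4:
            continue  # not IPv4 (ARP, IPv6, ...): counted in total, not attributed
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        by_src[socket.inet_ntoa(frame[26:30])] += 1
        if proto in (PROTO_TCP, PROTO_UDP) and len(frame) >= 14 + ihl + 4:
            by_dport[(proto, struct.unpack_from("!H", frame, 14 + ihl + 2)[0])] += 1
    duration = (last - first) if total > 1 else 0.0
    return {
        "packets": total,
        "pps": total / duration if duration else float(total),
        "top_sources": by_src.most_common(top),
        "top_dst_ports": by_dport.most_common(top),
    }


if __name__ == "__main__":
    report = summarize(build_sample_pcap())
    print("%d packets, %.0f pkt/s" % (report["packets"], report["pps"]))
    print("top sources:", report["top_sources"])
    print("top destination ports (proto, port):", report["top_dst_ports"])
```

On a real capture call summarize(open("capture.pcap", "rb").read()); a single source dominating the list while the destination side is spread over one port and many addresses is the pattern to look for before pulling the host off the network.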