Handling the "Blaster" Worm Outbreak
I. Situation summary
In recent days, because of the "Blaster" worm and the "Blaster Killer" worm, large numbers of TCP packets to destination ports 135 and 445 (among others) and huge volumes of ICMP packets appeared on the network, at times even affecting switch CPU utilization: the 4506 (S3 engine) briefly reached 90% CPU utilization.
II. Measures taken
1. Handling on the 4506
In response to the above, the following access control was first applied on the 4506 (in a VLAN access-map the permit entries of the referenced ACL only select traffic; the map's action decides whether that traffic is dropped or forwarded):
vlan access-map drop_udp_1434 10
action drop
match ip address udp_1434
vlan access-map drop_udp_1434 15
action drop
match ip address cjb
vlan access-map drop_udp_1434 20
action forward
match ip address ip_match
vlan filter drop_udp_1434 vlan-list 1-4094
!
...
ip access-list extended cjb
permit tcp any any eq 4444
permit tcp any eq 135 any
permit tcp any eq 137 any
ip access-list extended ip_match
permit ip any any
Within half an hour it had intercepted several hundred thousand TCP packets with source port 135.
Entries for all of the "Blaster" worm's signature traffic were then added to the cjb access list on the device:
permit tcp any any eq 135
permit tcp any any eq 139
permit tcp any any eq 445
permit tcp any any eq 593
permit udp any any eq tftp
permit udp any any eq 135
permit udp any any eq netbios-ns
permit udp any any eq netbios-dgm
permit udp any any eq netbios-ss
permit tcp any eq 139 any
permit tcp any eq 4444 any
permit tcp any eq 445 any
permit tcp any eq 593 any
permit udp any eq tftp any
permit udp any eq 135 any
permit udp any eq netbios-ns any
permit udp any eq netbios-dgm any
permit udp any eq netbios-ss any
With these added, the effect was even more pronounced; the interception counters were as follows:
4506#sh ip acce
Standard IP access list 98
permit 61.174.90.0, wildcard bits 0.0.1.255 (6 matches) check=2537
permit 10.10.8.0, wildcard bits 0.0.0.63 (1502 matches) check=2537
permit 10.11.44.224, wildcard bits 0.0.0.31 (1127 matches) check=2535
deny any log (130326 matches)
Standard IP access list 99
permit 210.5.19.221 log (4 matches)
permit 61.174.90.0, wildcard bits 0.0.1.255 log (14 matches) check=8
permit 10.10.8.0, wildcard bits 0.0.0.31 log (8 matches)
Extended IP access list cjb
permit tcp any any eq 4444 (348 matches)
permit tcp any eq 135 any (164 matches)
permit tcp any eq 137 any
permit tcp any any eq 135 (19920115 matches)
permit tcp any any eq 139 (2936995 matches)
permit tcp any any eq 445 (5761882 matches)
permit tcp any any eq 593
permit udp any any eq tftp (28 matches)
permit udp any any eq 135 (32629 matches)
permit udp any any eq netbios-ns (1073867 matches)
permit udp any any eq netbios-dgm (279542 matches)
permit udp any any eq netbios-ss
permit tcp any eq 139 any (3517 matches)
permit tcp any eq 4444 any (2485 matches)
permit tcp any eq 445 any (42 matches)
permit tcp any eq 593 any
permit udp any eq tftp any (12 matches)
permit udp any eq 135 any (6 matches)
permit udp any eq netbios-ns any (9912 matches)
permit udp any eq netbios-dgm any (20 matches)
permit udp any eq netbios-ss any (6 matches)
Extended IP access list ip_match
permit ip any any (2042995121 matches)
Extended IP access list udp_1434
permit udp any any eq 1434 (19230 matches)
4506#
At this point the 4506's CPU utilization was fairly stable (generally under 10%, with no peak above 20% observed).
2. Handling on the 6509
Access control was added on the 6509.
The configuration is as follows:
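To follow which worm ports are still being hit as the outbreak runs, here is an added example (not from the original report) that parses the match counters in the 4506's "show ip access-list" output above and totals them per port; the sample text is a constructed excerpt in that format, and the port list mirrors the cjb ACL.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the 4506 "show ip access-list" output above.
SAMPLE = """\
Extended IP access list cjb
    permit tcp any any eq 4444 (348 matches)
    permit tcp any eq 135 any (164 matches)
    permit tcp any eq 137 any
    permit tcp any any eq 135 (19920115 matches)
    permit udp any any eq netbios-ns (1073867 matches)
Extended IP access list udp_1434
    permit udp any any eq 1434 (19230 matches)
"""

ACL_HEADER = re.compile(r"^(?:Standard|Extended) IP access list (\S+)$")
MATCHES = re.compile(r"\((\d+) matches\)")
# Ports covered by the worm signature ACL above (named ports as IOS prints them).
WORM_PORTS = {"135", "137", "139", "445", "593", "4444", "tftp",
              "netbios-ns", "netbios-dgm", "netbios-ss"}

def parse_acl_counters(text):
    """Return {acl_name: [(ace_text, match_count), ...]}; no suffix means 0 hits."""
    acls = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = ACL_HEADER.match(line)
        if header:
            current = header.group(1)
            continue
        if current is None:
            continue  # text before the first ACL header, e.g. the prompt line
        m = MATCHES.search(line)
        ace = line[:m.start()].strip() if m else line
        acls[current].append((ace, int(m.group(1)) if m else 0))
    return dict(acls)

def worm_port_hits(acls):
    """Sum hit counters per 'eq' port (source or destination) for WORM_PORTS, highest first."""
    hits = defaultdict(int)
    for entries in acls.values():
        for ace, count in entries:
            m = re.search(r"\beq (\S+)", ace)
            if m and m.group(1) in WORM_PORTS:
                hits[m.group(1)] += count
    return sorted(hits.items(), key=lambda kv: kv[1], reverse=True)
```

Running it against two snapshots taken some minutes apart and subtracting the totals gives the per-port rate, which is what tells you whether a cleanup is working.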
#WORM1
set security acl ip WORM1 permit arp
set security acl ip WORM1 deny udp any any eq 1434
set security acl ip WORM1 deny tcp any any eq 4444
set security acl ip WORM1 deny tcp any eq 135 any
set security acl ip WORM1 deny tcp any eq 137 any
set security acl ip WORM1 deny tcp any any eq 135
set security acl ip WORM1 deny tcp any any eq 139
set security acl ip WORM1 deny tcp any any eq 445
set security acl ip WORM1 deny tcp any any eq 593
set security acl ip WORM1 deny udp any any eq 69
set security acl ip WORM1 deny udp any any eq 135
set security acl ip WORM1 deny udp any any eq 137
set security acl ip WORM1 deny udp any any eq 138
set security acl ip WORM1 deny tcp any eq 139 any
set security acl ip WORM1 deny tcp any eq 4444 any
set security acl ip WORM1 deny tcp any eq 445 any
set security acl ip WORM1 deny tcp any eq 593 any
set security acl ip WORM1 deny udp any eq 69 any
set security acl ip WORM1 deny udp any eq 135 any
set security acl ip WORM1 deny udp any eq 137 any
set security acl ip WORM1 deny udp any eq 138 any
set security acl ip WORM1 permit ip any any
#
commit security acl all
set security acl map WORM1 2-100,200-490,492-799,801-829,831-900
!
Example of the effect:
Before the configuration:
6509>sh mls stat en ip source 218.72.250.227
Last Used
Destination IP   Source IP       Prot  DstPrt SrcPrt Stat-Pkts  Stat-Bytes
---------------- --------------- ----- ------ ------ ---------- ---------------
218.70.116.233   218.72.250.227  ICMP  0      0      1          92
218.70.116.148   218.72.250.227  ICMP  0      0      1          92
218.70.116.141   218.72.250.227  ICMP  0      0      1          92
141.155.94.96    218.72.250.227  TCP   445    1924   2          96
218.70.119.251   218.72.250.227  ICMP  0      0      1          92
218.70.119.134   218.72.250.227  ICMP  0      0      1          92
218.70.119.42    218.72.250.227  ICMP  0      0      1          92
218.70.119.101   218.72.250.227  ICMP  0      0      1          92
218.70.114.230   218.72.250.227  ICMP  0      0      1          92
218.70.114.97    218.72.250.227  ICMP  0      0      1          92
218.70.115.111   218.72.250.227  ICMP  0      0      1          92
218.70.115.11    218.72.250.227  ICMP  0      0      1          92
218.70.115.167   218.72.250.227  ICMP  0      0      1          92
10.229.192.24    218.72.250.227  TCP   445    2994   1          48
218.70.112.50    218.72.250.227  ICMP  0      0      1          92
218.70.112.43    218.72.250.227  ICMP  0      0      1          92
218.70.120.238   218.72.250.227  ICMP  0      0      1          92
182.220.27.115   218.72.250.227  TCP   445    2128   1          48
218.70.133.169   218.72.250.227  TCP   135    3380   3          144
218.70.123.206   218.72.250.227  ICMP  0      0      1          92
218.70.111.193   218.72.250.227  TCP   135    4930   1          48
218.70.126.225   218.72.250.227  ICMP  0      0      1          92
218.70.127.113   218.72.250.227  ICMP  0      0      1          92
218.70.127.160   218.72.250.227  ICMP  0      0      1          92
10.160.95.188    218.72.250.227  TCP   445    1837   2          96
117.99.35.56     218.72.250.227  TCP   445    3746   2          96
218.70.139.43    218.72.250.227  TCP   135    1449   1          48
218.70.147.42    218.72.250.227  TCP   135    4497   2          96
218.70.108.96    218.72.250.227  ICMP  0      0      1          92
218.70.108.121   218.72.250.227  ICMP  0      0      1          92
218.70.108.54    218.72.250.227  ICMP  0      0      1          92
218.70.108.47    218.72.250.227  ICMP  0      0      1          92
218.70.108.154   218.72.250.227  ICMP  0      0      1          92
218.70.108.131   218.72.250.227  ICMP  0      0      1          92
218.70.108.168   218.72.250.227  ICMP  0      0      1          92
131.168.3.224    218.72.250.227  TCP   445    4706   2          96
218.27.159.17    218.72.250.227  TCP   445    4452   2          96
218.70.110.134   218.72.250.227  ICMP  0      0      1          92
80.55.43.153     218.72.250.227  TCP   445    3675   2          96
135.95.63.241    218.72.250.227  TCP   445    1733   2          96
218.70.106.68    218.72.250.227  ICMP  0      0      1          92
13.12.105.185    218.72.250.227  TCP   445    3465   1          48
...
After the configuration:
6509> (enable) sh mls statistics entry ip source 218.72.250.227
Last Used
Destination IP   Source IP       Prot  DstPrt SrcPrt Stat-Pkts  Stat-Bytes
---------------- --------------- ----- ------ ------ ---------- ---------------
218.72.29.130    218.72.250.227  ICMP  0      0      1          92
218.72.31.209    218.72.250.227  ICMP  0      0      1          92
218.72.31.79     218.72.250.227  ICMP  0      0      1          92
218.72.31.86     218.72.250.227  ICMP  0      0      1          92
218.72.30.37     218.72.250.227  ICMP  0      0      1          92
218.72.27.141    218.72.250.227  ICMP  0      0      1          92
218.72.25.199    218.72.250.227  ICMP  0      0      1          92
218.72.24.42     218.72.250.227  ICMP  0      0      1          92
218.72.24.201    218.72.250.227  ICMP  0      0      1          92
218.72.22.175    218.72.250.227  ICMP  0      0      1          92
218.72.22.224    218.72.250.227  ICMP  0      0      1          92
218.72.23.13     218.72.250.227  ICMP  0      0      1          92
218.72.23.161    218.72.250.227  ICMP  0      0      1          92
218.72.43.15     218.72.250.227  ICMP  0      0      1          92
218.72.42.124    218.72.250.227  ICMP  0      0      1          92
218.72.42.134    218.72.250.227  ICMP  0      0      1          92
218.72.42.173    218.72.250.227  ICMP  0      0      1          92
218.72.32.165    218.72.250.227  ICMP  0      0      1          92
218.72.35.27     218.72.250.227  ICMP  0      0      1          92
218.72.35.77     218.72.250.227  ICMP  0      0      1          92
218.72.38.73     218.72.250.227  ICMP  0      0      1          92
218.72.36.103    218.72.250.227  ICMP  0      0      1          92
218.72.37.238    218.72.250.227  ICMP  0      0      1          92
218.70.155.99    218.72.250.227  ICMP  0      0      1          92
This shows that the various packets to and from ports 135 and 445 are now being effectively intercepted.
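The before/after comparison above can be turned into a check that finds infected hosts. The following is an added example, not part of the original report: it parses rows in the 6509's "show mls statistics entry" format and flags any source that has short TCP flows to ports 135/445 on many distinct destinations, which is how a spreading host looks before the ACL. The sample rows are constructed in that format and the min_targets threshold is an assumed value.

```python
import re
from collections import defaultdict

# Constructed samples in the format of the 6509 "show mls statistics entry" output
# above: a few rows from before the ACL and a few from after it.
BEFORE = """\
Destination IP   Source IP       Prot  DstPrt SrcPrt Stat-Pkts  Stat-Bytes
---------------- --------------- ----- ------ ------ ---------- ---------------
218.70.116.233   218.72.250.227  ICMP  0      0      1          92
141.155.94.96    218.72.250.227  TCP   445    1924   2          96
10.229.192.24    218.72.250.227  TCP   445    2994   1          48
218.70.133.169   218.72.250.227  TCP   135    3380   3          144
218.70.111.193   218.72.250.227  TCP   135    4930   1          48
10.160.95.188    218.72.250.227  TCP   445    1837   2          96
"""
AFTER = """\
Destination IP   Source IP       Prot  DstPrt SrcPrt Stat-Pkts  Stat-Bytes
---------------- --------------- ----- ------ ------ ---------- ---------------
218.72.29.130    218.72.250.227  ICMP  0      0      1          92
218.72.31.209    218.72.250.227  ICMP  0      0      1          92
"""

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
WORM_TCP_PORTS = {135, 139, 445, 593, 4444}  # the TCP ports blocked by WORM1 above

def parse_mls_rows(text):
    """Return (dst, src, proto, dport, sport, pkts, bytes) tuples, skipping headers."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 7 or not (IPV4.match(f[0]) and IPV4.match(f[1])):
            continue
        rows.append((f[0], f[1], f[2], int(f[3]), int(f[4]), int(f[5]), int(f[6])))
    return rows

def scanning_sources(rows, min_targets=3):
    """Map each source that has flows to at least min_targets distinct destinations
    on the worm's TCP ports to its sorted target list. Many tiny flows (1-3 packets)
    from one host to 135/445 on many hosts is the spread pattern in the output above;
    min_targets is an assumed threshold, tune it to the size of the VLAN."""
    targets = defaultdict(set)
    for dst, src, proto, dport, _sport, _pkts, _bytes in rows:
        if proto == "TCP" and dport in WORM_TCP_PORTS:
            targets[src].add(dst)
    return {src: sorted(d) for src, d in targets.items() if len(d) >= min_targets}
```

Run over the full table (without the "source" filter on the show command) it lists every candidate host to clean, and an empty result after the ACL is applied confirms the block is working.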
III. Outstanding issues
1. The current configuration does not intercept ICMP packets, so large numbers of ping packets remain on the network.
2. While configuring the 6509, a few VLANs could not have the ACL applied because of an "ACL engine TCAM table full" error.
For example, on the 6509, VLANs 491, 800 and 830 all produced the following messages:
Hardware capacity exceeded. Out of ACL space.
Failed to map VLAN 491 to ACL WORM1.
XDL6509> (enable) 2003 Aug 21 11:37:16 %ACL-3-TCAMFULL:Acl engine TCAM table is full
Jiaxing Telecom Branch, Monitoring and Maintenance Center
Xu Yiming
March 23, 2006