
Packet analysis with cpu-defend on Huawei network equipment – 2

The post "Packet analysis with cpu-defend on Huawei network equipment" covered the cpu-defend command and its purpose in general terms. In this post we look at its more specialised functions…

If we want to inspect the services on a particular slot:

[fc-route]  display cpu-defend application-apperceive statistics slot 3
Slot      Attack-Type               Total-Packets Passed-Packets Dropped-Packets
--------------------------------------------------------------------------------
3         Application-Apperceive         12488631       12488631              0
--------------------------------------------------------------------------------
          FTPSERVER                             0              0              0
          SSHSERVER                             0              0              0
          SNMP                                  0              0              0
          TELNETSERVER                          0              0              0
          TFTPCLIENT                            0              0              0
          BGP                                   0              0              0
          LDP                                   0              0              0
          RSVP                                  0              0              0
          OSPFV2                                0              0              0
          RIP                                   0              0              0
          ISIS                            2455839        2455839              0
          ICMP                                482            482              0
          MSDP                                  0              0              0
          PIM                                   0              0              0
          DHCP                            1914136        1914136              0
          LACP                            2306476        2306476              0
          RADIUS                                0              0              0
          HWTACACS                              0              0              0
          LSPPING                               0              0              0
          IGMP                            5811698        5811698              0
          RRPP                                  0              0              0
          VRRP                                  0              0              0
          BFD                                   0              0              0
          MPLSOAM                               0              0              0
          802_1ag                               0              0              0
          DNSCLIENT                             0              0              0
          WEB_AUTH_SERVER                       0              0              0
          UNICAST_VRRP                          0              0              0
          IPFPM                                 0              0              0
--------------------------------------------------------------------------------

If we want to look more closely at the protocols/services we suspect, for ARP:

[fc-route]display cpu-defend car protocol arp statistics             
 Slot               : 3
 Application switch : Close
 Default Action     : Drop
--------------------------------------------
 IPV4 ARP packet 
 Protocol switch: N/A
 Packet information:
  Passed packet(s)  : 10766537             
  Dropped packet(s) : 0                    
 Configuration information:
  Configured CIR : 448     kbps       Actual CIR in NP : 448     kbps
  Configured CBS : 60000   bytes      Actual CBS in NP : 60000   bytes
  Priority : The protocol has several CAR which have different priority.You can query the information by CAR
  Min-packet-length : NA
  CIR Configuration Type: Default
 History information: 
  Last drop: 
   Start time: -
   End   time: -
   Last drop rate(pps): -
   Total dropped packet(s): -
  Peak rate: 
   Time: 2018-11-13 17:04:28              
   Peak rate(pps): 1                   

For the BGP protocol on slot 1, the following

[fc-route] display cpu-defend car protocol bgp statistics slot 1
Slot                       :1
Application switch         :Open
Default Action             :Min-to-cp
-----------------------------------------------
BGP Packet
Protocol switch             :Close
Packet information         :
 Passed packet(s)         :0
 Dropped packet(s)        :0
  Peak drop rate    : 1075395    pps     2014-07-08 19:49:47
  Last drop rate    : 1008235    pps     2014-07-08 19:51:47


Configuration information  :
 Configured CIR: 512 kbps       Actual CIR in NP: 100 kbps
 Configured CBS: 9000000 bytes  Actual CBS in NP: 9000000 bytes
 Priority: BE
 Min-packet-length: 128 bytes

can be used.

Packet analysis with cpu-defend on Huawei network equipment

From a security and quality-of-service standpoint, examining system resources and traffic on network equipment has always been important.

On Huawei network equipment, if we want to examine the state of an interface or of the protocols on a per-packet basis, the cpu-defend statistics command does the job.

The command syntax is as follows. It may vary with the device and the version of the operating system it runs.

display cpu-defend { all | application-apperceive | tcpip-defend | total-packet | urpf } statistics [ slot slot-id ]

display cpu-defend ma-defend statistics [ slot slot-id ]

display cpu-defend car { blacklist | whitelist | whitelist-v6 | index index | user-defined-flow flow-id | fragment | tcpsyn } statistics [ slot slot-id ]

display cpu-defend car protocol { 802.1ag | arp | bfd | bgp | bpdu | arp-miss | ipv4-fib-miss | ipv4-multicast-fib-miss | ipv4-ttl-expire | ipv6-fib-miss | ipv6-nd-miss | ipv6-ttl-expire | lldp | mpls-arp-miss | mpls-ttl-expire | bgpv6 | ftpv6-client | ftpv6-server | icmpv6 | ospfv3 | pimv6 | sshv6-server | telnetv6-client | telnetv6-server | dhcp | dns-client | ftp-client | ftp-server | hwtacacs | icmp | igmp | isis | lacp | ldp | lspping | msdp | ntp | ospf | pim | radius | rip | rsvp | snmp | ssh-client | ssh-server | telnet-client | telnet-server | tftp | vrrp | syslog | tftpv6-client | dnsv6 | netstream | snmpv6 | eapol | rs | ra | ns | na | mld | dhcpv6 } statistics [ slot slot-id ]

In general, cpu-defend provides packet analysis that can be customised per interface, per hardware slot and per protocol.

In the output, the main thing to examine is any abnormal packet count. For example, if a service that is not active has no proper configuration, the packets generated for that protocol/service will be dropped, and that can be an indicator of an attack on the protocol or service. Packets being dropped may show that things are partly in order, but the dropping itself consumes system resources. Without proper configuration, an attack of this kind will lead to excessive resource consumption and similar problems, which can degrade quality of service and cause further security problems.

The most basic cpu-defend output looks like the following.

[fc-route]display cpu-defend all statistics 
Slot/Intf Attack-Type               Total-Packets Passed-Packets Dropped-Packets
--------------------------------------------------------------------------------
1         Application-Apperceive         13166418       13166418              0
--------------------------------------------------------------------------------
          FTPSERVER                             0              0              0
          SSHSERVER                             0              0              0
          SNMP                                  1              1              0
          TELNETSERVER                          0              0              0
          TFTPCLIENT                            0              0              0
          BGP                                   0              0              0
          LDP                                   0              0              0
          RSVP                                  0              0              0
          OSPFV2                                0              0              0
          RIP                                 662            662              0
          ISIS                            7880595        7880595              0
          ICMP                             109827         109827              0
          MSDP                                102            102              0
          PIM                                   0              0              0
          DHCP                            4027692        4027692              0
          LACP                                  0              0              0
          RADIUS                              113            113              0
          HWTACACS                             10             10              0
          LSPPING                               2              2              0
          IGMP                            1145546        1145546              0
          RRPP                                  0              0              0
          VRRP                                  0              0              0
          BFD                                   0              0              0
          MPLSOAM                               0              0              0
          802_1ag                               0              0              0
          DNSCLIENT                          1783           1783              0
          WEB_AUTH_SERVER                      85             85              0
          UNICAST_VRRP                          0              0              0
          IPFPM                                 0              0              0
--------------------------------------------------------------------------------
1         MA-Defend                             0              0              0
--------------------------------------------------------------------------------
          FTP                                   0              0              0
          SSH                                   0              0              0
          SNMP                                  0              0              0
          TELNET                                0              0              0
          TFTP                                  0              0              0
          BGP                                   0              0              0
          LDP                                   0              0              0
          RSVP                                  0              0              0
          OSPF                                  0              0              0
          RIP                                   0              0              0
--------------------------------------------------------------------------------
1         URPF                                  0              0              0
--------------------------------------------------------------------------------
1         Tcpip-defend                       3521              2           3519
--------------------------------------------------------------------------------
          Abnormal-packet                       0              0              0
          Fragment-packet                       2              2              0
          Tcpsyn-packet                         0              0              0
          Udp-packet                         3519              0           3519
--------------------------------------------------------------------------------
2         Application-Apperceive          4881512        4881512              0
--------------------------------------------------------------------------------
          FTPSERVER                             0              0              0
          SSHSERVER                             0              0              0
          SNMP                                  0              0              0
          TELNETSERVER                          0              0              0
          TFTPCLIENT                            0              0              0
          BGP                                   0              0              0
          LDP                                   0              0              0
          RSVP                                  0              0              0
          OSPFV2                                0              0              0
          RIP                                   0              0              0
          ISIS                            2453572        2453572              0
          ICMP                                 29             29              0
          MSDP                                  0              0              0
          PIM                                   0              0              0
          DHCP                               3174           3174              0
          LACP                             578060         578060              0
          RADIUS                                0              0              0
          HWTACACS                              1              1              0
          LSPPING                               0              0              0
          IGMP                            1846676        1846676              0
          RRPP                                  0              0              0
          VRRP                                  0              0              0
          BFD                                   0              0              0
          MPLSOAM                               0              0              0
          802_1ag                               0              0              0
          DNSCLIENT                             0              0              0
          WEB_AUTH_SERVER                       0              0              0
          UNICAST_VRRP                          0              0              0
          IPFPM                                 0              0              0
--------------------------------------------------------------------------------
2         MA-Defend                             0              0              0
--------------------------------------------------------------------------------
          FTP                                   0              0              0
          SSH                                   0              0              0
          SNMP                                  0              0              0
          TELNET                                0              0              0
          TFTP                                  0              0              0
          BGP                                   0              0              0
          LDP                                   0              0              0
          RSVP                                  0              0              0
          OSPF                                  0              0              0
          RIP                                   0              0              0
--------------------------------------------------------------------------------
2         URPF                                  0              0              0
--------------------------------------------------------------------------------
2         Tcpip-defend                          7              0              7
--------------------------------------------------------------------------------
          Abnormal-packet                       0              0              0
          Fragment-packet                       0              0              0
          Tcpsyn-packet                         0              0              0
          Udp-packet                            7              0              7
--------------------------------------------------------------------------------
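As an added example (not code from the original post), a small Python parser for the `display cpu-defend ... statistics` table format shown above and in the slot-specific output in the previous post. It flags rows with drops and rows where a protocol the operator marked as not in use still received packets; the sample text is a trimmed copy of the page's own output, and the `inactive` set is an operator-supplied assumption.

```python
"""Parser for Huawei `display cpu-defend ... statistics` output (added example)."""
import re
from dataclasses import dataclass

# Constructed sample: a trimmed copy of the `display cpu-defend all statistics`
# output on this page (slot 1, Application-Apperceive and Tcpip-defend groups).
SAMPLE = """\
Slot/Intf Attack-Type               Total-Packets Passed-Packets Dropped-Packets
--------------------------------------------------------------------------------
1         Application-Apperceive         13166418       13166418              0
--------------------------------------------------------------------------------
          SNMP                                  1              1              0
          BGP                                   0              0              0
          ISIS                            7880595        7880595              0
--------------------------------------------------------------------------------
1         Tcpip-defend                       3521              2           3519
--------------------------------------------------------------------------------
          Fragment-packet                       2              2              0
          Udp-packet                         3519              0           3519
--------------------------------------------------------------------------------
"""

# A group header starts with the slot (or interface) column; a detail row is
# indented and carries only a name plus the three counters.
GROUP_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")
DETAIL_RE = re.compile(r"^\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


@dataclass
class Counter:
    slot: str
    group: str    # Application-Apperceive, MA-Defend, URPF, Tcpip-defend
    name: str     # protocol or packet class; equals `group` for the header row
    total: int
    passed: int
    dropped: int


def parse_cpu_defend(text: str) -> list:
    """Return one Counter per group header and per detail row, in output order."""
    counters = []
    slot = group = None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("-", "Slot")):
            continue  # separators and the column header
        m = GROUP_RE.match(line)
        if m:
            slot, group = m.group(1), m.group(2)
            counters.append(Counter(slot, group, group, *map(int, m.group(3, 4, 5))))
            continue
        m = DETAIL_RE.match(line)
        if m and group is not None:
            counters.append(Counter(slot, group, m.group(1), *map(int, m.group(2, 3, 4))))
    return counters


def find_anomalies(counters: list, inactive: set) -> list:
    """Flag drops, and any traffic for protocols the operator says are not in use.

    `inactive` (an assumption here) lists protocols that should be idle on this
    device; each finding is a row to follow up with `display cpu-defend car protocol`.
    """
    findings = []
    for c in counters:
        if c.name == c.group:
            continue  # group totals only repeat their detail rows
        if c.dropped:
            findings.append(f"slot {c.slot}: {c.group}/{c.name} dropped "
                            f"{c.dropped} of {c.total} packets")
        if c.name in inactive and c.total:
            findings.append(f"slot {c.slot}: {c.name} marked inactive but "
                            f"received {c.total} packets")
    return findings
```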

Ethernet frame structure – EtherType

The list of EtherType values used in Ethernet frames, as published by iana.org, is given below.

A more detailed EtherType list can be obtained from http://standards.ieee.org/develop/regauth/ethertype/eth.txt. One EtherType that stands out in that list is 804A: it is recorded as METU Computer Engineering, but if you are curious about the details, Google has no answer 🙂

Ethertype (decimal) Ethertype (hex)   Exp. Ethernet (decimal) Exp. Ethernet (octal)   Description  
0 0000-05DC IEEE802.3 Length Field
257 0101-01FF Experimental
512 200 512 1000 XEROX PUP (see 0A00)
513 201 PUP Addr Trans (see 0A01)
400 Nixdorf
1536 600 1536 3000 XEROX NS IDP
660 DLOG
661 DLOG
2048 800 513 1001 Internet Protocol version 4 (IPv4)
2049 801 X.75 Internet
2050 802 NBS Internet
2051 803 ECMA Internet
2052 804 Chaosnet
2053 805 X.25 Level 3
2054 806 Address Resolution Protocol (ARP)
2055 807 XNS Compatability
2056 808 Frame Relay ARP
2076 081C Symbolics Private
2184 0888-088A Xyplex
2304 900 Ungermann-Bass net debugr
2560 0A00 Xerox IEEE802.3 PUP
2561 0A01 PUP Addr Trans
2989 0BAD Banyan VINES
2990 0BAE VINES Loopback
2991 0BAF VINES Echo
4096 1000 Berkeley Trailer nego
4097 1001-100F Berkeley Trailer encap/IP
5632 1600 Valid Systems
22F3 TRILL
22F4 L2-IS-IS
16962 4242 PCS Basic Block Protocol
21000 5208 BBN Simnet
24576 6000 DEC Unassigned (Exp.)
24577 6001 DEC MOP Dump/Load
24578 6002 DEC MOP Remote Console
24579 6003 DEC DECNET Phase IV Route
24580 6004 DEC LAT
24581 6005 DEC Diagnostic Protocol
24582 6006 DEC Customer Protocol
24583 6007 DEC LAVC, SCA
24584 6008-6009 DEC Unassigned
24592 6010-6014 3Com Corporation
25944 6558 Trans Ether Bridging
25945 6559 Raw Frame Relay
28672 7000 Ungermann-Bass download
28674 7002 Ungermann-Bass dia/loop
28704 7020-7029 LRT
28720 7030 Proteon
28724 7034 Cabletron
32771 8003 Cronus VLN
32772 8004 Cronus Direct
32773 8005 HP Probe
32774 8006 Nestar
32776 8008 AT&T
32784 8010 Excelan
32787 8013 SGI diagnostics
32788 8014 SGI network games
32789 8015 SGI reserved
32790 8016 SGI bounce server
32793 8019 Apollo Domain
32814 802E Tymshare
32815 802F Tigan, Inc.
32821 8035 Reverse Address Resolution Protocol (RARP)
32822 8036 Aeonic Systems
32824 8038 DEC LANBridge
32825 8039-803C DEC Unassigned
32829 803D DEC Ethernet Encryption
32830 803E DEC Unassigned
32831 803F DEC LAN Traffic Monitor
32832 8040-8042 DEC Unassigned
32836 8044 Planning Research Corp.
32838 8046 AT&T
32839 8047 AT&T
32841 8049 ExperData
32859 805B Stanford V Kernel exp.
32860 805C Stanford V Kernel prod.
32861 805D Evans & Sutherland
32864 8060 Little Machines
32866 8062 Counterpoint Computers
32869 8065 Univ. of Mass. @ Amherst
32870 8066 Univ. of Mass. @ Amherst
32871 8067 Veeco Integrated Auto.
32872 8068 General Dynamics
32873 8069 AT&T
32874 806A Autophon
32876 806C ComDesign
32877 806D Computgraphic Corp.
32878 806E-8077 Landmark Graphics Corp.
32890 807A Matra
32891 807B Dansk Data Elektronik
32892 807C Merit Internodal
32893 807D-807F Vitalink Communications
32896 8080 Vitalink TransLAN III
32897 8081-8083 Counterpoint Computers
32923 809B Appletalk
32924 809C-809E Datability
32927 809F Spider Systems Ltd.
32931 80A3 Nixdorf Computers
32932 80A4-80B3 Siemens Gammasonics Inc.
32960 80C0-80C3 DCA Data Exchange Cluster
32964 80C4 Banyan Systems
32965 80C5 Banyan Systems
32966 80C6 Pacer Software
32967 80C7 Applitek Corporation
32968 80C8-80CC Intergraph Corporation
32973 80CD-80CE Harris Corporation
32975 80CF-80D2 Taylor Instrument
32979 80D3-80D4 Rosemount Corporation
32981 80D5 IBM SNA Service on Ether
32989 80DD Varian Associates
32990 80DE-80DF Integrated Solutions TRFS
32992 80E0-80E3 Allen-Bradley
32996 80E4-80F0 Datability
33010 80F2 Retix
33011 80F3 AppleTalk AARP (Kinetics)
33012 80F4-80F5 Kinetics
33015 80F7 Apollo Computer
33023 80FF Wellfleet Communications
33024 8100 Customer VLAN Tag Type (C-Tag, formerly called the Q-Tag) (initially Wellfleet)
33025 8101-8103 Wellfleet Communications
33031 8107-8109 Symbolics Private
33072 8130 Hayes Microcomputers
33073 8131 VG Laboratory Systems
33074 8132-8136 Bridge Communications
33079 8137-8138 Novell, Inc.
33081 8139-813D KTI
8148 Logicraft
8149 Network Computing Devices
814A Alpha Micro
33100 814C SNMP
814D BIIN
814E BIIN
814F Technically Elite Concept
8150 Rational Corp
8151-8153 Qualcomm
815C-815E Computer Protocol Pty Ltd
8164-8166 Charles River Data System
817D XTP
817E SGI/Time Warner prop.
8180 HIPPI-FP encapsulation
8181 STP, HIPPI-ST
8182 Reserved for HIPPI-6400
8183 Reserved for HIPPI-6400
8184-818C Silicon Graphics prop.
818D Motorola Computer
819A-81A3 Qualcomm
81A4 ARAI Bunkichi
81A5-81AE RAD Network Devices
81B7-81B9 Xyplex
81CC-81D5 Apricot Computers
81D6-81DD Artisoft
81E6-81EF Polygon
81F0-81F2 Comsat Labs
81F3-81F5 SAIC
81F6-81F8 VG Analytical
8203-8205 Quantum Software
8221-8222 Ascom Banking Systems
823E-8240 Advanced Encryption Syste
827F-8282 Athena Programming
8263-826A Charles River Data System
829A-829B Inst Ind Info Tech
829C-82AB Taurus Controls
82AC-8693 Walker Richer & Quinn
8694-869D Idea Courier
869E-86A1 Computer Network Tech
86A3-86AC Gateway Communications
86DB SECTRA
86DE Delta Controls
86DD Internet Protocol version 6 (IPv6)
34527 86DF ATOMIC
86E0-86EF Landis & Gyr Powers
8700-8710 Motorola
34667 876B TCP/IP Compression
34668 876C IP Autonomous Systems
34669 876D Secure Data
8808 IEEE Std 802.3 – Ethernet Passive Optical Network (EPON)
880B Point-to-Point Protocol (PPP)
880C General Switch Management Protocol (GSMP)
8847 MPLS
8848 MPLS with upstream-assigned label
8861 Multicast Channel Allocation Protocol (MCAP)
34915 8863 PPP over Ethernet (PPPoE) Discovery Stage
34916 8864 PPP over Ethernet (PPPoE) Session Stage
34958 888E IEEE Std 802.1X – Port-based network access control
34984 88A8 IEEE Std 802.1Q – Service VLAN tag identifier (S-Tag)
8A96-8A97 Invisible Software
34997 88B5 IEEE Std 802 – Local Experimental Ethertype
34998 88B6 IEEE Std 802 – Local Experimental Ethertype
34999 88B7 IEEE Std 802 – OUI Extended Ethertype
35015 88C7 IEEE Std 802.11 – Pre-Authentication (802.11i)
35020 88CC IEEE Std 802.1AB – Link Layer Discovery Protocol (LLDP)
35045 88E5 IEEE Std 802.1AE – Media Access Control Security
35061 88F5 IEEE Std 802.1Q – Multiple VLAN Registration Protocol (MVRP)
35062 88F6 IEEE Std 802.1Q – Multiple Multicast Registration Protocol (MMRP)
35085 890D IEEE Std 802.11 – Fast Roaming Remote Request (802.11r)
35095 8917 IEEE Std 802.21 – Media Independent Handover Protocol
35113 8929 IEEE Std 802.1Qbe – Multiple I-SID Registration Protocol
35131 893B TRILL Fine Grained Labeling (FGL)
35136 8940 IEEE Std 802.1Qbg – ECP Protocol (also used in 802.1BR)
35142 8946 TRILL RBridge Channel
35143 8947 GeoNetworking as defined in ETSI EN 302 636-4-1
36864 9000 Loopback
36865 9001 3Com(Bridge) XNS Sys Mgmt
36866 9002 3Com(Bridge) TCP-IP Sys
36867 9003 3Com(Bridge) loop detect
65280 FF00 BBN VITAL-LanBridge cache
FF00-FF0F ISC Bunker Ramo
65535 FFFF Reserved
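As an added example (not part of the original post), a Python decoder that walks an Ethernet header to the real EtherType using values from the table above: C-Tag 8100 and S-Tag 88A8 are skipped as VLAN tags, 0000-05DC is treated as an 802.3 length field, and the remaining value is looked up. The frames are constructed byte strings, not captures; tooling that reads the type at a fixed offset 12 misses everything behind a tag.

```python
"""Walk Ethernet VLAN tags to the payload EtherType (added example)."""
import struct

# EtherTypes this example knows; values taken from the IANA table above.
ETHERTYPES = {
    0x0800: "IPv4",
    0x0806: "ARP",
    0x8035: "RARP",
    0x86DD: "IPv6",
    0x8847: "MPLS",
    0x88CC: "LLDP",
    0x88E5: "MACsec",
}
TAG_TYPES = {0x8100: "C-Tag", 0x88A8: "S-Tag"}


def decode_ethertype(frame: bytes) -> dict:
    """Return the payload EtherType, the tag stack and VLAN IDs, and the payload offset.

    A type field of 0x0000-0x05DC is an IEEE 802.3 length, not an EtherType
    (first row of the table), so it is reported as such rather than looked up.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset = 12                      # destination MAC (6) + source MAC (6)
    tags, vlans = [], []
    while True:
        (etype,) = struct.unpack_from("!H", frame, offset)
        if etype not in TAG_TYPES:
            break
        if len(frame) < offset + 6:  # tag TCI + next type field must be present
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append(TAG_TYPES[etype])
        vlans.append(tci & 0x0FFF)   # low 12 bits of the TCI are the VLAN ID
        offset += 4                  # each tag is 4 bytes
    if etype <= 0x05DC:
        protocol = "802.3-length"
    else:
        protocol = ETHERTYPES.get(etype, "unknown")
    return {"ethertype": etype, "protocol": protocol, "tags": tags,
            "vlans": vlans, "payload_offset": offset + 2}


def build_frame(payload_type: int, vlans=()) -> bytes:
    """Construct a test frame: broadcast dst, made-up src, then (tag type, vid) pairs."""
    hdr = bytes.fromhex("ffffffffffff") + bytes.fromhex("021122334455")
    for tag_type, vid in vlans:
        hdr += struct.pack("!HH", tag_type, vid & 0x0FFF)
    return hdr + struct.pack("!H", payload_type) + b"\x00" * 46
```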

Blocking SSH from an IP block with an Alcatel SR OS CPM filter

If we want to close SSH access to a specific IP block, we can do it through the cpm-filter.

*A:alcatel_sros>config>sys>security# cpm-filter
*A:alcatel_sros>config>sys>security>cpm-filter# ip-filter
*A:alcatel_sros>config>sys>sec>cpm-filter>ip-filter# entry 10 create
*A:alcatel_sros>cfg>sys>sec>cpm>ip-filter>entry# action drop
*A:alcatel_sros>cfg>sys>sec>cpm>ip-filter>entry# match protocol tcp dst-port 22 65535
*A:alcatel_sros>cfg>sys>sec>cpm>ip-filter>entry# match src-ip 10.10.10.0/24	
*A:alcatel_sros>cfg>sys>sec>cpm>ip-filter>entry# exit
*A:alcatel_sros>cfg>sys>sec>cpm-filter>ip-filter# exit	

*A:alcatel_sros>config>sys>security>cpm-filter#info 
----------------------------------------------	
                    entry 10 create
                        action drop
                        match protocol tcp
                            dst-port 22 65535
                            src-ip 10.10.10.0/24
                        exit
                    exit
----------------------------------------------		

What was done here: a filter was created with entry id 10, closing TCP port 22 (the port SSH uses) to the 10.10.10.0/24 block. The action line accepts the parameters accept, drop and queue. The match section follows a simple logic; for more detail it is worth consulting Alcatel's SR OS documentation.

SR OS evaluates entries in order of entry id, so if you do not want to renumber your entries often, it pays to make a numbering plan up front.
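As an added example (not Alcatel's code and not from the original post), a small Python model of that first-match-by-entry-id evaluation, using the entry from the page. The default action for traffic that matches no entry is an assumption of the model; the port mask handling treats `22 65535` as an exact match on port 22.

```python
"""First-match model of SR OS cpm-filter ip-filter evaluation (added example)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(order=True)
class Entry:
    """One `entry <id> create` block; ordering compares entry_id only."""
    entry_id: int
    action: str = field(compare=False)                    # accept | drop | queue
    protocol: Optional[str] = field(default=None, compare=False)
    dst_port: Optional[Tuple[int, int]] = field(default=None, compare=False)  # (port, mask)
    src_ip: Optional[str] = field(default=None, compare=False)                # prefix

    def matches(self, proto: str, dport: int, src: str) -> bool:
        if self.protocol and self.protocol != proto:
            return False
        if self.dst_port:
            port, mask = self.dst_port
            # `dst-port 22 65535` on the page: mask 65535 means exact port 22.
            if (dport & mask) != (port & mask):
                return False
        if self.src_ip and ip_address(src) not in ip_network(self.src_ip):
            return False
        return True


def evaluate(entries, proto, dport, src, default_action="accept"):
    """Walk entries in ascending entry id; the first match decides the action.

    Returns (action, entry_id), or (default_action, None) when nothing matches.
    The default action is an assumption of this model, not taken from the page.
    """
    for entry in sorted(entries):
        if entry.matches(proto, dport, src):
            return entry.action, entry.entry_id
    return default_action, None


# The filter from the page: entry 10 drops TCP/22 from 10.10.10.0/24.
PAGE_FILTER = [Entry(10, "drop", "tcp", (22, 65535), "10.10.10.0/24")]

# Constructed scenario: a later "permit the management /16" entry is given a
# lower id than 10 and silently shadows the SSH block above.
SHADOWED = PAGE_FILTER + [Entry(5, "accept", "tcp", None, "10.10.0.0/16")]
# The same entry with a higher id leaves the block effective.
PLANNED = PAGE_FILTER + [Entry(20, "accept", "tcp", None, "10.10.0.0/16")]
```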
