Views: 8056 | Replies: 5

[Discussion] Newly installed 5750P switch: why are there so many NFPP warnings?


Posted 2016-5-6 07:50:41 (original poster, rank: Newbie)
The old 7600 switch kept rebooting, so it was replaced with a 5750P. It no longer reboots, but with the NFPP feature enabled there is an ARP-GUARD-DETECT type warning every 30 seconds, and a great many IPs show up. Here is a section of the log:
*May  4 12:04:36: %NFPP_ARP_GUARD-4-DOS_DETECTED: Host<IP=192.168.2.98,MAC=N/A,port=Gi0/21,VLAN=31> was detected.(2016-5-4 12:4:36)
*May  4 12:05:06: %NFPP_ARP_GUARD-4-DOS_DETECTED: Host<IP=N/A,MAC=c0ee.fb05.440f,port=Gi0/21,VLAN=31> was detected.(2016-5-4 12:4:36)
*May  4 12:05:36: %NFPP_ARP_GUARD-4-SCAN: Host<IP=192.168.2.98,MAC=c0ee.fb05.440f,port=Gi0/21,VLAN=31> was detected.(2016-5-4 12:4:36)
*May  4 12:06:06: %NFPP_ARP_GUARD-4-DOS_DETECTED: Host<IP=192.168.0.77,MAC=N/A,port=Gi0/20,VLAN=11> was detected.(2016-5-4 12:5:31)
*May  4 12:06:36: %NFPP_ARP_GUARD-4-DOS_DETECTED: Host<IP=N/A,MAC=2010.7a45.ad56,port=Gi0/20,VLAN=11> was detected.(2016-5-4 12:5:31)
*May  4 12:07:06: %NFPP_ARP_GUARD-4-DOS_DETECTED: Host<IP=192.168.0.7,MAC=N/A,port=Gi0/20,VLAN=11> was detected.(2016-5-4 12:5:40)
*May  4 12:07:36: %NFPP_ARP_GUARD-4-DOS_DETECTED: Host<IP=N/A,MAC=587f.6616.9ad3,port=Gi0/20,VLAN=11> was detected.(2016-5-4 12:5:40)
*May  4 12:08:06: %NFPP_ARP_GUARD-4-SCAN: Host<IP=192.168.0.7,MAC=587f.6616.9ad3,port=Gi0/20,VLAN=11> was detected.(2016-5-4 12:5:40)
*May  4 12:09:09: %NFPP_IP_GUARD-4-DOS_DETECTED: Host<IP=192.168.2.70,MAC=N/A,port=Gi0/21,VLAN=31> was detected.(2016-5-4 12:9:9)
*May  4 12:10:51: %NFPP_IP_GUARD-4-DOS_DETECTED: Host<IP=192.168.2.70,MAC=N/A,port=Gi0/21,VLAN=31> was detected.(2016-5-4 12:10:51)
*May  4 12:17:07: %NFPP_IP_GUARD-4-DOS_DETECTED: Host<IP=192.168.2.77,MAC=N/A,port=Gi0/21,VLAN=31> was detected.(2016-5-4 12:17:7)
*May  4 12:18:30: %NFPP_IP_GUARD-4-DOS_DETECTED: Host<IP=192.168.2.70,MAC=N/A,port=Gi0/21,VLAN=31> was detected.(2016-5-4 12:18:30)
*May  4 12:19:00: %NFPP_ARP_GUARD-4-DOS_DETECTED: Host<IP=192.168.0.22,MAC=N/A,port=Gi0/20,VLAN=11> was detected.(2016-5-4 12:18:59)
*May  4 12:19:30: %NFPP_ARP_GUARD-4-DOS_DETECTED: Host<IP=N/A,MAC=84b1.53c9.e5d2,port=Gi0/20,VLAN=11> was detected.(2016-5-4 12:18:59)
*May  4 12:20:00: %NFPP_IP_GUARD-4-DOS_DETECTED: Host<IP=192.168.2.77,MAC=N/A,port=Gi0/21,VLAN=31> was detected.(2016-5-4 12:19:18)
*May  4 12:20:33: %NFPP_IP_GUARD-4-DOS_DETECTED: Host<IP=192.168.2.77,MAC=N/A,port=Gi0/21,VLAN=31> was detected.(2016-5-4 12:20:33)
*May  4 12:21:26: %NFPP_IP_GUARD-4-SCAN: Host<IP=192.168.2.77,MAC=N/A,port=Gi0/21,VLAN=31> was detected.(2016-5-4 12:21:26)
*May  4 12:21:56: %NFPP_ARP_GUARD-4-SCAN: Host<IP=192.168.2.77,MAC=6409.80ed.6adb,port=Gi0/21,VLAN=31> was detected.(2016-5-4 12:21:30)
*May  4 12:22:26: %NFPP_IP_GUARD-4-DOS_DETECTED: Host<IP=192.168.2.77,MAC=N/A,port=Gi0/21,VLAN=31> was detected.(2016-5-4 12:21:35)
*May  4 12:22:56: %NFPP_DHCP_GUARD-4-DOS_DETECTED: Host<IP=N/A,MAC=acf7.f3ec.1bd6,port=Gi0/20,VLAN=11> was detected.(2016-5-4 12:22:20)
*May  4 12:23:26: %NFPP_ARP_GUARD-4-DOS_DETECTED: Host<IP=0.0.0.0,MAC=N/A,port=Gi0/20,VLAN=11> was detected.(2016-5-4 12:22:24)
*May  4 12:23:56: %NFPP_ARP_GUARD-4-DOS_DETECTED: Host<IP=N/A,MAC=acf7.f3ec.1bd6,port=Gi0/20,VLAN=11> was detected.(2016-5-4 12:22:24)
*May  4 12:24:26: %NFPP_ARP_GUARD-4-DOS_DETECTED: Host<IP=192.168.0.8,MAC=N/A,port=Gi0/20,VLAN=11> was detected.(2016-5-4 12:22:26)
*May  4 12:24:56: %NFPP_ARP_GUARD-4-SCAN: Host<IP=N/A,MAC=acf7.f3ec.1bd6,port=Gi0/20,VLAN=11> was detected.(2016-5-4 12:22:27)
*May  4 12:25:26: %NFPP_ARP_GUARD-4-SCAN: Host<IP=0.0.0.0,MAC=acf7.f3ec.1bd6,port=Gi0/20,VLAN=11> was detected.(2016-5-4 12:23:2)
*May  4 12:25:56: %NFPP_DHCP_GUARD-4-DOS_DETECTED: Host<IP=N/A,MAC=acf7.f3ec.1bd6,port=Gi0/20,VLAN=11> was detected.(2016-5-4 12:24:13)

As you can see, at the most frequent it is one entry every half minute. Surely they can't all be virus attacks? What is this problem? How high should the warning count be set for this to count as normal?



Posted 2016-5-6 07:52:01 from mobile (Administrator)
We will arrange for an engineer to answer you as soon as possible.

Posted 2016-5-6 08:04:27 from mobile (huangqi, Junior Member)
Under interfaces 20 and 21, trace the hosts by the IPs or MACs in the log; this may be caused by an ARP attack inside the LAN. If tracing them is inconvenient, unplug the cables one by one to isolate it.
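To act on the advice above (trace the hosts behind Gi0/20 and Gi0/21 by the IP and MAC in the log), here is an added triage script. It is not from the original post or from Ruijie; it only assumes the line format the switch printed in the first post. The first nine sample lines are copied from that post; the last one is constructed so that the spoofing check has something to flag. The pairing rule (a per-IP and a per-MAC DOS_DETECTED line that share port, VLAN, guard and detection time belong to the same host) is inferred from the posted data, as is the reading of the 30-second spacing: the syslog stamps are exactly 30 s apart while the detection stamps in parentheses cluster, so the cadence looks like the log queue draining rather than a fresh attack every half minute.

```python
"""Triage helper for Ruijie NFPP guard syslog lines (added example, not vendor code)."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# One NFPP guard line as the switch printed it in the post:
# *May  4 12:04:36: %NFPP_ARP_GUARD-4-DOS_DETECTED: Host<IP=..,MAC=..,port=..,VLAN=..> was detected.(2016-5-4 12:4:36)
NFPP_RE = re.compile(
    r"\*(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d+)\s+(?P<time>\d\d:\d\d:\d\d):\s+"
    r"%NFPP_(?P<guard>[A-Z]+)_GUARD-\d-(?P<event>[A-Z_]+):\s+"
    r"Host<IP=(?P<ip>[^,]+),MAC=(?P<mac>[^,]+),port=(?P<port>[^,]+),VLAN=(?P<vlan>\d+)>"
    r"\s+was detected\.\((?P<ts>[\d\- :]+)\)"
)

# Sample input: first nine lines copied from the post; the LAST line is
# CONSTRUCTED (not from the post) so that 192.168.2.98 appears with a second MAC.
SAMPLE = """\
*May  4 12:04:36: %NFPP_ARP_GUARD-4-DOS_DETECTED: Host<IP=192.168.2.98,MAC=N/A,port=Gi0/21,VLAN=31> was detected.(2016-5-4 12:4:36)
*May  4 12:05:06: %NFPP_ARP_GUARD-4-DOS_DETECTED: Host<IP=N/A,MAC=c0ee.fb05.440f,port=Gi0/21,VLAN=31> was detected.(2016-5-4 12:4:36)
*May  4 12:05:36: %NFPP_ARP_GUARD-4-SCAN: Host<IP=192.168.2.98,MAC=c0ee.fb05.440f,port=Gi0/21,VLAN=31> was detected.(2016-5-4 12:4:36)
*May  4 12:06:06: %NFPP_ARP_GUARD-4-DOS_DETECTED: Host<IP=192.168.0.77,MAC=N/A,port=Gi0/20,VLAN=11> was detected.(2016-5-4 12:5:31)
*May  4 12:06:36: %NFPP_ARP_GUARD-4-DOS_DETECTED: Host<IP=N/A,MAC=2010.7a45.ad56,port=Gi0/20,VLAN=11> was detected.(2016-5-4 12:5:31)
*May  4 12:09:09: %NFPP_IP_GUARD-4-DOS_DETECTED: Host<IP=192.168.2.70,MAC=N/A,port=Gi0/21,VLAN=31> was detected.(2016-5-4 12:9:9)
*May  4 12:22:56: %NFPP_DHCP_GUARD-4-DOS_DETECTED: Host<IP=N/A,MAC=acf7.f3ec.1bd6,port=Gi0/20,VLAN=11> was detected.(2016-5-4 12:22:20)
*May  4 12:23:26: %NFPP_ARP_GUARD-4-DOS_DETECTED: Host<IP=0.0.0.0,MAC=N/A,port=Gi0/20,VLAN=11> was detected.(2016-5-4 12:22:24)
*May  4 12:23:56: %NFPP_ARP_GUARD-4-DOS_DETECTED: Host<IP=N/A,MAC=acf7.f3ec.1bd6,port=Gi0/20,VLAN=11> was detected.(2016-5-4 12:22:24)
*May  4 12:26:26: %NFPP_ARP_GUARD-4-SCAN: Host<IP=192.168.2.98,MAC=0011.2233.4455,port=Gi0/21,VLAN=31> was detected.(2016-5-4 12:25:0)
"""


def parse_nfpp_log(text):
    """Return one dict per NFPP guard line; both timestamps become datetimes."""
    events = []
    for line in text.splitlines():
        m = NFPP_RE.search(line)
        if not m:
            continue  # some other syslog line, skip it
        e = m.groupdict()
        e["detected_at"] = datetime.strptime(e.pop("ts"), "%Y-%m-%d %H:%M:%S")
        # the syslog prefix carries no year; borrow it from the detection stamp
        e["logged_at"] = datetime.strptime(
            f"{e['detected_at'].year} {e.pop('mon')} {e.pop('day')} {e.pop('time')}",
            "%Y %b %d %H:%M:%S")
        events.append(e)
    return events


def summarize_by_port(events):
    """Counter of 'GUARD/EVENT' per (port, vlan): shows which ports are noisy."""
    summary = defaultdict(Counter)
    for e in events:
        summary[(e["port"], e["vlan"])][f"{e['guard']}/{e['event']}"] += 1
    return summary


def pair_ip_mac(events):
    """NFPP counts per source IP and per source MAC separately, so one burst yields
    two DOS_DETECTED lines (IP=..,MAC=N/A and IP=N/A,MAC=..) that share port, VLAN,
    guard and detection time.  Joining on that key recovers the IP<->MAC binding;
    SCAN lines already carry both fields.  Returns a set of (port, ip, mac)."""
    groups = defaultdict(lambda: (set(), set()))
    for e in events:
        ips, macs = groups[(e["port"], e["vlan"], e["guard"], e["detected_at"])]
        if e["ip"] != "N/A":
            ips.add(e["ip"])
        if e["mac"] != "N/A":
            macs.add(e["mac"])
    return {(port, ips.pop(), macs.pop())
            for (port, _vlan, _guard, _ts), (ips, macs) in groups.items()
            if len(ips) == 1 and len(macs) == 1}


def spoofing_candidates(pairs):
    """IPs claimed by more than one MAC, and MACs claiming more than one IP.
    0.0.0.0 is what a host probes with before it holds a DHCP lease, so it is
    skipped instead of being counted as a spoofed address."""
    ip_to_mac, mac_to_ip = defaultdict(set), defaultdict(set)
    for _port, ip, mac in pairs:
        if ip == "0.0.0.0":
            continue
        ip_to_mac[ip].add(mac)
        mac_to_ip[mac].add(ip)
    return ({ip: sorted(m) for ip, m in ip_to_mac.items() if len(m) > 1},
            {mac: sorted(i) for mac, i in mac_to_ip.items() if len(i) > 1})


def log_lag_seconds(events):
    """Seconds between detection and the syslog write, in log order.  A lag that
    keeps growing means the switch is draining queued events, not detecting new
    ones every 30 s."""
    return [int((e["logged_at"] - e["detected_at"]).total_seconds()) for e in events]


def triage(text):
    events = parse_nfpp_log(text)
    pairs = pair_ip_mac(events)
    dup_ips, dup_macs = spoofing_candidates(pairs)
    return {"events": len(events), "by_port": summarize_by_port(events), "pairs": pairs,
            "ip_multi_mac": dup_ips, "mac_multi_ip": dup_macs,
            "max_log_lag_s": max(log_lag_seconds(events), default=0)}


if __name__ == "__main__":
    r = triage(SAMPLE)
    for (port, vlan), counts in sorted(r["by_port"].items()):
        print(port, "vlan", vlan, dict(counts))
    for port, ip, mac in sorted(r["pairs"]):
        print("binding", port, ip, mac)
    print("IP seen with several MACs:", r["ip_multi_mac"])
    print("worst syslog lag:", r["max_log_lag_s"], "s")
```

Run it against the full log from the switch (`show logging` output saved to a file and passed to `triage`) rather than the excerpt: the (port, ip, mac) bindings tell you which cable to follow, an IP listed under several MACs is the spoofing case the later reply describes, and the lag figure shows whether the half-minute cadence is a backlog or genuinely fresh detections.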

Original poster | Posted 2016-5-6 08:37:57
huangqi posted on 2016-5-6 08:04:
Under interfaces 20 and 21, trace the hosts by the IPs or MACs in the log; this may be caused by an ARP attack inside the LAN. If tracing them is inconvenient, unplug the cables one by one ...

But far too many IPs are involved; the log here is only a small part of it. My own computer is on the list too. Could these be false positives? There are two tunable parameters, rate-limit-pps and attack-threshold-pps. I set the rate to 5 and the attack threshold to 10 (originally 4 and 8), but it made little difference. I don't know what values are appropriate for these parameters.

Posted 2016-5-9 13:29:14 (Moderator)
Hello. Whether to adjust the parameters depends on whether there is a real attack on the internal network. If there isn't, they can be adjusted; but if there is a real attack, it would then no longer be detected. The default values are the best choice. If possible, first check whether the terminals have a problem, and only adjust the parameters if they don't. There are no specific recommended values for this.

Posted 2016-5-9 17:40:02 (Intermediate Member)
Since your own PC is on the list, that makes it easy: check whether it is really your PC that is sending them. If it isn't, the address is being spoofed. If it is, it can basically be judged a false positive.