Make good use of switch management functions to "hunt down" network viruses

Source: Internet
Author: User

[Bkjia.com exclusive article] To improve network management efficiency, larger LANs are now commonly built on layer-3 switching technology, which not only raises packet-forwarding efficiency but also lets us make full use of the switch's powerful management functions to manage the network more efficiently. However, LANs are prone to ARP attacks. Once such a virus strikes, how can we quickly "hunt down" the ARP virus? Most network administrators would probably turn to professional network management tools to solve this kind of problem. In fact there is no need to look so far afield: the powerful management functions of a layer-3 switch let us "hunt down" an ARP virus quickly by hand. Taking the common H3C brand's S8500 series routing switch as the working example, this article reconstructs in detail the process of manually "hunting down" an ARP virus.

Network running status

A building houses more than 50 organizational units spread across its 18 floors; some floors have only one unit, while others have three or four. Every unit has its own virtual working subnet (VLAN) and can only reach the Internet through the building LAN's H3C S8500 core routing switch. The virtual working subnets cannot reach one another, which effectively contains broadcast storms and stops viruses spreading across a wide area, helping keep the building network stable. The network structure of the whole building is also clear: every unit's computers connect over twisted-pair cable to the layer-2 switch on their floor, and every layer-2 switch connects to the LAN's core switch over optical fiber.

In normal operation the building's network administrator regularly uses the core switch's scanning and diagnostic functions to monitor the traffic on each fiber switch port. Whenever a port's inbound and outbound traffic both exceed 1000 Mb/s, the administrator assumes the virtual working subnet behind that fiber port is malfunctioning. To stop the anomaly from endangering the whole building's network, the administrator immediately uses the switch's "shutdown" command to temporarily disable the fiber port with abnormal traffic, then uses the records created when the network was built to identify the layer-2 switch with abnormal traffic, scans its ordinary Ethernet ports the same way, and finally finds the cause of the traffic anomaly.

Suspected virus attack

However, a recent network fault left the building's network administrator quite frustrated, because the usual troubleshooting method could not find the specific cause. It began first thing yesterday morning, when a user on the sixth floor called to report a network fault. The administrator asked when he had lost Internet access, and he replied that it had just happened. Network administrators are used to fault reports of this kind; in many cases the cause lies with the client system itself, for example a poorly seated network cable, an IP address suddenly taken by another machine, a problem in the client operating system, or a network virus attack. But just as the administrator was about to walk the user through these possible causes one by one, several more fault calls came in, all saying their computers had suddenly lost Internet access; asking around among other users on the fourth floor confirmed that their computers had the same fault.

These successive fault calls made the administrator instinctively conclude that the whole fourth floor had lost Internet access, and that the client systems themselves were certainly not the cause. By the usual analysis, the most likely explanation was a problem with the fourth floor's layer-2 switch. So the administrator immediately logged on to the management system of the building LAN's core switch and ran the "dis dia" command from the system's global configuration view to check whether any fiber switch port was in an abnormal state. After a few minutes of scanning and diagnosis, however, the administrator found no abnormal port: the fiber ports connecting to the switches on every floor were all in the "up" state (Figure 1). So why could nobody on the fourth floor access the Internet?

Figure 1

If the fourth-floor switch's uplink ports were working normally, why could none of the virtual working subnets on that switch reach the Internet? The administrator considered that the switch's cache might have become corrupted, causing it to report false status information; a switch that has been running for a long time is quite prone to cache overflow errors. For such failures we usually have to restart the switch to restore the cache to normal. But when the administrator went to the fourth-floor switch, cut its power, reconnected it a moment later and let the switching system restart, every user on the fourth floor still could not access the Internet, so the fault clearly had nothing to do with the switch's cache. Could there be a problem with the individual ports of the fourth-floor switch? Although this is theoretically possible, the administrator logged on to the target switch's management system over the control cable supplied with it and ran "dis inter e0/x" from the global configuration view to check each switch port in turn; all were working normally, with no abnormal port traffic and no port in the "down" state. Evidently the fourth floor's loss of Internet access had nothing to do with the switch's ports either.

Having ruled out the above factors, the administrator re-analyzed the fault and saw one more possible reason for an entire floor losing Internet access at once: a virtual working subnet on the fourth floor might be infected with a network virus, specifically an ARP virus. All users in the affected virtual working subnet used to reach the Internet directly through the LAN gateway; now their traffic was being forwarded through the host infected with the ARP virus, so naturally a large area could not get online.

Manual virus removal

The fault looked like an ARP virus attack. The administrator reckoned that a computer attached to the fourth-floor switch was infected with the ARP virus, leaving every user in the same virtual working subnet as the infected machine unable to access the Internet at the same time. But many computers hang off the fourth-floor switch; which one was infected? Scanning and disinfecting every computer on the fourth floor by the conventional method would be an enormous job, and troubleshooting that way is far too inefficient.

Reading the S8500 series routing switch operation manual, the administrator found that the device's "dis dia" command can scan the virtual working subnet in which a computer's IP address conflicts with the LAN gateway address and report the physical (MAC) address of the network card of the computer that conflicts with that address. From this the administrator reasoned that, since the S8500 series routing switch can automatically scan for and identify the network card address that conflicts with the gateway address, when an ARP virus is in the LAN we need only scan all the switch ports to find the physical address of the network card of the computer infected with the ARP virus, and then identify the infected computer by consulting the records created when the network was built.

To do this, the administrator immediately used HyperTerminal to log on remotely to the management system of the building LAN's core switch with super-user privileges, ran the commands "language-mode chinese" and "system" in turn to switch the system into the Chinese configuration mode, typed the "dis dia" command and pressed Enter. The system prompts "this operation may take several minutes, continue? [Y/N]". Before typing y, you must also click "Transfer" / "Capture Text" in the HyperTerminal window and set a text file in which to save the scan results; after typing y, the core switch automatically saves the scan results for every switch port into the pre-configured text file.

When the scan finished, the administrator opened the text file holding the results and, after a careful search, found a line similar to "% 2009/11/12 09:46:14 YCXZ_W_P8512 ARP/4/DUPIFIP: Slot = 2; IP address 10.176.9.1 conflicts with the VLAN10 interface address; the MAC address of the conflicting device is 0016-9612-a22f" (Figure 2). This message tells us clearly that a computer in VLAN10 is infected with the ARP virus and that the physical address of its network card is 0016-9612-a22f; it is this infected computer that is preventing every computer in VLAN10 from accessing the Internet normally.

Figure 2

Locate the virus location

Having confirmed that an ARP virus was the reason every user on the fourth floor could not access the Internet, the administrator's next step was to find the specific infected computer, isolate it from the network, and have its user remove the virus promptly. To locate it, the administrator first checked the records made when the network was built to see which switch VLAN10 was configured on; the result showed that VLAN10 was on the floor switch with the IP address 10.176.0.113.

Having found the switch in question, the administrator immediately telnetted to its management system and entered the system's global configuration mode. From there, typing the command "dis mac" and pressing Enter lists the network card physical addresses of every online computer connected to the switch. After careful comparison the administrator found that the infected computer with MAC address 0016-9612-a22f was on the switch's Ethernet port 9.

To remove this port's effect on Internet access for the whole virtual working subnet, the administrator first ran "inter e0/9" to enter the view for Ethernet port 9, then ran "shutdown" to temporarily disable the port (Figure 3). With the infected computer's port closed, the administrator tested the fourth-floor network and found that every computer could reach the Internet again, proving that the earlier large-scale failure had been caused by the infected computer with MAC address 0016-9612-a22f.

Figure 3

Returning to the faulty switch and checking the label on Ethernet port 9, the administrator found that the port led to room 406, so the computer in room 406 was evidently infected with the network virus. The administrator immediately phoned the user in that room to tell him the ARP virus had to be scanned for and removed as soon as possible. Once the user had cleared the virus, the administrator re-enabled the switch port and ran the port scan on the core switch again; this time no address-conflict message appeared. Evidently the network virus on the computer in room 406 had been cleared, and Internet access throughout the building was restored.
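As an added example (not from the original article), a small Python script that automates the two lookups the administrator did by hand: pulling the DUPIFIP address-conflict alarm out of the captured "dis dia" text, and finding the reported MAC address in the floor switch's "dis mac" table to get the port to shut down. The sample capture and MAC table are constructed; the alarm wording is an English approximation of the page's translated log, and the real H3C message text and table layout may differ.

```python
import re

# Constructed sample of a HyperTerminal capture of "dis dia" on the core switch;
# the alarm wording approximates the page's translated log and may differ on a real device.
CAPTURE_TEXT = """\
%2009/11/12 09:46:01 YCXZ_W_P8512 SHELL/5/LOGIN: admin login from console
%2009/11/12 09:46:14 YCXZ_W_P8512 ARP/4/DUPIFIP: Slot=2; IP address 10.176.9.1 \
conflicts with interface address of VLAN10, MAC address of conflicting device is 0016-9612-a22f
"""

# Constructed sample of "dis mac" output on the floor switch (10.176.0.113).
MAC_TABLE_TEXT = """\
MAC ADDR        VLAN ID  STATE    PORT INDEX    AGING TIME(s)
0016-9612-a22f  10       Learned  Ethernet0/9   AGING
0011-2233-4455  10       Learned  Ethernet0/3   AGING
00e0-fc12-3456  20       Learned  Ethernet0/14  AGING
"""

DUPIFIP_RE = re.compile(
    r"ARP/4/DUPIFIP:.*?IP address (?P<ip>\d+\.\d+\.\d+\.\d+).*?"
    r"(?P<vlan>VLAN\d+).*?(?P<mac>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})",
    re.IGNORECASE,
)

def find_gateway_conflicts(capture):
    """Return (ip, vlan, mac) for every DUPIFIP alarm in the captured text."""
    hits = []
    for line in capture.splitlines():
        m = DUPIFIP_RE.search(line)
        if m:
            hits.append((m["ip"], m["vlan"].upper(), m["mac"].lower()))
    return hits

def find_port_for_mac(mac_table, mac):
    """Return the port that learned `mac` in "dis mac" output, or None."""
    for line in mac_table.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) >= 4 and fields[0].lower() == mac.lower():
            return fields[3]
    return None

def isolation_commands(port):
    """The commands the article types on the floor switch to disable the port."""
    return ["system", f"interface {port}", "shutdown"]

if __name__ == "__main__":
    for ip, vlan, mac in find_gateway_conflicts(CAPTURE_TEXT):
        port = find_port_for_mac(MAC_TABLE_TEXT, mac)
        print(f"{vlan}: {mac} claims gateway {ip}; learned on {port}")
        print("\n".join(isolation_commands(port)))
```

Run against a real capture, the script only narrows the search to a port; as in the article, the port label and the networking records still decide which room and machine to visit.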

[Bkjia.com exclusive; do not reprint without authorization. Sites that reprint this article must credit the author and state that the original source is bkjia.com, and must not modify the original content.]
