Core switch attack analysis: network virus denial of attack

Source: Internet
Author: User

The core switch is currently the most commonly used networking device, and its security performance is good. However, improper use can still cause problems. The Internet has its blue sky and white clouds, but it also has hidden undercurrents: if you do not pay attention, all kinds of network viruses may arrive uninvited. When a network virus attacks a LAN, Internet access speed becomes abnormal, and in severe cases the entire network may crash.

To keep the LAN running stably, we must do everything we can to stop network viruses from spreading in it. Recently I encountered a fault in which the LAN could not access the Internet. After a persistent investigation, I found that it was caused by several unknown network viruses modifying the gateway address. Here I share the detailed solution to this fault for your reference and discussion.

Fault symptom

The LAN uses ordinary floor switches of the MyPowerS3026G model to connect all the computers on the first, second, and third floors of the building. All of these floor switches are connected to the organization's core switch, and the core switch is connected to the Internet through a Tianrongxin hardware firewall. Because each switch works out of the box, the network administrator connected them directly to the LAN without any configuration. In this state, computers on all floors of the LAN can access each other, and colleagues in the organization often use the LAN for sharing and communication. At first the LAN ran very stably. Recently, for some unknown reason, none of the computers in the organization could access the Internet through the LAN, although they could still access each other normally.

Analysis and Solution

For this fault, the author first assumed that the problem must lie in the hardware firewall or the core switch, and that it had nothing to do with the Internet access settings of ordinary computers or with network cable connectivity. However, when the author disconnected all floor switches and the organization's servers and important workstations, leaving only one normal laptop connected to the core switch, the laptop could access the Internet normally. Obviously, the core switch and the hardware firewall were working normally. So where exactly was the problem?

Considering that no computer in the LAN could access the Internet, the author estimated that there might be a network loop or an ARP-like network virus. Only these factors could stop the whole LAN from accessing the Internet on such a large scale. Because troubleshooting a network loop is relatively complicated, I planned to start with the network virus factor. I immediately divided the work with employees of other units and used the latest anti-virus software to scan every ordinary workstation in turn and remove viruses. After a long battle, many viruses hidden in the LAN were indeed wiped out. We originally thought that with the viruses removed, the failure of the LAN to access the Internet would disappear by itself. However, after reconnecting all computers to the LAN, we found that the fault still existed. Was this fault really unrelated to network viruses?

Next, I checked whether there was a network loop in the LAN. After careful analysis, I reasoned that if the subnet under a switch port contains a network loop, the input and output traffic on that switch port should be very large. Based on this, the author logged in to the management system of the LAN's core switch and used the diagnostic function it provides to scan and check each switch port. The results showed that the input and output traffic of every switch port was normal, which indicated that no network loop existed.

In desperation, I picked one faulty computer and used ping, tracert, and other system commands to trace and test the LAN gateway address. The results showed that the system was looking for a gateway address that did not exist. Obviously, there was a network virus on the computer. Why had the anti-virus software not found it? After searching the Internet, I learned that there is a special kind of network virus that specifically modifies the LAN gateway address, so that the computer cannot access the Internet. In addition, this network virus can evade the "encirclement and suppression" of anti-virus software, which is why our anti-virus software did not find it. Later, after I removed the network virus following the solution provided on the Internet, the faulty computer could access the Internet normally. Using the same solution, the Internet access failures of the other computers were resolved one by one.
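The gateway check described above can be run across many workstations at once. The following is an added example, not part of the original article: it parses saved `ipconfig` output per host and flags any default gateway that differs from the expected one or lies outside the host's own subnet. The expected gateway address, host names and sample output are constructed assumptions.

```python
import ipaddress
import re

EXPECTED_GATEWAY = "192.168.10.1"  # assumption: the LAN's real gateway

FIELD = re.compile(
    r"^\s*(IPv4 Address|Subnet Mask|Default Gateway)[ .]*:\s*([\d.]*)")

def parse_ipconfig(text):
    """Return the first address, mask and gateway found in ipconfig output."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m and m.group(1) not in fields:
            fields[m.group(1)] = m.group(2)
    return fields

def check_host(text, expected=EXPECTED_GATEWAY):
    f = parse_ipconfig(text)
    gw = f.get("Default Gateway", "")
    if not gw:
        return "no default gateway"
    if not f.get("IPv4 Address") or not f.get("Subnet Mask"):
        return "incomplete output"
    net = ipaddress.ip_network(
        f"{f['IPv4 Address']}/{f['Subnet Mask']}", strict=False)
    if ipaddress.ip_address(gw) not in net:
        return f"gateway {gw} is outside {net}"
    if gw != expected:
        return f"gateway changed to {gw}"
    return "ok"

def audit(reports, expected=EXPECTED_GATEWAY):
    """Map host name -> finding for every host that is not 'ok'."""
    findings = {h: check_host(t, expected) for h, t in reports.items()}
    return {h: f for h, f in findings.items() if f != "ok"}

def _sample(ip, gw):  # constructed ipconfig excerpt
    return (f"   IPv4 Address. . . . . . . . . . . : {ip}\n"
            f"   Subnet Mask . . . . . . . . . . . : 255.255.255.0\n"
            f"   Default Gateway . . . . . . . . . : {gw}\n")

SAMPLE = {  # constructed hosts
    "pc-101": _sample("192.168.10.21", "192.168.10.1"),
    "pc-102": _sample("192.168.10.22", "192.168.10.254"),
    "pc-203": _sample("192.168.10.35", "10.0.0.1"),
}

if __name__ == "__main__":
    for host, finding in audit(SAMPLE).items():
        print(host, finding)
```
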

In-depth response

Although the fault was solved, the fact that the LAN could not stop network viruses from spreading widely was a reminder to me and my colleagues. To improve the security and stability of the network, the author decided to change the networking mode of the LAN and isolate the switch ports on each floor, thereby preventing network viruses from spreading rapidly in the LAN.

Because the MyPowerS3026G switch has 26 switch ports, I planned to use ports 25 and 26 of each floor switch to cascade to the LAN's core switch, set all other switch ports as isolation ports, and connect all ordinary computers in the organization to the isolation ports. In this way, ordinary computers in the LAN can only access the Internet through the core switch and cannot access each other, which ensures that a network virus cannot spread widely. Because there are some servers and important workstations in the LAN that ordinary users need to access, I decided to set ports 1, 2, 3, 4, 5, and 6 of the core switch as shared ports, which connect to the servers and important workstations. Ports 25 and 26 are used as uplink ports to connect to the hardware firewall in the LAN. The other switch ports are set as isolation ports and are used to connect ordinary floor switches or computers.

Based on this idea, the author used MB twisted pair wires to connect the uplink ports of the floor switches on the first, second, and third floors of the building to ports 7-24 of the core switch, connected the uplink ports of the core switch to the interfaces of the Tianrongxin hardware firewall, and connected the organization's important workstations and servers to ports 1, 2, 3, 4, 5, and 6 of the core switch, so that all ordinary computers can share access to them and all computers are located in the same network segment.

After completing the physical connections, the author used the console cable of the MyPowerS3026G switch to connect to the management system of the core switch and entered global configuration mode. In this mode, run the command "isolate-port allowed ethernet 0/0/1-6;25;26" to set ports 1, 2, 3, 4, 5, and 6 of the core switch as shared ports and ports 25 and 26 as uplink ports. Then switch to the specified network segment: for example, run the "vlan 10" command to put the switch into the VLAN 10 configuration state, then run the command "switchport interface ethernet 0/0/1-26" to configure the other switch ports of the core switch as isolation ports. Finally, execute the "exit" and "write" commands in sequence to save the configuration, and run the "reload" command to reload it. The configuration of the core switch then takes effect.

On each floor switch, run the command "isolate-port allowed ethernet 0/0/25;26" to set ports 25 and 26 as uplink ports, then run the command "switchport interface ethernet 0/0/1-26" to set all other ports as isolation ports. Finally, save and reload the switch configuration.

After the re-cabling and switch configuration above, all ordinary users in the LAN can access the Internet through the LAN and can also access the servers and important workstations in the LAN, but they cannot access other ordinary computers. The servers and important workstations, however, can access all ordinary computers. As a result, even if a network virus infects an ordinary computer in the future, it will not spread over a large area of the network; the security of the LAN is ensured and network access is smoother.
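The resulting policy can be checked before touching the switches. The following is an added example, not part of the original article or the vendor's tooling: it models the port roles described above on the floor and core switches and computes which hosts can exchange frames. The host names, their port numbers and the choice of port 25 as each floor switch's cascade port wired to core ports 7, 8 and 9 are assumptions.

```python
# Port roles as described in the article: "allowed" (shared/uplink) ports may
# exchange frames with any port; all other ports are isolated from each other.
CORE_ALLOWED = set(range(1, 7)) | {25, 26}
FLOOR_ALLOWED = {25, 26}

# Assumption: each floor switch cascades from its port 25 to one core port in 7-24.
FLOOR_UPLINK = {"floor1": 7, "floor2": 8, "floor3": 9}

def may_forward(allowed, in_port, out_port):
    """A switch forwards a frame unless both ports are isolated."""
    return in_port in allowed or out_port in allowed

def core_port(endpoint):
    """Core switch port through which this endpoint is reached."""
    switch, port = endpoint
    return port if switch == "core" else FLOOR_UPLINK[switch]

def can_reach(src, dst):
    """src and dst are (switch, port) pairs; check every switch on the path."""
    if src == dst:
        return False
    if src[0] == dst[0]:  # both hosts on the same switch
        allowed = CORE_ALLOWED if src[0] == "core" else FLOOR_ALLOWED
        return may_forward(allowed, src[1], dst[1])
    hops = [(CORE_ALLOWED, core_port(src), core_port(dst))]
    if src[0] != "core":
        hops.append((FLOOR_ALLOWED, src[1], 25))
    if dst[0] != "core":
        hops.append((FLOOR_ALLOWED, 25, dst[1]))
    return all(may_forward(*hop) for hop in hops)

HOSTS = {  # constructed placement of hosts on switch ports
    "pc-1a": ("floor1", 3),
    "pc-1b": ("floor1", 4),
    "pc-2a": ("floor2", 3),
    "server": ("core", 1),
    "firewall": ("core", 25),
}

def reachable_from(name):
    """Sorted names of all hosts that `name` can exchange frames with."""
    return sorted(other for other in HOSTS
                  if other != name and can_reach(HOSTS[name], HOSTS[other]))

if __name__ == "__main__":
    for name in HOSTS:
        print(name, "->", reachable_from(name))
```

The output shows that workstations on different floors are blocked at the core switch, where both cascade ports are isolated, while hosts on the shared ports 1-6 remain reachable from every workstation and so still need their own protection.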
 
