Router fault handling is part of a network administrator's daily work, so how should it be done? Here is a specific example of router troubleshooting that we hope will help you.
Cause of the router fault:
A medium-sized enterprise near the author reported a network failure. The main symptoms reported by the administrator were: the company network was slow, with noticeable delay; logging on to the server got no response for a long time, and timeouts were frequent. The author's preliminary judgment was that abnormal data streams were present in the network, because the indicator lights on the network's switches and routers were bright and flashing constantly.
Network environment:
The company intranet is divided into VLANs on a layer-3 switch and connected to the Internet through a router; the network has about 200 PCs.
Analysis of the causes of the router fault:
The author assisted with the analysis of the enterprise's network failure. Since the company's network management was loose and the network deployment not tight enough, the network might be subject to ARP spoofing: an ARP storm would swallow network bandwidth and slow down network response.
Because the company has a large number of hosts, checking them one by one manually would be troublesome, so we decided to use network analysis software to find the faulty host. After configuring port mirroring, the author installed the network analysis software on a notebook, connected it to the mirror port of the company's core switch, and started capturing packets. After 30 minutes the capture was stopped and analysis began. Looking through the large amount of captured data, the author's first impression was that the company's network might be infected with a worm that was infecting other hosts and generating a data storm, degrading network performance.
I first looked at the diagnostics view and found that the number of TCP repeated connection attempts shown there had reached 31,126. This is not a normal situation. To find more evidence, the author sorted the "Endpoint View" by number of network connections and found that the host with IP 10.8.24.11 ranked at the top.
At this point the author decided to locate and analyze that host. Viewing its TCP connections in the session view showed that every one of them was a connection initiated by this host to port 445 of the destination host. This confirmed the author's guess: the host might be infected with a worm, and the virus was trying to infect other hosts. Then, in "Summary Statistics", the author examined the TCP packet statistics of host 10.8.24.11 and found that in 30 minutes 12 seconds the host had sent a total of 29,622 TCP SYN packets, while its FIN and RST packets numbered 3,253 and 1,387 respectively. Combined with the connection analysis above, the author was essentially certain that the host was infected with a worm.
Router fault handling scheme:
The host with IP 10.8.24.11 was infected with a worm, which automatically established connections to TCP port 445 on other hosts over the network in an attempt to infect them. This seriously wasted network resources and degraded the overall performance of the network; in severe cases it could infect large areas of the network and paralyze every host on it. The author isolated host 10.8.24.11 from the network, removed the virus, and returned the host to the network once it was clean.
Router troubleshooting, the problem recurs:
The author originally thought the problem had been resolved, but less than a day later the company's network management staff reported that the company's network throughput was unstable. Although it was not stagnating for long periods as it had the last time, network congestion and slow speeds appeared very regularly during office hours.
Analysis again:
The author again captured packets with the network analysis software at the network's central node, this time for 20 minutes. The analysis showed a large data flow coming from the external network through the router to a host with MAC address 00-0A-E6-98-84-B7; this stream accounted for more than 80% of the incoming data from the extranet. The author located this host in the MAC address list compiled by the administrator: it was a file server, mainly used for internal file sharing within the enterprise. Why would extranet data be forwarded to this server? The author immediately checked the server, and the result surprised the enterprise's administrators: this file server had been configured as a proxy host!
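The two checks the author performed by eye, the fan-out of SYN packets from one source to port 445 in the first case and the share of inbound bytes per destination MAC in the second, can be scripted over a capture export. This is an added example, not the article's analysis software; the record layout, the file server IP 10.8.1.5 and all traffic volumes are constructed sample data.

```python
"""Two checks the analysis above did by eye, scripted over a capture export."""
from collections import Counter, defaultdict

# Constructed sample records shaped like a capture export (not the article's data).
# Record: (src_ip, dst_ip, dst_port, tcp_flag, dst_mac, direction, length)
SYN, ACK, FIN = "S", "A", "F"
FILE_SERVER_IP = "10.8.1.5"  # assumed address for the file server in the sample

def build_sample():
    pkts = []
    # Worm-like behaviour: SYN-only probes from 10.8.24.11 to port 445 on 60 hosts
    for h in range(1, 61):
        pkts.append(("10.8.24.11", f"10.8.24.{100 + h}", 445, SYN, "00-11-22-33-44-55", "lan", 62))
    # Normal client: one complete SMB session with the file server
    for flag in (SYN, ACK, ACK, FIN):
        pkts.append(("10.8.24.20", FILE_SERVER_IP, 445, flag, "00-0A-E6-98-84-B7", "lan", 1200))
    # Inbound Internet traffic, mostly to the file server's MAC via router port forwarding
    for _ in range(40):
        pkts.append(("203.0.113.9", FILE_SERVER_IP, 8080, ACK, "00-0A-E6-98-84-B7", "in", 1500))
    for _ in range(5):
        pkts.append(("198.51.100.3", "10.8.24.20", 80, ACK, "00-11-22-33-44-66", "in", 900))
    return pkts

def syn_scan_suspects(pkts, port=445, min_syn=20, min_targets=10):
    """Return {src_ip: (syn_count, distinct_targets)} for sources whose SYN-only
    traffic to `port` fans out across many hosts, the signature of a worm scan."""
    syns, targets = Counter(), defaultdict(set)
    for src, dst, dport, flag, _mac, _direction, _length in pkts:
        if dport == port and flag == SYN:
            syns[src] += 1
            targets[src].add(dst)
    return {s: (n, len(targets[s])) for s, n in syns.items()
            if n >= min_syn and len(targets[s]) >= min_targets}

def inbound_share_by_mac(pkts):
    """Return {dst_mac: fraction of all inbound bytes}, largest share first."""
    by_mac = Counter()
    for *_, mac, direction, length in pkts:
        if direction == "in":
            by_mac[mac] += length
    total = sum(by_mac.values())
    return {m: b / total for m, b in by_mac.most_common()} if total else {}

if __name__ == "__main__":
    sample = build_sample()
    print("possible worm scanners:", syn_scan_suspects(sample))
    for mac, share in inbound_share_by_mac(sample).items():
        print(f"{mac}: {share:.1%} of inbound bytes")
```

On the sample, 10.8.24.11 is the only source flagged (60 SYNs to 60 distinct hosts), and the file server's MAC receives about 93% of inbound bytes, the same kind of skew the author saw in the real capture.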
Had this file server been hacked? It was not that simple: why would an intruder configure it as a proxy server? Was it only this server that had been compromised, or had the router been compromised as well? The author logged into the router with the administrator account and found that someone had changed its settings: many ports were being forwarded to the file server.
Now the cause was clear: someone had hacked the file server and configured it as a proxy server, then used the administrator password to take control of the router and set up port forwarding so that external network data was forwarded to the file server. Finally, they set their own hosts to use this proxy to reach the Internet, using peer-to-peer software to download large files, watch movies and play games, which caused the network congestion.
So why did the intruder do this? The enterprise stipulates that employees may not connect to the Internet, and network management enforces this with restrictions on the router. Evidently an employee was using this route to get onto the Internet during working hours. But how did he gain control of the router? The author learned that the router was using the default username, and that the password was a combination of letters and digits, namely the administrator's name and telephone number. Apparently the intruder obtained the router's password through social engineering and then took control of the router.
The final solution of the router fault:
The next step was to find the intruder, and the author's method was once again network analysis software. The author first disabled the file server's file sharing function to simplify the capture, then set up the network monitoring software and lay in wait. It did not take long for the software to collect a lot of data. By analyzing it, the author quickly identified a few suspicious MAC addresses and used the MAC address list to find the corresponding hosts. Then I restored the file server's sharing function, removed the proxy, and set a new complex password on the router.
Later, the author learned that it was indeed an employee of the company who had broken into the file server and the router and changed their settings, and who had then told several friends to use the proxy to access the Internet.
Router fault handling summary:
Although both of these cases were router-related, their problems were in fact caused by human factors. Therefore, as network administrators, we must protect the key components of the network and set strong passwords. In addition, when solving network failures, using network analysis software flexibly can have a multiplier effect.
That concludes the introduction to this router fault handling example; we hope it helps you understand and master the way of thinking behind router fault handling.