Firewall out of control: How do network administrators track down spoofed IP addresses?

Source: Internet
Author: User

One day the firewall's performance monitor suddenly showed something wrong: the connection count, which normally ranged from to every day, kept changing between and, and today it continues to hover around. Because of this anomaly I immediately opened "Connection information" under the firewall's "Real-time Monitoring" and found a port carrying a large number of abnormal packets. Their characteristics: every destination IP address was the same (202.101.180.36), while the source IP addresses changed constantly, the changes followed an obvious pattern, and none of them were internal addresses of our organization.

From experience, this pattern shows that the source IP address is being generated automatically by a program. We now need to find out which computer on the network is sending packets with a forged source IP address.

Tracing it on the switch

Because every IP address in our organization is bound to a MAC address and a switch port, the computer sending these packets must belong to a legitimate user. One scenario is that the user is running a hacking tool to attack others and keeps changing the source IP address to hide the real one. Another is that the user's computer is infected with a virus that automatically sends large numbers of packets while rotating the source IP address. Either way, the real IP address of the machine sending all this traffic has to be found quickly.

Given the firewall's position and role, and after discussing it with the firewall vendor's technical staff, it was clear that the real address of the machine could not be determined on the firewall itself, so the search had to move to the layer-3 switch, a Cisco 6509. After checking the documentation I made the following configuration on the 6509:

! log every packet sent to the target, together with the input interface and source MAC
access-list 101 permit ip any host 202.101.180.36 log-input
! let all other traffic through unchanged
access-list 101 permit ip any any
! the ACL only logs once it is applied inbound on the interface facing the users,
! with "ip access-group 101 in" (not shown on the original page)


202.101.180.36 is the destination address mentioned above. log-input means "Log matches against this entry, including input interface": every packet matching this entry is logged together with the interface it arrived on and its source MAC address, which is exactly what we need to identify the sender.

Entering the "sh log" (show logging) command gives the following output.

Syslog logging: enabled (0 messages dropped, 8 messages rate-limited, 0 flushes, 0 overruns)
    Console logging: level debugging, 20239 messages logged
    Monitor logging: level debugging, 0 messages logged
    Buffer logging: level debugging, 20245 messages logged
    Exception Logging: size (4096 bytes)
    Trap logging: level informational, 20269 message lines logged

Log Buffer (8192 bytes):
01.180.36 (0), 1 packet
16w6d: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 245.206.1.197 (0) (Vlan101 5254.ab21.e77a) -> 202.101.180.36 (0), 1 packet
16w6d: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 245.206.1.198 (0) (Vlan101 5254.ab21.e77a) -> 202.101.180.36 (0), 1 packet
16w6d: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 245.206.1.199 (0) (Vlan101 5254.ab21.e77a) -> 202.101.180.36 (0), 1 packet
16w6d: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 245.206.1.200 (0) (Vlan101 5254.ab21.e77a) -> 202.101.180.36 (0), 1 packet
Disabling the computer's port

From the output above we can clearly see the VLAN (Vlan101) and the MAC address (5254.ab21.e77a) of the computer generating the forged addresses: the source IP increments with every packet, but the input interface and the source MAC stay the same. With our network management software we immediately looked up the real IP address, user name, department and switch port registered for that MAC. We then logged on to the layer-2 switch the computer is connected to and shut down its port; the connection count monitored on the firewall returned to normal at once.
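The same reasoning (one source MAC, many changing source IPs that are not ours) can be automated over the log-input output instead of read by eye. The script below is an added example, not part of the original article; the log lines are constructed in the standard IOS %SEC-6-IPACCESSLOGP layout, and the internal prefix 10.0.0.0/8 is an assumed placeholder for the organization's own address range.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the %SEC-6-IPACCESSLOGP format: one MAC on Vlan101 sending
# from incrementing forged addresses, plus one ordinary host for contrast.
SAMPLE_LOG = """\
16w6d: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 245.206.1.197(0) (Vlan101 5254.ab21.e77a) -> 202.101.180.36(0), 1 packet
16w6d: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 245.206.1.198(0) (Vlan101 5254.ab21.e77a) -> 202.101.180.36(0), 1 packet
16w6d: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 245.206.1.199(0) (Vlan101 5254.ab21.e77a) -> 202.101.180.36(0), 1 packet
16w6d: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 245.206.1.200(0) (Vlan101 5254.ab21.e77a) -> 202.101.180.36(0), 1 packet
16w6d: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.1.1.20(3456) (Vlan101 0011.2233.4455) -> 202.101.180.36(80), 12 packets
"""

# Hypothetical internal prefix of the organization (assumption, not from the page).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) \((?P<iface>\S+) (?P<mac>[0-9a-f.]+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

def parse_entries(text):
    """Parse log-input entries into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            e = m.groupdict()
            e["count"] = int(e["count"])
            entries.append(e)
    return entries

def is_internal(src):
    """True when the source address belongs to one of our own prefixes."""
    return any(ipaddress.ip_address(src) in net for net in INTERNAL_NETS)

def find_spoofing_hosts(entries, min_distinct=3):
    """Group by (input interface, source MAC). A real host keeps one source
    address; a MAC seen with many distinct source IPs is forging them.
    Returns [(iface, mac, distinct_src_count, all_foreign)] sorted by count."""
    seen = defaultdict(set)
    for e in entries:
        seen[(e["iface"], e["mac"])].add(e["src"])
    hits = []
    for (iface, mac), ips in seen.items():
        if len(ips) >= min_distinct:
            hits.append((iface, mac, len(ips), all(not is_internal(ip) for ip in ips)))
    return sorted(hits, key=lambda h: -h[2])
```

The (iface, mac) pair returned is what you then look up in the MAC/port binding records to find the physical switch port to shut down.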

After contacting the user, it was confirmed that the computer was infected with a trojan.
