VDSL users of MA5300 attached to MA5200F get offline abnormally due to attack on

Latest reply: Mar 31, 2016 06:22:51

At one site, some VDSL users of an MA5300 attached to an MA5200F (running release 7127SP08) went offline abnormally.



Created Mar 31, 2016 06:22:51

Alarm Information
On checking, the MA5200F was found to record the users as going offline because of PPP Echo Fail. A typical record:

User name : a02259816431@pppoe
User MAC : 000a-ebd3-db4d
User access type : ppp
User access slot : 0
User port type : Ethernet
User access port : 3
User access Vlan : 365
User IP address : 221.238.4.11
User ID : 137
User authen state : Authened
User acct state : AcctIdle
User author state : AuthorIdle
User acct sessionID: TianDaK050621082622e12af16400137
User login time : 2005/06/21 17:26:22
User offline time : 2005/06/21 17:30:5
User offline reason: PPP echo fail



Handling Process

Change the running mode of the MA5200F to Simple mode and reset the system. After a period of observation the failure did not recur.

Root Cause

When a user goes offline normally, the recorded offline reason is "PPP user request". Here the reason is "PPP echo fail", which means the BAS tore the session down after a keepalive timeout, not that the client disconnected.


For PPP users, the BAS must cooperate with the PPP client to track whether the user is still online, and it does so with PPP (LCP) Echo packets. While a user is online, the MA5200F sends a PPP Echo-Request every 20 seconds by default; if no reply arrives it retries three times, so a client that stays silent for about 60 seconds is taken offline with the reason PPP Echo Fail. This can happen for the following reasons:


1. The PPP client has crashed or the modem has lost power, so the client cannot answer the Echo packets;
2. The VDSL port re-synchronized (retrained), interrupting the line;
3. The Layer 2 network attached to the MA5200F port is badly designed: many users share one VLAN and the traffic in it is so heavy that the MA5200F's Echo packets are not answered within 60 seconds. This cause is ruled out here, because the MA5300 at the site assigns one VLAN per user;
4. The MA5200F is under attack and its CPU usage is so high that it lacks the resources to keep up the Echo exchange with the attached users. The system log shows the MA5200F receiving large numbers of abnormal packets on port 6, the port facing the affected site, with the following alarms:
# [06/20/2005 23:12:06-] AAA-5-02042003:
Host packet singular IP:221.238.4.14 MAC:0008-0d9e-a715 Portvlan:FE6-514
# [06/20/2005 23:04:39-] AAA-5-02042003:
Host packet singular IP:221.238.4.45 MAC:0000-f082-ed49 Portvlan:FE6-342
# [06/20/2005 23:02:12-] AAA-5-02042003:
Host packet singular IP:221.238.4.14 MAC:0008-0d9e-a715 Portvlan:FE6-514
# [06/20/2005 22:52:18-] AAA-5-02042003:
Host packet singular IP:221.238.4.14 MAC:0008-0d9e-a715 Portvlan:FE6-514
# [06/20/2005 22:42:24-] AAA-5-02042003:
Host packet singular IP:221.238.4.14 MAC:0008-0d9e-a715 Portvlan:FE6-514
# [06/20/2005 22:22:50-] AAA-5-02042003:
Host packet singular IP:221.238.4.140 MAC:0005-5d86-7f58 Portvlan:FE6-180
# [06/20/2005 22:22:35-] AAA-5-02042003:
Host packet singular IP:221.238.4.14 MAC:0008-0d9e-a715 Portvlan:FE6-514

In general, when the MA5200F runs in normal mode and is hit by virus traffic from attached users, CPU usage rises to 80%-90%, and the VDSL users on the MA5300 go offline as a result.
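As an added example (not part of the original case and not a Huawei tool), the following Python script parses alarm records in the two-line format quoted above, counts them per host and per port, and flags any host that raises several alarms inside a short window. The sample log is constructed from the seven records above; the header and body regexes, the host key and the thresholds are assumptions about the format, not documented MA5200F behaviour.

```python
"""Aggregate MA5200F 'Host packet singular' alarms to find the host generating
the abnormal traffic. Added example, not a Huawei tool; the log layout is taken
from the records quoted in the root-cause analysis and the thresholds are
assumptions.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the seven alarm records quoted above, verbatim.
ALARM_LOG = """\
# [06/20/2005 23:12:06-] AAA-5-02042003:
Host packet singular IP:221.238.4.14 MAC:0008-0d9e-a715 Portvlan:FE6-514
# [06/20/2005 23:04:39-] AAA-5-02042003:
Host packet singular IP:221.238.4.45 MAC:0000-f082-ed49 Portvlan:FE6-342
# [06/20/2005 23:02:12-] AAA-5-02042003:
Host packet singular IP:221.238.4.14 MAC:0008-0d9e-a715 Portvlan:FE6-514
# [06/20/2005 22:52:18-] AAA-5-02042003:
Host packet singular IP:221.238.4.14 MAC:0008-0d9e-a715 Portvlan:FE6-514
# [06/20/2005 22:42:24-] AAA-5-02042003:
Host packet singular IP:221.238.4.14 MAC:0008-0d9e-a715 Portvlan:FE6-514
# [06/20/2005 22:22:50-] AAA-5-02042003:
Host packet singular IP:221.238.4.140 MAC:0005-5d86-7f58 Portvlan:FE6-180
# [06/20/2005 22:22:35-] AAA-5-02042003:
Host packet singular IP:221.238.4.14 MAC:0008-0d9e-a715 Portvlan:FE6-514
"""

# Assumed layout: a '# [date-] ALARM-ID:' header line followed by the body line.
HEADER_RE = re.compile(
    r"^#\s*\[(?P<ts>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)-\]\s*(?P<alarm>\S+):\s*$")
BODY_RE = re.compile(
    r"^Host packet singular IP:(?P<ip>\S+) MAC:(?P<mac>\S+) Portvlan:(?P<pv>\S+)\s*$")


def parse_alarms(text):
    """Pair each header line with the body line that follows it."""
    records, pending = [], None
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            pending = h.groupdict()
            continue
        b = BODY_RE.match(line)
        if b and pending:
            port, _, vlan = b["pv"].partition("-")   # "FE6-514" -> port FE6, VLAN 514
            records.append({
                "time": datetime.strptime(pending["ts"], "%m/%d/%Y %H:%M:%S"),
                "alarm": pending["alarm"],
                "ip": b["ip"], "mac": b["mac"], "portvlan": b["pv"],
                "port": port, "vlan": int(vlan),
            })
            pending = None
    return records


def host_key(r):
    """Identify a source by IP, MAC and port/VLAN together, since any one can be spoofed."""
    return (r["ip"], r["mac"], r["portvlan"])


def count_by_host(records):
    return Counter(host_key(r) for r in records)


def count_by_port(records):
    return dict(Counter(r["port"] for r in records))


def noisy_hosts(records, min_count=3, window_minutes=60):
    """Hosts that raised at least min_count alarms inside any window_minutes span."""
    by_host = {}
    for r in records:
        by_host.setdefault(host_key(r), []).append(r["time"])
    flagged = []
    for key, times in by_host.items():
        times.sort()
        for i in range(len(times) - min_count + 1):
            span = times[i + min_count - 1] - times[i]
            if span.total_seconds() <= window_minutes * 60:
                flagged.append(key)
                break
    return flagged


if __name__ == "__main__":
    recs = parse_alarms(ALARM_LOG)
    print(f"{len(recs)} alarms, by port: {count_by_port(recs)}")
    for key, n in count_by_host(recs).most_common():
        print(f"{n:3d}  IP {key[0]:<15} MAC {key[1]}  {key[2]}")
    print("noisy hosts:", noisy_hosts(recs, min_count=5, window_minutes=60))
```

On the records above the script singles out 221.238.4.14 (MAC 0008-0d9e-a715, FE6 VLAN 514) with five alarms in under an hour, all on port 6; that host and VLAN are where the operator should look first, rather than at the users who were dropped.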
Solution
Suggestions

1. If services such as NAT are not in use, change the running mode of the MA5200F to Simple mode to reduce CPU usage: run the bootload simple-version command in system view, and the system comes up in Simple mode after the next reset;

2. After switching to Simple mode, configure a virus-proof ACL on the MA5200F to reduce the impact of virus and worm traffic on the system. The ACL below drops traffic to the ports abused by the worms prevalent at the time; review the port list against the traffic actually seen at the site before applying it. Detailed configuration:

acl number 3000 match-order auto
   rule 0 deny tcp destination-port eq 445
   rule 8 deny tcp destination-port eq 136
   rule 12 deny tcp destination-port eq 137
   rule 16 deny tcp destination-port eq 138
   rule 24 deny tcp destination-port eq 5800
   rule 28 deny tcp destination-port eq 5900
   rule 32 deny tcp destination-port eq 1000
   rule 36 deny tcp destination-port eq 9995
   rule 40 deny tcp destination-port eq 9996
   rule 44 deny tcp destination-port eq 5554
   rule 48 deny tcp destination-port eq 1068
   rule 52 deny udp destination-port eq netbios-ns
   rule 56 deny udp destination-port eq netbios-dgm
   rule 60 deny udp destination-port eq netbios-ssn
   rule 64 deny tcp destination-port eq 539
   rule 68 deny udp destination-port eq 445
   rule 72 deny udp destination-port eq tftp
   rule 76 deny tcp destination-port eq 4444
   rule 80 deny udp destination-port eq 6667
   rule 84 deny tcp destination-port eq 1025
   rule 88 deny tcp destination-port eq 1418
   rule 1 net-user deny tcp destination-port eq 445
   rule 9 net-user deny tcp destination-port eq 136
   rule 13 net-user deny tcp destination-port eq 137
   rule 17 net-user deny tcp destination-port eq 138
   rule 25 net-user deny tcp source-port eq 5800
   rule 29 net-user deny tcp source-port eq 5900
   rule 33 net-user deny tcp destination-port eq 1000
   rule 37 net-user deny tcp destination-port eq 9995
   rule 41 net-user deny tcp destination-port eq 9996
   rule 45 net-user deny tcp destination-port eq 5554
   rule 49 net-user deny tcp destination-port eq 1068
   rule 53 net-user deny udp destination-port eq netbios-ns
   rule 57 net-user deny udp destination-port eq netbios-dgm
   rule 61 net-user deny udp destination-port eq netbios-ssn
   rule 65 net-user deny tcp destination-port eq 539
   rule 69 net-user deny udp destination-port eq 445
   rule 73 net-user deny udp destination-port eq tftp
   rule 77 net-user deny tcp destination-port eq 4444
   rule 81 net-user deny udp destination-port eq 6667
   rule 85 net-user deny tcp destination-port eq 1025
   rule 89 net-user deny tcp destination-port eq 1418
   rule 2 user-net deny tcp destination-port eq 445
   rule 10 user-net deny tcp destination-port eq 136
   rule 14 user-net deny tcp destination-port eq 137
   rule 18 user-net deny tcp destination-port eq 138
   rule 26 user-net deny tcp destination-port eq 5800
   rule 30 user-net deny tcp destination-port eq 5900
   rule 34 user-net deny tcp destination-port eq 1000
   rule 38 user-net deny tcp destination-port eq 9995
   rule 42 user-net deny tcp destination-port eq 9996
   rule 46 user-net deny tcp destination-port eq 5554
   rule 50 user-net deny tcp destination-port eq 1068
   rule 54 user-net deny udp destination-port eq netbios-ns
   rule 58 user-net deny udp destination-port eq netbios-dgm
   rule 62 user-net deny udp destination-port eq netbios-ssn
   rule 66 user-net deny tcp destination-port eq 539
   rule 70 user-net deny udp destination-port eq 445
   rule 74 user-net deny udp destination-port eq tftp
   rule 78 user-net deny tcp destination-port eq 4444
   rule 82 user-net deny udp destination-port eq 6667
   rule 86 user-net deny tcp destination-port eq 1025
   rule 90 user-net deny tcp destination-port eq 1418
   rule 3 user-user deny tcp destination-port eq 445
   rule 11 user-user deny tcp destination-port eq 136
   rule 15 user-user deny tcp destination-port eq 137
   rule 19 user-user deny tcp destination-port eq 138
   rule 27 user-user deny tcp destination-port eq 5800
   rule 31 user-user deny tcp destination-port eq 5900
   rule 35 user-user deny tcp destination-port eq 1000
   rule 39 user-user deny tcp destination-port eq 9995
   rule 43 user-user deny tcp destination-port eq 9996
   rule 47 user-user deny tcp destination-port eq 5554
   rule 51 user-user deny tcp destination-port eq 1068
   rule 55 user-user deny udp destination-port eq netbios-ns
   rule 59 user-user deny udp destination-port eq netbios-dgm
   rule 63 user-user deny udp destination-port eq netbios-ssn
   rule 67 user-user deny tcp destination-port eq 539
   rule 71 user-user deny udp destination-port eq 445
   rule 75 user-user deny udp destination-port eq tftp
   rule 79 user-user deny tcp destination-port eq 4444
   rule 83 user-user deny udp destination-port eq 6667
   rule 87 user-user deny tcp destination-port eq 1025
   rule 91 user-user deny tcp destination-port eq 1418
Apply the ACL globally with the command: [MA5200F]access-group 3000
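An ACL this long is easy to get subtly wrong, so as an added example (not part of the original case and not a Huawei tool) here is a small Python lint that parses rule lines in the syntax shown above and reports every (protocol, port match, port) that is denied in some directions but not in all four. The excerpt embedded in the script is a constructed subset of ACL 3000, copied verbatim; the regex, the "global" name for rules without a direction keyword, and the interpretation of net-user / user-net / user-user as the three traffic directions are assumptions drawn from the page's own configuration.

```python
"""Lint the virus-proof ACL: report any (protocol, port match, port) that is
denied in some directions but not in all four. Added example, not a Huawei
tool; the rule syntax and direction keywords are read from the page's ACL and
the excerpt is a constructed subset of it.
"""
import re
from collections import defaultdict

# Constructed excerpt of ACL 3000 above (a subset of its rules, verbatim).
ACL_EXCERPT = """\
acl number 3000 match-order auto
   rule 0 deny tcp destination-port eq 445
   rule 24 deny tcp destination-port eq 5800
   rule 28 deny tcp destination-port eq 5900
   rule 52 deny udp destination-port eq netbios-ns
   rule 8 deny tcp destination-port eq 136
   rule 25 net-user deny tcp source-port eq 5800
   rule 29 net-user deny tcp source-port eq 5900
   rule 1 net-user deny tcp destination-port eq 445
   rule 53 net-user deny udp destination-port eq netbios-ns
   rule 9 net-user deny tcp destination-port eq 136
   rule 2 user-net deny tcp destination-port eq 445
   rule 26 user-net deny tcp destination-port eq 5800
   rule 30 user-net deny tcp destination-port eq 5900
   rule 54 user-net deny udp destination-port eq netbios-ns
   rule 10 user-net deny tcp destination-port eq 136
   rule 3 user-user deny tcp destination-port eq 445
   rule 27 user-user deny tcp destination-port eq 5800
   rule 31 user-user deny tcp destination-port eq 5900
   rule 55 user-user deny udp destination-port eq netbios-ns
   rule 11 user-user deny tcp destination-port eq 136
"""

# Assumption: a rule with no direction keyword applies in every direction ("global").
DIRECTIONS = ("global", "net-user", "user-net", "user-user")

RULE_RE = re.compile(
    r"^\s*rule\s+(?P<id>\d+)\s+"
    r"(?:(?P<dir>net-user|user-net|user-user)\s+)?"
    r"(?P<action>deny|permit)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<field>source-port|destination-port)\s+eq\s+(?P<port>\S+)\s*$"
)


def parse_acl(text):
    """Return one dict per 'rule' line; the acl header and anything else is skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        r = m.groupdict()
        r["id"] = int(r["id"])
        r["dir"] = r["dir"] or "global"
        rules.append(r)
    return rules


def coverage(rules):
    """Map (proto, field, port) -> {direction: rule id} over the deny rules."""
    cov = defaultdict(dict)
    for r in rules:
        if r["action"] == "deny":
            cov[(r["proto"], r["field"], r["port"])][r["dir"]] = r["id"]
    return cov


def lint_acl(rules):
    """Return {(proto, field, port): [directions with no deny rule]} for partial coverage."""
    findings = {}
    for key, dirs in coverage(rules).items():
        missing = [d for d in DIRECTIONS if d not in dirs]
        if missing:
            findings[key] = missing
    return findings


def duplicate_rule_ids(rules):
    """Rule ids that appear more than once (a later line would overwrite the earlier one)."""
    seen, dups = set(), []
    for r in rules:
        if r["id"] in seen:
            dups.append(r["id"])
        seen.add(r["id"])
    return dups


if __name__ == "__main__":
    rules = parse_acl(ACL_EXCERPT)
    print(f"{len(rules)} rules parsed, duplicate ids: {duplicate_rule_ids(rules)}")
    for (proto, field, port), missing in lint_acl(rules).items():
        print(f"{proto} {field} {port}: no deny rule for {', '.join(missing)}")
```

Run over the full ACL 3000 above, the lint reports only ports 5800 and 5900: the net-user rules (25 and 29) match source-port, while the other three directions match destination-port. Confirm that asymmetry is intended before deploying the ACL; every other port is denied identically in all four directions.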
