Zte ZXR10 2900E Series - Solution to ARP Attacks in Campus Network

To Next Page

To Previous Page

Chapter7Maintenance

Solution

TheengineersofcompanyBchangethesharedkeyto“amtium”,andtheproblemissolved

completely.

7.3.9SolutiontoARPAttacksinCampusNetwork

Symptom

ElevenaccesslayerswitchesZXR102900EinthesameVLANinastudentdormitory

buildingcannotconnectthenetwork.40%ofusersinthisbuildingfailedtoaccessthe

Internet.

FaultAnalysis

Aftercheckingthenetworkmanagementsystem,maintenanceengineersfoundthatthe

elevenswitchesweredisconnectedandfailedtobepinged.Themaintenanceengineers

arrivedattheweakelectricitywellinwhichfourswitcheswereinstalled,accessedthe

switchwhoseIPaddresswas172.168.0.123throughHyperT erminal,andfounditsCPU

usagereached93%–100%.Themaintenanceengineerscheckedthealarminformation

andcongurationinformation,butnoexceptionwasfound.Themaintenanceengineers

thenaccessedtheconvergencelayerswitchT40Gandfoundanalarm“port4receives

toomanyARPbroadcastpackets”.Aftercheckingthetrafconthisport,themaintenance

engineersfoundthatabout100,000broadcastpacketswereaddedeverytenseconds.

AfteranalyzingtheZXR102900Econnectedtotheport,themaintenanceengineersfound

thefollowingconditions:

1.Therewasaloopontheuserside.

2.Auser’scomputerwasinfectedbyavirusandsentbroadcastpacketscontinuously.

3.Auser’scomputerwasinstalledwiththeARPattacksoftwareandsentARPattack

packetscontinuously.

TheIPaddressoftheZXR102900Econnectedtotheportwas172.168.0.111.The

maintenanceengineersconnectedtheswitchthroughanetworkcableandcaptured

packets.Afteranalyzingthepackets,themaintenanceengineersfoundthatacomputer

withtheMACaddress“00:19:e0:a9:5a:fc”sentARPbroadcastpacketscontinuously.

Basedonthelabelonthenetworkcable,thecomputerwasinroom2606.Afterthe

maintenanceengineersremoveditsnetworkcable,theelevenswitchesrecoverednormal

andCPUutilizationwasnomorethan5%.

Solution

1.FilterouttheMACaddressofthecomputerontheaccesslayerswitchandprohibitit

fromaccessingtheInternet.

2.Notifythecentralequipmentroomoftheschooltoprohibitthecomputerfrom

accessingtheInternetbeforeitsharddiskisformattedandthesystemisreinstalled.

3.InstallanARPviruskilltoolonallcomputers.

7-9

SJ-20130731155059-002|2013-11-27(R1.0)ZTEProprietaryandCondential

Other manuals for Zte ZXR10 2900E Series