发现局域网肉机或者p2p连接 --安恒网管员手记
2005-01-30    刘世伟   
打印自: 安恒公司
地址: HTTP://hdtdx.anheng.com.cn/news/article.php?articleid=605
发现局域网肉机或者p2p连接 --安恒网管员手记


[安恒原创]
转载请注明出处  http://www.anheng.com.cn/news/15/605.html

 

被黑客控制,作为攻击机器的肉机,以及员工们自己装的p2p软件,像eMule,BT,有个共同的特点就是消耗大量的带宽,影响公司正常的网络访问,如果公司的计算机多到网络一定的数量,要定位这种带宽使用大户,一般的手段,比较麻烦.

安恒公司是这样做的,
在公司的网关,设置了conn_limit ,让每台机器只有15个连接。如果连接数量超过了限制,机器就会被暂时禁止访问外网.被禁止的人就会知道是自己的机器出现状况,因为,只有自己不能访问外网,问题出在自己.大部分的情况下,他就会自行解决,不会反映到网络部.

下面是一个实例:
有同事反映不能上网,在网关进行tcpdump,发现网关给客户机发回[不可到达]icmp控制信息, 当然限制就发生在网关,
anheng:~# tcpdump -n host 192.168.0.25
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
15:48:13.258203 IP 192.168.0.25.1112 > 202.101.42.11.139: S 216008989:216008989(0) win 65535 <mss 1460,nop,nop,sackOK>
15:48:13.258270 IP 192.168.0.111 > 192.168.0.25: icmp 56: 202.101.42.11 tcp port 139 unreachable
15:48:16.262864 IP 192.168.0.25.1112 > 202.101.42.11.139: S 216008989:216008989(0) win 65535 <mss 1460,nop,nop,sackOK>
15:48:16.262942 IP 192.168.0.1 > 192.168.1.25: icmp 56: 202.101.42.11 tcp port 139 unreachable

查看已存在的连接:
dianserv:~# cat /proc/net/ip_conntrack  |grep 192.168.0.25
tcp      6 411419 ESTABLISHED src=192.168.0.25 dst=221.196.118.162 sport=1838 dport=11049 src=221.196.118.162 dst=220.202.10.102 sport=11049 dport=1838 [ASSURED] use=1
tcp      6 414788 ESTABLISHED src=192.168.0.25 dst=218.91.32.244 sport=1951 dport=16881 src=218.91.32.244 dst=220.202.10.102 sport=16881 dport=1951 [ASSURED] use=1
udp      17 175 src=192.168.0.25 dst=210.22.70.3 sport=1037 dport=53 src=210.22.70.3 dst=220.202.10.102 sport=53 dport=1037 [ASSURED] use=1
tcp      6 414764 ESTABLISHED src=192.168.0.25 dst=222.241.78.212 sport=2242 dport=24965 src=222.241.78.212 dst=220.202.10.102 sport=24965 dport=2242 [ASSURED] use=1
tcp      6 412382 ESTABLISHED src=192.168.0.25 dst=61.185.35.133 sport=1955 dport=10901 src=61.185.35.133 dst=220.202.10.102 sport=10901 dport=1955 [ASSURED] use=1
tcp      6 414757 ESTABLISHED src=192.168.0.25 dst=218.88.169.103 sport=1839 dport=15340 src=218.88.169.103 dst=220.202.10.102 sport=15340 dport=1839 [ASSURED] use=1
tcp      6 427233 ESTABLISHED src=192.168.0.25 dst=218.84.176.152 sport=1127 dport=13903 src=218.84.176.152 dst=220.202.10.102 sport=13903 dport=1127 [ASSURED] use=1
tcp      6 414784 ESTABLISHED src=192.168.0.25 dst=80.117.23.51 sport=2279 dport=21283 src=80.117.23.51 dst=220.202.10.102 sport=21283 dport=2279 [ASSURED] use=1
tcp      6 414764 ESTABLISHED src=192.168.0.25 dst=222.36.6.247 sport=1875 dport=16881 src=222.36.6.247 dst=220.202.10.102 sport=16881 dport=1875 [ASSURED] use=1
tcp      6 431993 ESTABLISHED src=192.168.0.25 dst=192.168.1.111 sport=1142 dport=80 src=192.168.1.111 dst=192.168.0.25 sport=80 dport=1142 [ASSURED] use=1
tcp      6 413283 ESTABLISHED src=192.168.0.25 dst=61.185.35.133 sport=2050 dport=10901 src=61.185.35.133 dst=220.202.10.102 sport=10901 dport=2050 [ASSURED] use=1
tcp      6 325787 ESTABLISHED src=192.168.0.25 dst=63.251.135.76 sport=1387 dport=80 src=63.251.135.76 dst=220.202.10.102sport=80 dport=1387 [ASSURED] use=1
tcp      6 414494 ESTABLISHED src=192.168.0.25 dst=61.185.35.133 sport=2318 dport=10901 src=61.185.35.133 dst=220.202.10.102 sport=10901 dport=2318 [ASSURED] use=1
tcp      6 415184 ESTABLISHED src=192.168.0.25 dst=211.83.102.16 sport=2339 dport=1884 src=211.83.102.16 dst=220.202.10.102 sport=1884 dport=2339 [ASSURED] use=1
tcp      6 414790 ESTABLISHED src=192.168.0.25 dst=218.84.176.152 sport=1876 dport=13903 src=218.84.176.152 dst=220.202.10.102 sport=13903 dport=1876 [ASSURED] use=1
tcp      6 413079 ESTABLISHED src=192.168.0.25 dst=61.185.35.133 sport=2020 dport=10901 src=61.185.35.133 dst=220.202.10.102 sport=10901 dport=2020 [ASSURED] use=1

恰好15个连接,也就是说192.168.0.25被conn_limit限制了,多于15个的连接,被拒绝.

责任编辑: admin