10-03-2012 12:47 AM - edited 03-01-2019 02:37 PM
Hi everyone,
Could you help me with how to totally block a specific IP on the SCE? Version 3.7.5.
)#do sh interface LineCard 0 attack-filter current-attacks
---|---------------|-----------|------------|----------|------|------|------
#|Source IP -> |Side / |Open rate / |Handled |Action|HW- |force-
| Dest IP|Protocol |Susp. rate | flows / | |filter|filter
| | | |Duration | | |
---|---------------|-----------|------------|----------|------|------|------
1|* |Subscriber | N/A| N/A|Report|Yes |No
| 217.24.176.230|UDP | N/A| 528901| | |
---|---------------|-----------|------------|----------|------|------|------
2|85.12.213.92 |Subscriber | 207| 5104|Report|No |No
| *|TCP | 207| 1800| | |
---|---------------|-----------|------------|----------|------|------|------
3|217.24.176.248 |Subscriber | N/A| N/A|Report|Yes |No
| 88.86.211.28|TCP | N/A| 1204007| | |
---|---------------|-----------|------------|----------|------|------|------
4|85.12.213.92 |Network | N/A| N/A|Block |Yes |Yes
| *|TCP:3389 | N/A| 235| | |
---|---------------|-----------|------------|----------|------|------|------
5|85.12.213.92 |Subscriber | 207| 1925|Report|No |No
| *|TCP:3389 | 207| 2040| | |
---|---------------|-----------|------------|----------|------|------|------
Total 5 attacks listed.
IP 85.12.213.93 is in the blocked subscriber blocked_1393461 with package 4993.
#sh interface LineCard 0 subscriber name blocked_1393461
Subscriber 'blocked_1393461' manager: SM
Subscriber 'blocked_1393461' properties:
downVlinkId=0
monitor=0
new_classification_policy=0
packageId=4993
upVlinkId=0
Subscriber 'blocked_1393461' read-only properties:
concurrentAttacksNumber=0
PV_internalPackage=4993
PV_REP_nonReportedSessionsInTUR=0
P_aggPeriodType=6
P_blockReportCounter=0
P_firstTimeParty=FALSE
P_internalDownVLink=0
P_internalUpVLink=0
P_MibSubCounters16[0..31][0..1]=1975,35702,0*4,4,150,0*34,718,23272,2,14,5,33,0*16
P_MibSubCounters32[0..31][0..1]=16226,42155,0*4,89,40,0*34,22063,569390,0,7,37,117,0*16
P_newParty=FALSE
p_numOfRedirections=0
P_packageCounterIndex=46
P_partyCurrentDownVLink=0
P_partyCurrentPackage=4993
P_partyCurrentUpVLink=0
P_serviceReportedBitMap=0
P_spamActivity=0
P_spamCounter=0
P_spamMessageCounter=0
Subscriber 'blocked_1393461' attributes:
Subscriber 'blocked_1393461' mappings:
IP 85.12.213.164 - Expiration (sec): Unlimited
IP 85.12.213.92 - Expiration (sec): Unlimited
IP 85.12.214.155 - Expiration (sec): Unlimited
IP 85.12.213.81 - Expiration (sec): Unlimited
IP 85.12.215.37 - Expiration (sec): Unlimited
IP 85.12.214.166 - Expiration (sec): Unlimited
IP 85.12.214.28 - Expiration (sec): Unlimited
IP 85.12.214.90 - Expiration (sec): Unlimited
IP 85.12.213.167 - Expiration (sec): Unlimited
IP 85.12.212.38 - Expiration (sec): Unlimited
IP 85.12.213.3 - Expiration (sec): Unlimited
IP 85.12.212.245 - Expiration (sec): Unlimited
IP 85.12.214.44 - Expiration (sec): Unlimited
IP 85.12.212.239 - Expiration (sec): Unlimited
IP 85.12.212.244 - Expiration (sec): Unlimited
IP 85.12.213.8 - Expiration (sec): Unlimited
IP 85.12.215.194 - Expiration (sec): Unlimited
IP 85.12.214.217 - Expiration (sec): Unlimited
IP 85.12.212.35 - Expiration (sec): Unlimited
IP 85.12.212.40 - Expiration (sec): Unlimited
IP 85.12.213.43 - Expiration (sec): Unlimited
IP 85.12.212.241 - Expiration (sec): Unlimited
IP 85.12.215.72 - Expiration (sec): Unlimited
IP 85.12.214.27 - Expiration (sec): Unlimited
IP 85.12.214.202 - Expiration (sec): Unlimited
IP 85.12.213.170 - Expiration (sec): Unlimited
IP 85.12.213.18 - Expiration (sec): Unlimited
IP 85.12.215.99 - Expiration (sec): Unlimited
IP 85.12.214.195 - Expiration (sec): Unlimited
Subscriber 'blocked_1393461' has 5 active sessions.
Aging disabled
Subscriber blocked_1393461 OS-Info:
osfingerprint feature is disable You must enable it.
All services are blocked for this subscriber, but we can see that part of the attack traffic is still going on.
M12-Gigabit# tcpdump -n -i bge1 host 85.12.213.92 and port 8000
17:20:51.425458 IP 195.95.206.17.8000 > 85.12.213.92.50171: Flags [P.], ack 1, win 1086,
options [nop,nop,TS val 387856168 ecr 293424], length 1302
17:20:51.425540 IP 195.95.206.17.8000 > 85.12.213.92.50171: Flags [P.], ack 1, win 1086,
options [nop,nop,TS val 387856168 ecr 293424], length 1302
17:20:51.427934 IP 85.12.213.92.50171 > 195.95.206.17.8000: Flags [.], ack 22132, win 32768,
options [nop,nop,TS val 293426 ecr 387856168], length 0
17:20:51.538518 IP 195.95.206.17.8000 > 85.12.213.92.50171: Flags [P.], ack 1, win 1086,
options [nop,nop,TS val 387856281 ecr 293426], length 1302
17:20:51.538776 IP 195.95.206.17.8000 > 85.12.213.92.50171: Flags [P.], ack 1, win 1086,
options [nop,nop,TS val 387856281 ecr 293426], length 1302
17:20:51.540964 IP 85.12.213.92.50171 > 195.95.206.17.8000: Flags [.], ack 24736, win 32768,
options [nop,nop,TS val 293427 ecr 387856281], length 0
17:20:51.645476 IP 195.95.206.17.8000 > 85.12.213.92.50171: Flags [P.], ack 1, win 1086,
options [nop,nop,TS val 387856388 ecr 293427], length 1301
17:20:51.645480 IP 195.95.206.17.8000 > 85.12.213.92.50171: Flags [P.], ack 1, win 1086,
options [nop,nop,TS val 387856388 ecr 293427], length 1302
17:20:51.662827 IP 85.12.213.92.50171 > 195.95.206.17.8000: Flags [.], ack 27339, win 32768,
options [nop,nop,TS val 293428 ecr 387856388], length 0
M12-Gigabit# tcpdump -n -i bge1 host 85.12.213.92 and port 3389
11:23:04.455368 IP 85.12.213.92.30723 > 208.3.253.162.3389: Flags [S], seq 2406000322, win
65535, options [mss 1460,nop,wscale 0,nop,nop,sackOK], length 0
11:23:04.455539 IP 85.12.213.92.30723 > 164.38.193.86.3389: Flags [S], seq 2406000322, win
65535, options [mss 1460,nop,wscale 0,nop,nop,sackOK], length 0
11:23:04.455700 IP 85.12.213.92.30723 > 48.134.131.203.3389: Flags [S], seq 2406000322, win
65535, options [mss 1460,nop,wscale 0,nop,nop,sackOK], length 0
11:23:04.455855 IP 85.12.213.92.30723 > 161.244.202.150.3389: Flags [S], seq 2406000322, win
65535, options [mss 1460,nop,wscale 0,nop,nop,sackOK], length 0
11:23:04.456144 IP 85.12.213.92.30723 > 46.35.109.208.3389: Flags [S], seq 2406000322, win
65535, options [mss 1460,nop,wscale 0,nop,nop,sackOK], length 0
11:23:04.456301 IP 85.12.213.92.30723 > 2.120.38.138.3389: Flags [S], seq 2406000322, win
65535, options [mss 1460,nop,wscale 0,nop,nop,sackOK], length 0
11:23:04.456464 IP 85.12.213.92.30723 > 115.230.24.60.3389: Flags [S], seq 2406000322, win
65535, options [mss 1460,nop,wscale 0,nop,nop,sackOK], length 0
11:23:04.456635 IP 85.12.213.92.30723 > 212.106.73.251.3389: Flags [S], seq 2406000322, win
65535, options [mss 1460,nop,wscale 0,nop,nop,sackOK], length 0
11:23:04.456785 IP 85.12.213.92.30723 > 70.120.27.54.3389: Flags [S], seq 2406000322, win
65535, options [mss 1460,nop,wscale 0,nop,nop,sackOK], length 0
11:23:04.511572 IP 114.129.186.116.3389 > 85.12.213.92.30723: Flags [R], seq 0, win 0,
length 0
11:23:04.595549 IP 216.104.40.190.3389 > 85.12.213.92.30723: Flags [R.], seq 0, ack
2406000323, win 0, length 0
11:23:04.617432 IP 12.87.30.122.3389 > 85.12.213.92.30723: Flags [R.], seq 0, ack
2406000323, win 0, length 0
11:23:04.617841 IP 174.81.64.148.3389 > 85.12.213.92.30723: Flags [R.], seq 0, ack
2406000323, win 0, length 0
11:23:04.642726 IP 98.67.137.41.3389 > 85.12.213.92.30723: Flags [R.], seq 0:23, ack
2406000323, win 0, length 23
11:23:04.680637 IP 218.82.145.102.3389 > 85.12.213.92.30723: Flags [R.], seq 0, ack
2406000323, win 0, length 0
11:23:04.734519 IP 85.12.213.92.30725 > 118.89.90.160.3389: Flags [S], seq 3566794134, win
65535, options [mss 1460,nop,nop,sackOK], length 0
11:23:04.735374 IP 222.78.119.204.3389 > 85.12.213.92.30723: Flags [R.], seq 0, ack
2406000323, win 0, length 0
11:23:04.761499 IP 222.58.69.226.3389 > 85.12.213.92.30723: Flags [R.], seq 0, ack
2406000323, win 0, length 0
11:23:04.790477 IP 76.81.254.12.3389 > 85.12.213.92.30723: Flags [R.], seq 0, ack
2406000323, win 0, length 0
11:23:04.953144 IP 85.12.213.92.30726 > 9.170.37.45.3389: Flags [S], seq 2672556040, win
65535, options [mss 1460,nop,nop,sackOK], length 0
11:23:04.978475 IP 186.199.229.94.3389 > 85.12.213.92.30723: Flags [R.], seq 0, ack
2406000323, win 0, length 0
11:23:04.988245 IP 61.255.117.251.3389 > 85.12.213.92.30723: Flags [R.], seq 0, ack
2406000323, win 0, length 0
But traffic continues going on from this IP. Also, we notice that the length is zero. Could this be the root cause?
Regards,
Konstantin.
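Added example, not from this thread or from Cisco: a small Python parser for the tcpdump output quoted above that re-joins the wrapped lines and then counts, per source address, how many distinct hosts received a bare SYN on a given port, which is how the TCP:3389 entry in the attack-filter table shows up in the capture. The sample records are copied from the post; the port and threshold values are assumptions.

```python
import re

# tcpdump -n record as quoted in the post: "HH:MM:SS.us IP src.sport > dst.dport: Flags [..] ... length N".
# The trailing "length N" is TCP payload bytes, so a bare SYN always shows length 0.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\].*?length (?P<length>\d+)"
)
TS_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d+ IP ")

# Constructed sample: records taken from the post, wrapped onto two lines the way the paste was.
SAMPLE = """\
11:23:04.455368 IP 85.12.213.92.30723 > 208.3.253.162.3389: Flags [S], seq 2406000322, win
65535, options [mss 1460,nop,wscale 0,nop,nop,sackOK], length 0
11:23:04.455539 IP 85.12.213.92.30723 > 164.38.193.86.3389: Flags [S], seq 2406000322, win
65535, options [mss 1460,nop,wscale 0,nop,nop,sackOK], length 0
11:23:04.455700 IP 85.12.213.92.30723 > 48.134.131.203.3389: Flags [S], seq 2406000322, win
65535, options [mss 1460,nop,wscale 0,nop,nop,sackOK], length 0
17:20:51.425458 IP 195.95.206.17.8000 > 85.12.213.92.50171: Flags [P.], ack 1, win 1086,
options [nop,nop,TS val 387856168 ecr 293424], length 1302
"""

def unwrap(text):
    """Re-join wrapped records: a line that does not start with a timestamp continues the previous one."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if TS_RE.match(line):
            records.append(line)
        elif line and records:
            records[-1] += " " + line
    return records

def parse(text):
    """One dict per parsable record, with ports and payload length converted to ints."""
    out = []
    for m in filter(None, map(LINE_RE.match, unwrap(text))):
        d = m.groupdict()
        d.update({k: int(d[k]) for k in ("sport", "dport", "length")})
        out.append(d)
    return out

def syn_fanout(records, port, min_targets):
    """Sources that sent bare SYNs to at least min_targets distinct hosts on port (the 3389 pattern above)."""
    targets = {}
    for r in records:
        if r["dport"] == port and r["flags"] == "S":
            targets.setdefault(r["src"], set()).add(r["dst"])
    return {s: len(d) for s, d in targets.items() if len(d) >= min_targets}
```

Feeding a live `tcpdump -n` capture through `parse` and `syn_fanout` with a threshold tuned to the link gives a quick check of whether the scanning stopped after a block was applied, independent of what the SCE reports.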
10-19-2012 05:05 AM
I don't know if it helps, but you can hardware-bypass those IPs. If you want a block, you can write a traffic rule to block IPs.
SCE(config if)#>traffic-rule name ignore IP-addresses subscriber-side 10.11.0.0/16 network-side all protocol all direction both traffic-counter none action ignore
Or block it by defining a zone (IP or range) and blocking it from the PQB.
12-04-2012 06:15 AM
How about blocking a complete Class C IP using the GUI?