网络运行监测手段 浅谈
宫一鸣
Jan 2005
http://security.zz.ha.cn yiming@Security.zz.ha.cn
5 areas
ISO network management的5 areas --> – Fault Management -- > monitor Network problem – Configuration Management -- > monitor configuration information – Performance Management -- > monitor throughput, line/cpu utilization – Accounting Management -- > monitor – Security Management -- > monitor
Yiming Gong
不断变化的Network
关注建设-- > 关注应用 带宽安全推到了前台 – 网络 而非 系统 基于Network的异常 – 终端的智能 之和> 网络 -quoted liu YC 网络是如何运行的 用户在用我的带宽做什么 带宽如何构成 TOPn user/app/port/zone 流量中的正常/异常比率 网络有问题么
如何应对网络中的DDoS, Worm Total Solution
Yiming Gong
网络运行监测手段
分类方法 – Active – PASV – Inline～outline – 我们需要
Yiming Gong
网络运行监测手段
Active – LED – Ping, traceroute, Nmap – telnet/ssh --> – Show/Debug – Expect + shell – 构造数据包 V Scanner Iperf, OWAMP,skitter,Beluga, hping
Yiming Gong
网络运行监测手段
Iperf – measure maximum TCP bandwidth, allowing the tuning of various parameters and UDP characteristics. Iperf reports bandwidth, delay jitter, datagram loss. yiming# iperf -c 192.168.1.1 -p 80 -i 2 -----------------------------------------------------------Client connecting to 192.168.1.1, TCP port 80 TCP window size: 16.0 KByte (default) -----------------------------------------------------------[ 3] local 192.168.1.2 port 3593 connected with 192.168.1.1 port 80 [ 3] 0.0- 2.0 sec 5.26 MBytes 22.1 Mbits/sec [ 3] 2.0- 4.0 sec 2.35 MBytes 9.86 Mbits/sec [ 3] 4.0- 6.0 sec 12.1 MBytes 50.7 Mbits/sec [ 3] 6.0- 8.0 sec 12.2 MBytes 51.0 Mbits/sec 调整Windows size , mss 等寻找最优的参数
Yiming Gong
网络运行监测手段
hping
a command-line oriented TCP/IP packet assembler/analyzer.
例子 – ipfilter在状态实现中,收到ack标志的tcp数据包,如果来源ip可信,则进入 TCPS_ESTABLISHED – 受ipfilter保护的系统根据tcp实现会对孤立的ack复位发送rst数据包,ipfilter看 到这个rst数据包后,会将session标记为完成状态,进入1分钟倒计时,这个session 就从状态表中丢弃 – Badchecksum, hping server -A -s 1235 -p 22 -c 1 –b – E.g2: hping -p 31335 -e PONG -2 ip.add.of.victim -c 5 -d 4 -a www.google.com

下一页