96 lines
2.7 KiB
Markdown
# P19 site: Deny action did not send a TCP Reset

| ID | Creation Date | Assignee | Status |
|----|----------------|----------|--------|
| OMPUB-966 | 2023-07-16T17:49:42.000+0800 | 杨威 | Open |

---

Unidirectional flow? [~yangyubo] Post the logs here.

---

**yangyubo** commented on *2023-07-17T12:15:52.136+0800*:

Take the MSH site 10.10.20.161 as an example.

!企业微信截图_16895671747484.png|thumbnail!

sapp log output:

!image-2023-07-17-09-38-46-315.png|thumbnail!

---

**yangyubo** commented on *2023-07-17T12:53:47.323+0800*:

Queried the security log using the IP 111.88.41.21 that appears in the tsg_master error log as the filter condition.

!screenshot-1.png|thumbnail!

Found that almost 98% of them are unidirectional flows.

Take 37.111.167.173 as an example:

!image-2023-07-17-09-56-53-218.png|thumbnail!

Found that almost 95% of them are unidirectional flows.

---

**yangwei** commented on *2023-07-17T13:39:27.938+0800*:

According to the on-site sapp error log, packet construction fails at the point where the GRE layer is assembled.

Because the GRE call IDs differ between uplink and downlink, when the session that hits the policy is a unidirectional flow, the callid information is missing when constructing the reverse-direction packet (e.g. if the current session direction is C2S, then S2C is the reverse direction), such as an RST, which produces the construction-failure error log.

---

**yangwei** commented on *2023-07-17T14:43:05.669+0800*:

Furthermore, with the current on-site runtime parameters, each layer's information must be constructed strictly according to the original packet. So for unidirectional flows, even without GRE encapsulation, constructing the MAC address and link information (the ROUTE_CTX, sidlist, etc. that marsio needs to send a packet) will also report errors. However, to avoid an explosion in the volume of error logs, most of these construction failures caused by missing information are logged at the info level; the overall count can be obtained from Snd_Err_Pkt in metrics, or from SEND-ERR in sysinfo.log.

For sessions where an RST cannot be effectively constructed, the corresponding deny action degrades from TCP reset to drop, which in principle does not affect the deny result.

---

**yangwei** commented on *2024-09-26T10:35:58.779+0800*:

Approach for sending session-interference packets in both directions under unidirectional-flow access

* Premise 1: an additional packet-injection link exists
    * The access topology includes a layer-3 injection link, for example the injection route used in mirror access, or an extra injection route provided in inline access
* Corresponding solution: the Firewall supports constructing interference packets from layer-3 information and injecting them out via a specified link
    * For example, in mirror/inline mode, support injecting the TCP RST out through the management port

* Premise 2: no additional packet-injection link
* Corresponding solution: synchronize the policy ID hit by a unidirectional-flow session across the cluster via SwarmKV
    * After the C2S side hits the policy, send the C2S-side interference packet and synchronize the policy ID to SwarmKV
    * Once the S2C side has synchronized the hit policy ID, send the S2C-side interference packet
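As an added illustration (not code from this ticket or the product), the following Python simulation models the two behaviours discussed in the thread: the deny action degrading from TCP reset to drop when the reverse direction cannot be constructed, and the premise-2 scheme where the node that sees C2S publishes the hit policy ID and the node that sees S2C consumes it to send its own RST. `Flow`, `Node` and the plain dict standing in for SwarmKV are assumptions of the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One direction of a TCP session (constructed model, not the product's data structure)."""
    src: str
    sport: int
    dst: str
    dport: int

    def session_key(self):
        # Direction-agnostic key, so the C2S and S2C halves map to one shared entry.
        return tuple(sorted([(self.src, self.sport), (self.dst, self.dport)]))

    def reverse(self):
        return Flow(self.dst, self.dport, self.src, self.sport)


class Node:
    """A firewall instance that has only observed the flows in `seen` (hypothetical)."""

    def __init__(self, name, kv, seen):
        self.name, self.kv, self.seen = name, kv, set(seen)

    def deny(self, flow, policy_id):
        """Apply a deny to an observed flow and return the list of actions taken."""
        actions = [f"rst-{self.name}"]  # interference packet in the direction this node sees
        if flow.reverse() in self.seen:
            actions.append("rst-reverse")  # reverse state known: a full TCP reset is possible
        else:
            actions.append("drop")  # reverse state missing: that half degrades to drop
            self.kv[flow.session_key()] = policy_id  # publish the hit for the peer node
        return actions

    def sync_from_kv(self):
        """Peer side: consume published hits for sessions it sees and send its own RST."""
        sent = []
        for flow in sorted(self.seen, key=Flow.session_key):
            policy_id = self.kv.pop(flow.session_key(), None)
            if policy_id is not None:
                sent.append((flow, policy_id, f"rst-{self.name}"))
        return sent


def demo():
    kv = {}  # stand-in for SwarmKV: a plain dict shared by both nodes
    c2s = Flow("192.0.2.10", 40000, "198.51.100.7", 443)  # constructed sample session
    node_a = Node("A", kv, [c2s])            # sees only the C2S direction
    node_b = Node("B", kv, [c2s.reverse()])  # sees only the S2C direction
    return node_a.deny(c2s, policy_id=42), node_b.sync_from_kv()
```

With a node that has seen both directions, `deny` returns the full reset and publishes nothing.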

---

## Attachments

**41375/image-2023-07-17-09-38-46-315.png**

---

**41380/image-2023-07-17-09-56-53-218.png**

---

**41379/screenshot-1.png**

---

**41374/企业微信截图_16895671747484.png**

---