245 lines
6.3 KiB
Markdown
245 lines
6.3 KiB
Markdown
|
# 【E21现场】DoS Threat Map和Dos Events在2022-03-28 16:10:00无新日志产生。
|
|||
|
|
|
|||
|
|
| ID | Creation Date | Assignee | Status |
|
|||
|
|
|----|----------------|----------|--------|
|
|||
|
|
| OMPUB-429 | 2022-04-02T03:31:45.000+0800 | 戚岱杰 | 已关闭 |
|
|||
|
|
|
|||
|
|
|
|||
|
|
---
|
|||
|
|
|
|||
|
|
现场问题描述:
|
|||
|
|
|
|||
|
|
系统里查询到Dos Events最后一条日志时间为2022-03-28 16:10:00
|
|||
|
|
|
|||
|
|
DoS Threat Map无最新数据,页面也无动态箭头。
|
|||
|
|
|
|||
|
|
处理进展:
|
|||
|
|
|
|||
|
|
1、通过nezha系统prometheus 统计ddos日志量,查询近两周的日志量无明显变化。
|
|||
|
|
|
|||
|
|
2、登录计算板,cat /opt/tsg/sapp/tsg_stat.log ,ddos_suc一直有数,在发日志。
|
|||
|
|
|
|||
|
|
3、28号16点OLAP尚未更新,通过查询ServerIp统计数据,确认期间检测程序运行正常。
|
|||
|
|
|
|||
|
|
4、OLAP Dos程序调低ddos攻击计算参数阀值之后,Dos Events和DoS Threat Map有日志,有数据。
|
|||
|
|
|
|||
|
|
调整参数阀值如下:
|
|||
|
|
|
|||
|
|
static.sensitivity.threshold=500 调整为100
|
|||
|
|
|
|||
|
|
baseline.sensitivity.threshold=0.5 调整为0.2
|
|||
|
|
|
|||
|
|
baseline.sessions.monitor.threshold=0.5 调整为0.2
|
|||
|
|
|
|||
|
|
处理结果:
|
|||
|
|
|
|||
|
|
调低参数阀值,DoS Threat Map和Dos Events有日志和数据。
|
|||
|
|
|
|||
|
|
问题原因进一步定位。
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
**liuxueli** commented on *2022-04-02T09:44:59.419+0800*:
|
|||
|
|
|
|||
|
|
* 通过nezha系统prometheus 统计ddos日志量,查询近两周的日志量无明显变化。
|
|||
|
|
|
|||
|
|
*
|
|||
|
|
登录NPB,cat /opt/tsg/sapp/tsg_stat.log ,ddos_suc一直有数,在发日志
|
|||
|
|
|
|||
|
|
** !image-2022-04-02-09-44-07-624.png!
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
---
|
|||
|
|
|
|||
|
|
**qidaijie** commented on *2022-04-07T10:35:54.653+0800*:
|
|||
|
|
|
|||
|
|
根据现场返回的数据以及图像分析:
|
|||
|
|
* Flink DoS检测程序与基线生成程序均无异常。
|
|||
|
|
* 基线存储hbase也无异常。
|
|||
|
|
|
|||
|
|
根据图像分析 [^pic.tar] ,dashboard内top10 server IP流量在3月28日15:00以后均有明显下降的趋势,怀疑DoS检测结果无数据与当时流量下降有关,需要功能端协助查看当时流量情况。[~liuxueli]
|
|||
|
|
!基线统计-1.png|thumbnail!
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
---
|
|||
|
|
|
|||
|
|
**qidaijie** commented on *2022-04-07T15:03:48.934+0800*:
|
|||
|
|
|
|||
|
|
* 上传最近7天的流量曲线图。 [^pic20220407.tar.gz]
|
|||
|
|
* 上传2022-03-26到2022-04-01查询Dos表结果csv。 [^sql_CSV_20220407.zip]
|
|||
|
|
|
|||
|
|
根据现场数据,观察到从2022-03-28T16:20:00.000+03:00时间点后,统计的IP流量均降低了一个量级;需要功能端协助查看当时流量情况[~fengweihao]
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
---
|
|||
|
|
|
|||
|
|
**liuju** commented on *2022-04-28T16:41:59.301+0800*:
|
|||
|
|
|
|||
|
|
目前线上程序的基线还没更新,因现场近期比较忙,暂时还没时间追踪处理这个,等现场我这边有时间了,我会再联系大家继续定位处理~辛苦大家了~
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
---
|
|||
|
|
|
|||
|
|
**liuju** commented on *2022-04-29T19:22:20.131+0800*:
|
|||
|
|
|
|||
|
|
今天将10.224.11.24 :/data/tsg/olap/topology/dos-detection/config/DOS-DETECTION-APPLICATION
|
|||
|
|
|
|||
|
|
配置参数调整回更新前如下:
|
|||
|
|
|
|||
|
|
static.sensitivity.threshold=100 调整为500
|
|||
|
|
baseline.sensitivity.threshold=0.2 调整为0.5
|
|||
|
|
baseline.sessions.monitor.threshold=0.2 调整为0.5
|
|||
|
|
|
|||
|
|
配置参数调整回去之后,重启程序进行观察,DoS Threat Map和Dos Events都有新日志和数据产生。
|
|||
|
|
周一还会继续观察DoS Threat Map和Dos Events日志情况。
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
---
|
|||
|
|
|
|||
|
|
**liuju** commented on *2022-05-03T14:55:20.927+0800*:
|
|||
|
|
|
|||
|
|
2022-04-29 已将配置参数调整到初始数值如下:
|
|||
|
|
|
|||
|
|
static.sensitivity.threshold=500
|
|||
|
|
|
|||
|
|
baseline.sensitivity.threshold=0.5
|
|||
|
|
|
|||
|
|
baseline.sessions.monitor.threshold=0.5
|
|||
|
|
|
|||
|
|
统计配置调整之后近几天每日Dos Events日志量如下:
|
|||
|
|
|
|||
|
|
2022-04-30 日志量:863
|
|||
|
|
|
|||
|
|
2022-05-01 日志量:576
|
|||
|
|
|
|||
|
|
2022-05-03 日志量:1033
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
想通过系统logs搜索Dos Events 2022-03-28 之前单日日志量依此作为参考对比目前日志量和2022-03-28之前日志量是否在一个量级,但是目前搜索Dos Events 2022-03每日日志量 搜索结果为空,故暂无法进行比对。
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
---
|
|||
|
|
|
|||
|
|
**zhengchao** commented on *2022-05-04T09:09:31.282+0800*:
|
|||
|
|
|
|||
|
|
22.06支持为各类日志设置独立的留存周期。
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
---
|
|||
|
|
|
|||
|
|
**qidaijie** commented on *2022-05-06T15:52:28.515+0800*:
|
|||
|
|
|
|||
|
|
现场配置为存储最近30天的日志,固3月份的日志已被删除 无法查询到。[~liuju]
|
|||
|
|
!存储配额配置截图.png|thumbnail!
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
---
|
|||
|
|
|
|||
|
|
**doufenghu** commented on *2022-05-06T16:04:24.799+0800*:
|
|||
|
|
|
|||
|
|
如上问题,目前可采取方式1,尽可能持久保留DoS Events 事件日志。
|
|||
|
|
* 方式1: 可在日志存储配额调度任务,配置参数- DoS Events 表不删除;
|
|||
|
|
* 方式2: 22.06 为每种类型日志设置独立留存周期。
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
---
|
|||
|
|
|
|||
|
|
**liuju** commented on *2022-05-10T00:11:29.346+0800*:
|
|||
|
|
|
|||
|
|
针对该问题的定位处理过程,目前来说只发现部分NPB时钟同步有些问题,并应研发要求对所有NPB的时钟同步服务进行调整,将同步服务从ntp更新为chronyd。
|
|||
|
|
经过这周观察目前现场未复现DoS Threat Map和Dos Events无日志情况。
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
---
|
|||
|
|
|
|||
|
|
**qidaijie** commented on *2022-05-16T09:57:32.940+0800*:
|
|||
|
|
|
|||
|
|
当NPB时钟不同步,Dos统计任务会将时间超过窗口一分钟的数据视为无效数据;有效数据较少 且未超过基线阈值,最终导致了Dos Events无日志情况。
|
|||
|
|
根据统计图所示,在4月7号修改了NPB时钟同步后,未做其他操作 统计恢复正常。
|
|||
|
|
!DNS Flood_session_rate.png|thumbnail!
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
---
|
|||
|
|
|
|||
|
|
**qidaijie** commented on *2022-05-20T22:11:25.665+0800*:
|
|||
|
|
|
|||
|
|
已修改日志存储配额调度任务,DoS Events 表不删除;且可查询到30天前的数据。
|
|||
|
|
!Dos30天前日志查询.png|thumbnail!
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
---
|
|||
|
|
|
|||
|
|
**qidaijie** commented on *2022-05-20T22:36:17.731+0800*:
|
|||
|
|
|
|||
|
|
综合评论内容,Dos Events日志无数据问题已解决。原因总结:
|
|||
|
|
# 在DPI升级过程中出现了 时钟不同步 的现象,致使DoS检测应用将部分数据视为无效数据,最终导致了Dos Events日志无数据问题;非DoS检测应用问题。
|
|||
|
|
# 考虑到DoS Events 日志价值较高;目前 暂时 通过调度任务设置不删除策略,保留全部的DoS Events 日志。
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
---
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
## Attachments
|
|||
|
|
|
|||
|
|
**27985/DNS+Flood_session_rate.png**
|
|||
|
|
|
|||
|
|
---
|
|||
|
|
|
|||
|
|
**28177/Dos30天前日志查询.png**
|
|||
|
|
|
|||
|
|
---
|
|||
|
|
|
|||
|
|
**26776/Dos-Serverip统计.jpg**
|
|||
|
|
|
|||
|
|
---
|
|||
|
|
|
|||
|
|
**26775/image-2022-04-02-09-44-07-624.png**
|
|||
|
|
|
|||
|
|
---
|
|||
|
|
|
|||
|
|
**26854/pic.tar**
|
|||
|
|
|
|||
|
|
---
|
|||
|
|
|
|||
|
|
**26860/pic20220407.tar.gz**
|
|||
|
|
|
|||
|
|
---
|
|||
|
|
|
|||
|
|
**26861/sql_CSV_20220407.zip**
|
|||
|
|
|
|||
|
|
---
|
|||
|
|
|
|||
|
|
**27769/存储配额配置截图.png**
|
|||
|
|
|
|||
|
|
---
|
|||
|
|
|
|||
|
|
**26853/基线统计-1.png**
|
|||
|
|
|
|||
|
|
---
|
|||
|
|
|
|||
|
|
**26772/微信图片_20220401221600.jpg**
|
|||
|
|
|
|||
|
|
---
|
|||
|
|
|
|||
|
|
**26771/微信图片_20220401221632.png**
|
|||
|
|
|
|||
|
|
---
|
|||
|
|
|