常用的網(wǎng)路管理工具課件

常用的網(wǎng)路管理工具

:以桃園區(qū)網(wǎng)中心為例中央大學(xué)電算中心楊素秋Email:報告大綱1.動機(jī)2.自動寄信(Sendmail.pm)3.IP管理資訊查詢(Rwhoisd)4.Abusecomplain的自動通告5.區(qū)網(wǎng)異常訊務(wù)的偵測與通告6.結(jié)語與展望1.動機(jī)持續(xù)的網(wǎng)路異常抱怨CopyrightInfringement(違反智慧財產(chǎn)權(quán))***Spam(廣告/色情信)PortScan(弱點(diǎn)port掃描)Virus,mailvirus(445/TCP,139/TCP,135/TCP,…)DoS攻擊(80/TCP,554/TCP)Passwordcracking22/TCP,4899/TCP1433/TCP,3306/TCPPhishing/Fraud1.動機(jī)(cont.)SecurityEducationEducateusersAnomalyDetection(Technique)Basedonservicelogmaillog,httplog,syslog,…BasedontrafficlogNetflowdata(router/sitchrouter)layer2packetcontent(snoopedbysnort/tcpdump)AutomaticAbuseNotification2.自動寄信(Sendmailperlmodule)Sendmail.pm的安裝安裝cd/usr/ports/mail/p5-Mail-Sendmailmakemakeinstallyang#pwd/usr/ports/mail/p5-Mail-Sendmailyang#make.Mail-Sendmail-0.79.tar.gz100%of15kB21kBps===>Extractingforp5-Mail-Sendmail-0.79===>Patchingforp5-Mail-Sendmail-0.79===>p5-Mail-Sendmail-0.79dependsonfile:/usr/local/bin/perl5.8.7-found===>Configuringforp5-Mail-Sendmail-0.79Checkingifyourkitiscomplete...Readthedocs,andhavefun...**********************************************************************===>Buildingforp5-Mail-Sendmail-0.79cpSendmail.pmblib/lib/Mail/Sendmail.pmManifyingblib/man3/Mail::Sendmail.32.自動寄信(cont.)Mail::sendmail自動寄信程式#!/usr/bin/perlusestrict;useMail::Sendmail;my$ip_addr="";my$email_mgr=',';my$boundary="===============================";print$ip_addr,"",$email_mgr,"\n";

my%mail=(smtp=>'localhost',To=>"$email_mgr",From=>'',subject=>"DetectSpammingfrom$ip_addr",'Content-Type'=>"text/plain;charset=\"Big5\"",);my$body.="$boundary\n";$body.="TheIPmachineoveryourcampuswiththeaddressof";$body.=$ip_addr;$body.="machinemaybeanOpenMailRelayOrSpamsender.\n";$body.="$boundary\n";$body.="Pleasehelpownerof";$body.="themachine\n";$body.="tocheckandfixitsOpenMailRelayProblemorPatch\n";$body.="Pleasereferthedetailtrafficlogon\n\n";$body.="\n";$body.="(user:guest&password:guest)\n";$body.="ManyThanks!\nFrom:SusnaYang\n\n\n";

$mail{body}=$body;

sendmail(%mail)||print"Errorsendingmail:$Mail::Sendmail::error\n";3.IP管理資訊查詢:RwhoisdIP管理資訊的建立(a)IP管理資訊來源通訊網(wǎng)頁Moe區(qū)網(wǎng)管理人()Moeabuse主機(jī)(l)Tyc區(qū)網(wǎng)管理人()NcuSnmgclub)連線學(xué)校的IP使用列表宿舍用戶IP列表Network-Name:中央大學(xué)IP-Network:/24Admin-Contact:吳維漢Address:中央大學(xué):Tel:65136Updated-By:,,Created:2---Network-Name:中央大學(xué)IP-Network:/24Admin-Contact:陳鎰鋒Address:中央大學(xué):Tel:65340Updated-By:,,,Created:2---Network-Name:中央大學(xué)IP-Network:/24Admin-Contact:陳鎰鋒Address:中央大學(xué):Tel:65340宿舍用戶IP列表,19,,6,,37,,01,,97,,9,,,,6,,5,,2,,4,,59,,02,,4,,1,,5,,3,,9,,75,Network-Name:中央宿網(wǎng)IP-Network:Admin-Contact:Address:NCUDormUserUpdated-By:Created:2---Network-Name:中央宿網(wǎng)IP-Network:Admin-Contact:Address:NCUDormUserUpdated-By:Created:2---Network-Name:中央宿網(wǎng)IP-Network:Admin-Contact:Address:NCUDormUserUpdated-By:Created:2IP管理資訊查詢:Rwhoisd(cont.)(b)IPRoutingTable&ResponsiblemanagersSNMPipRouterMIB&Tyc_manager_listsnmpwalk-v1-ccommunity

21..1.1.11>$infilesnmpwalk-v1-ccommunity21..1.1.7>$infilesnmpwalk:fetchaSNMPsub-treedata需安裝net-snmp3.IP管理資訊查詢:Rwhoisd(cont.)(c)DataextractionWgetwebcontent/usr/local/bin/wget-O/netflow/spam/spam.html.1Extractthewanteddataentriesif(/([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+/){if($4eq“桃園區(qū)網(wǎng)-中央大學(xué)”){

printf(FNO"%s,%s\n",$1,$4);}}ConvertthetextfileCorrespondencetorwhoisddataschemesnmpwalk-v1-ccommunity21..1.1.11>$infileRFC1213-MIB::ipRouteMask.=IpAddress:RFC1213-MIB::ipRouteMask.=IpAddress:RFC1213-MIB::ipRouteMask.=IpAddress:RFC1213-MIB::ipRouteMask.=IpAddress:RFC1213-MIB::ipRouteMask.=IpAddress:RFC1213-MIB::ipRouteMask.=IpAddress:RFC1213-MIB::ipRouteMask.=IpAddress:RFC1213-MIB::ipRouteMask.=IpAddress:RFC1213-MIB::ipRouteMask.=IpAddress:RFC1213-MIB::ipRouteMask.=IpAddress:RFC1213-MIB::ipRouteMask.=IpAddress:RFC1213-MIB::ipRouteMask.=IpAddress:Interf_IP==Sub_network_IP::NetMask::Segments---------------------------------------------------------------------------------05==::()::1,4==::()::4,::()::1,95==::()::2,80==::(52)::1,::()::1,::()::1,::()::1,::()::2,::()::4,::()::4,::()::2,::()::1,::()::2,::()::1,97==::()::1,06==::()::1,5,,,165,,,165,,,165,,,165,,,165,,,169,,,329,,,329,,,329,,,329,,,329,,,329,,,329,,,329,,,32Tyc_manager檔37;中央大學(xué)(1);戴元任;;4227151~57504;4252561;桃園縣(320)中壢市中大路300號;37;元智大學(xué);蔣國強(qiáng);;4638800~325;;桃園縣(320)中壢市內(nèi)壢遠(yuǎn)東路135號;1;中原大學(xué);葉平;,;4563171~2910;2652999;桃園縣(320)中壢市普仁里二十二號;;中正理工學(xué)院;鄭大力;;3809331;3806737;桃園縣(335)大溪鎮(zhèn)員樹林中正理工學(xué)院;99;國防大學(xué);鄭大力;;3809331;3806737;桃園縣(335)大溪鎮(zhèn)員樹林中正理工學(xué)院;45;國防大學(xué);黃麗燕;;4890513;4890513;桃園縣(325)龍?zhí)多l(xiāng)中興路56號;3.IP管理資訊查詢:Rwhoisd(cont.)IP管理資訊查詢clientyang#telnet04321Trying0...Connectedtoyang.Escapecharacteris'^]'.%rwhoisV-1.5:003fff:00.tw(byNetworkSolutions,Inc.V-)

network:Auth-Area:/16network:Class-Name:networknetwork:Network-Name:中央大學(xué)network:IP-Network:/24network:Admin-Contact;I:許健平network:Address:中央大學(xué):network:Tel:57504network:Updated-By:,network:Created:23.IP管理資訊查詢:Rwhoisd(cont.)(c)設(shè)定databaseschema&soa檔more/usr/local/rwhoisd/net-/schemaname:networkattributedef:net-/attribute_defs/network.tmpldbdir:net-/data/networkSchema-Version:200000---name:referralattributedef:net-/attribute_defs/referral.tmpldbdir:net-/data/referralSchema-Version:200000yang#more/usr/local/rwhoisd/net-/soaSerial-Number:200000Refresh-Interval:3600Increment-Interval:1800Retry-Interval:60Time-To-Live:86400Primary-Server::4321Hostmaster:.twdatabasesoa檔3.IP管理資訊查詢:Rwhoisd(cont.)(d)產(chǎn)生index&執(zhí)行rwhoisdSetup.sh#!/bin/sh######cleanuprwhoisdictionaryfilesfind.\(-nameindex\*-o-namelocal*-o-name\*.txt.\*\)-print|\xargsrm-f######reindexbothorganizationalandnetworkecho'reindexingnetworkinformation'/usr/local/rwhoisd/bin/rwhois_indexer-Cnetwork-i-v-stxt######rwhoisddaemon/usr/local/rwhoisd/sbin/rwhoisd-c/usr/local/rwhoisd/etc/rwhoisd/samples/rwhoisd.conf&4.Abusecomplain的通告TANetabuse處理程序OriginalcomplainsendtoMOE網(wǎng)管人工分送各區(qū)網(wǎng)abusecontact,,...各區(qū)網(wǎng)管再分送連線學(xué)校abusecontact,,…連線學(xué)校網(wǎng)管再分送abuseIP使用者4.Abusecomplain的通告(cont.)自動化分送abusecomplain的必要時效性收到moe轉(zhuǎn)來的通告時,已經(jīng)delay區(qū)網(wǎng)若再delay,抱怨信已經(jīng)滿天飛超大量的complainMOE(>600pieces/day)區(qū)網(wǎng)(>20pieces/day)重複地轉(zhuǎn)送信工作(枯燥)4.Abusecomplain的通告(cont.)自動分送abusecomplain的工作模組Parsing信件檔Catalog,Fragment個別信件與存檔spam,mailproxy,unsolicitedmailAttack,portscan,DoSInfringement,copyright,fraud,phishExtract抱怨的IPsourceaddress遠(yuǎn)端查詢rwhoisd管理資訊轉(zhuǎn)寄抱怨信thecontactperson4.Abusecomplain的通告(cont.)system("/bin/cp/var/mail/yang$sessdir/yang_$hour$min");system("/bin/mv/var/mail/yang$sessdir/yang");###$c:switchofeachmailitem###openINF,"cat$sessdir/yang|";$q=0;while(<INF>){###//StartofaEmail//###

if((/^From\s(.*@.*)\s/)||(/^From\s/)){$q++;$outmail_pre=sprintf("%s/%d",$sessdir,$q);close($outmail_pre);sleep1;$outmail=sprintf("%s/%d",$sessdir,$q);open(MAIN,">$outmail");$new_mail=0;$fraud_cause[$q]==0;$inf_cause[$q]=0;$spam_cause[$q]=0;$scan_cause[$q]=0;$check_sw=0;}4.Abusecomplain的通告(cont.)if($new_mail==0&&($inf_cause[$q]==0&&$fraud_cause[$q]==0&&$spam_cause[$q]==0&&$scan_cause[$q]==0)){if($check_sw==0){if(/(Fraud|FRAUD|fraud|PHISH|Phish|phish|scam|<B6>B<C4>F)/){$fraud_cause[$q]++;print$q,"",$fraud_cause[$q],"Fraud\n";$cause[$q]="Fraud/Phish";$check_sw=1;next;}elsif(/(Infringe|infringe|P2P|unauthor|Unauthor)/){$inf_cause[$q]++;print$q,"",$inf_cause[$q],"Infringer\n";$cause[$q]="Infringement";$check_sw=1;….4.Abusecomplain的通告(cont.)elsif((/(SpamCop|Spam\b|spam\b).*([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)/)&&$c==0){print"rule_4_SP1\n";print$&,"\n";$_=$&;if(/([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)/){$ip_addr=$1;if($notified{$ip_addr}<1){$notified[$ip_addr]++;print$ip_addr,"\n";printf("%d%s%10s|Spam\n",$q,$ip_addr,$cause[$q]);printf(FNO"%d%s%10s|Spam\n",$q,$ip_addr,$cause[$q]);printf(FN_MON"%d%s%10s|Spam\n",$q,$ip_addr,$cause[$q]);$qq++;$c++;next;}}4.Abusecomplain的通告(cont.)ayang#more/home/qos/Spam/spam_06===========================AbuseComplaimMail[06-01]---------------------------330Spamming-----105Spamming|Spam119Spamming|Spam1333Spamming|Spam21Spamming|Spam2231Spamming|Spam===========================AbuseComplaimMail[06-02]---------------------------27Infringement2708Infringement2869Infringement2997Infringement4.Abusecomplain的通告(cont.)ayang#more/netflow/spam/0620/fl_spam-----159Infringement21Infringement31Infringement483Infringement54Infringement659Infringement724Infringement899Infringement9Spamming4.Abusecomplain的通告(cont.)安裝Net::RwhoisperlmoduletarxvfNet-Rwhois-0.09.tarcd/usr/local/src/Net-Rwhois-0.09

perlMakemakemakeinstallManifyingblib/man3/Net::Rwhois::Transfer.3Installing/usr/local/lib/perl5/site_perl/5.6.1/Net/Rwhois.pmInstalling/usr/local/lib/perl5/site_perl/5.6.1/Net/Rwhois/ResultSet.pmInstalling/usr/local/lib/perl5/site_perl/5.6.1/Net/Rwhois/Connection.pmInstalling/usr/local/lib/perl5/site_perl/5.6.1/Net/Rwhois/WhoisQuery.pmAbusecomplain的通告(cont.)subrwhois(){my($ip_addr)=@_;my$unit;my$school;my$email_mgr;

require5.003;useNet::Rwhois;$client=newNet::Rwhois(Host=>".tw",Port=>4321);$client->open();$result_set=$client->execute_query(Query_String=>$ip_addr,Limit=>60);@results=$result_set->get_objects();$buf=$client->results_to_string(@results);return$buf;}Abusecomplain的通告(cont.)$fn_in=sprintf("%s/fl_no",$indir);open(FD0,"cat$fn_in|");while(<FD0>){if(/(\d+)\s+(\S+)/){$fn=$1;$ip=$2;print$fn,":",$ip,"\n";

$buf1=rwhois($ip);

($tmp1,$unit)=split("network-name:",$buf1);($school,$tmp2)=split("ip-network:",$unit);($tmp3,$manager)=split("updated-by:",$tmp2);($email_tmp,$tmp4)=split("created:",$manager);($email_mgr_1,$tmp5)=split("updated:",$email_tmp);chomp($school);chomp($email_mgr_1);$email_mgr=$email_mgr_1.",center7\@.tw";$date1="$mon$mday";

&mail_tyc($ip,$email_mgr,$date1,$fn);}#end_if}#end_whileclose(FD0);submail_tyc(){my($ip_addr,$email_mgr,$date1,$fn)=@_;usestrict;useMail::Sendmail;my%mail=(smtp=>'localhost',To=>"$email_mgr",From=>'',subject=>"Scan/Spam/InfrinfementComplaintabout$ip_addr",'Content-Type'=>"text/plain;charset=\"Big5\"",);my$body.="$boundary\n";$body.="Scan/Spam/InfrinfementComplaintaboutIP:";$body.=$ip_addr;$body.="Thesystemthatmighthadbeeninfectedbyhacker,\n";$body.="Pleasehelptheownercheck&fixthesystem.\n";$body.="ManyThanks!\nFrom:SusnaYang\n";

$body.=`/bin/cat/netflow/spam/$date1/$fn`;$body.="$boundary\n";

$mail{body}=$body;

sendmail(%mail)||print"Errorsendingmail:$Mail::Sendmail::error\n";}5.區(qū)網(wǎng)異常訊務(wù)的偵測與通告FloodingDetectionSystem,FDS網(wǎng)路訊務(wù)量測能提供良好的網(wǎng)路監(jiān)測能偵測網(wǎng)路安全問題協(xié)助診斷/解決網(wǎng)路問題協(xié)助網(wǎng)路的規(guī)劃與擴(kuò)充網(wǎng)路異常訊務(wù)偵測FlowFloodingDoSattack,PortScan,Sshcracking,SpamICMP/UDPPacketFloodingSource_socket Destination_Socket{Src_IPsrc_port/TCP}{dest_IPdest_port/TCP}ConnectionRequestAcceptConnectionsend/recvdataCloseconnection5.區(qū)網(wǎng)異常訊務(wù)的偵測與通告(cont.)openIN,"<$infile";while(<INF>){if(/(\S+)\s+(\S+)\s+(\d+)\s+(\d+)+\s+(\S+)\s+(\S+)\s+(\S+)/){$src_ip=$1;$dst_ip=$2;$src_p=$4;$dst_p=$5;$proto=$3;$pkts=$7;$bytes=$6/1000;if($pkts>0){$pkt_size=$bytes/$pkts;}##//@sitem=split(/\./,$src_ip);@ditem=split(/\./,$dst_ip);if($proto!=6){next;}if($pkt_size>0.060){next;}$evil_flow=$src_ip.">#.#.#.#.(".$dst_p.")";elsif($pkt_size<0.060&&$pkt_size>0.046){${"6".flow}{$evil_flow}++;${"6".sum_pkt}{$evil_flow}+=$pkts;${"6".sum_byte}{$evil_flow}+=$bytes;}}#end_while5.區(qū)網(wǎng)異常訊務(wù)的偵測與通告(cont.)5.區(qū)網(wǎng)異常訊務(wù)的偵測與通告(cont.)5.區(qū)網(wǎng)異常訊務(wù)的偵測與通告(cont.)submail_tyc(){my($ip_addr,$email_mgr,$date1)=@_;usestrict;

useMail::Sendmail;print$ip_addr,"",$email_mgr,"\n";my%mail=(smtp=>'localhost',To=>"$email_mgr",From=>'',subject=>"DetectSpammingHost$ip_addrfromYourCampus",'Content-Type'=>"text/plain;charset=\"Big5\"",);my$body.="$boundary\n";$body.="TheIPmachineoveryourcampuswiththeaddressof";$body.=$ip_addr;$body.="machinemaybeanOpenMailRelayOrSpamsender.\n";$body.="\nSRC_IP>#.#.#.#.(Serv_port)Flowspk_si