RE: DoS of LAN via D-Link switches

["David Gillett" <gillettdavid () fhda edu>]

  This is a risk with any of the new small switches that automatically
sense when a port needs a crossover.
  If the switch is running Spanning Tree, it should shut down the 
interface at one end of the cable.  (If the switch *can't* run Spanning
Tree, it doesn't belong in a network with other switches.  If it can,
*whoever turned it off* should be denied further access to that network.)

  A malicious person with sufficiently administrative access
can create this effect on almost any switch.  At worst, D-Link may
have made it absurdly easy for anyone with merely physical access to 
do it.

David Gillett


> -----Original Message-----
> From: Frank Bures [mailto:lisfrank () chem toronto edu]
> Sent: Tuesday, March 29, 2005 4:41 AM
> To: bugtraq () securityfocus com
> Subject: DoS of LAN via D-Link switches
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> D-Link switch Model: DSS-16+
>
> When user connects the same patch cable to two ports of the 
> switch, the
> switch will ultimately bring down hierarchically higher 
> branches of the 
> LAN.
>
> We have this D-link local switch connected to a 3COM 3300 
> family switch. A
> user connected a patch cable to two ports of the D-Link 
> switch effectively
> shorting them together.  The switch started to send out large 
> packets that
> would periodically overwhelm the 3COM 3300 switch and propagate father
> through the network.
>
> The first symptom of this phenomena were log entries from 
> Linux machines
> running ntpd complaining about "too many recvbufs allocated".  Those
> machines were on the LAN way beyond the shorted D-Link switch.  The 
> problem kept spreading through the LAN and it finally took 
> down three SGI 
> Octane machines running IRIX 6.5, effectively DoSing them 
> from the network.  
> There were problems with NFS and other services, again way beyond the 
> initial D-Link and its connected 3COM switch.  The 3COM 3300 switch 
> connected directly to the "shorted" D-Link switch became 
> unusable together 
> with the part of the LAN it serves.
>
> In my opinion, a switch should be immune to this admittedly insane
> manipulation.  Otherwise, one can DoS the entire network just 
> by shorting
> two RJ-45 network outlets in one's office together.
>
> Ours is a rather large LAN.  One part of it is served by 
> Extreme Networks 
> switches.  None of the SGI machines behind these switches 
> were affected by 
> the short.  In fact no adverse effects were observed in that 
> part of the 
> LAN.
>
> I contacted the D-Link with the description of the DoS.  They 
> have no record 
> of a similar report on file.  They offered no solution.
>
>
> Frank Bures, Dept. of Chemistry, University of Toronto, M5S 3H6
> fbures () chem toronto edu
> http://www.chem.utoronto.ca
> PGP public key: 
http://pgp.mit.edu:11371/pks/lookup?op=index&search=Frank+Bures
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0 OS/2 for non-commercial use
Comment: PGP 5.0 for OS/2
Charset: cp850

wj8DBQFCST6zih0Xdz1+w+wRAkZfAJ9LBIcIDu+w6WCOxCZTsrnKeYReiwCg1xXo
Y0s7aBNl/VFiNCewyoYuldw=
=GQaY
-----END PGP SIGNATURE-----