Bugtraq mailing list archives
RE: DoS of LAN via D-Link switches
From: "David Gillett" <gillettdavid () fhda edu>
Date: Tue, 29 Mar 2005 11:15:37 -0800
This is a risk with any of the new small switches that automatically sense when a port needs a crossover. If the switch is running Spanning Tree, it should shut down the interface at one end of the cable. (If the switch *can't* run Spanning Tree, it doesn't belong in a network with other switches. If it can, *whoever turned it off* should be denied further access to that network.) A malicious person with sufficiently administrative access can create this effect on almost any switch. At worst, D-Link may have made it absurdly easy for anyone with merely physical access to do it. David Gillett
-----Original Message----- From: Frank Bures [mailto:lisfrank () chem toronto edu] Sent: Tuesday, March 29, 2005 4:41 AM To: bugtraq () securityfocus com Subject: DoS of LAN via D-Link switches -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 D-Link switch Model: DSS-16+ When user connects the same patch cable to two ports of the switch, the switch will ultimately bring down hierarchically higher branches of the LAN. We have this D-link local switch connected to a 3COM 3300 family switch. A user connected a patch cable to two ports of the D-Link switch effectively shorting them together. The switch started to send out large packets that would periodically overwhelm the 3COM 3300 switch and propagate father through the network. The first symptom of this phenomena were log entries from Linux machines running ntpd complaining about "too many recvbufs allocated". Those machines were on the LAN way beyond the shorted D-Link switch. The problem kept spreading through the LAN and it finally took down three SGI Octane machines running IRIX 6.5, effectively DoSing them from the network. There were problems with NFS and other services, again way beyond the initial D-Link and its connected 3COM switch. The 3COM 3300 switch connected directly to the "shorted" D-Link switch became unusable together with the part of the LAN it serves. In my opinion, a switch should be immune to this admittedly insane manipulation. Otherwise, one can DoS the entire network just by shorting two RJ-45 network outlets in one's office together. Ours is a rather large LAN. One part of it is served by Extreme Networks switches. None of the SGI machines behind these switches were affected by the short. In fact no adverse effects were observed in that part of the LAN. I contacted the D-Link with the description of the DoS. They have no record of a similar report on file. They offered no solution. Frank Bures, Dept. of Chemistry, University of Toronto, M5S 3H6 fbures () chem toronto edu http://www.chem.utoronto.ca PGP public key:
http://pgp.mit.edu:11371/pks/lookup?op=index&search=Frank+Bures -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 5.0 OS/2 for non-commercial use Comment: PGP 5.0 for OS/2 Charset: cp850 wj8DBQFCST6zih0Xdz1+w+wRAkZfAJ9LBIcIDu+w6WCOxCZTsrnKeYReiwCg1xXo Y0s7aBNl/VFiNCewyoYuldw= =GQaY -----END PGP SIGNATURE-----
Current thread:
- DoS of LAN via D-Link switches Frank Bures (Mar 29)
- RE: DoS of LAN via D-Link switches David Gillett (Mar 29)
- Re: DoS of LAN via D-Link switches Tarmo Mamers (Mar 29)
- Re: DoS of LAN via D-Link switches Neil Watson (Mar 30)
- Re: DoS of LAN via D-Link switches Joel Maslak (Mar 31)
- Re: DoS of LAN via D-Link switches Scott Nelson (Mar 31)
- Re: DoS of LAN via D-Link switches Tarmo Mamers (Mar 29)
- RE: DoS of LAN via D-Link switches David Gillett (Mar 29)