Re: DoS of LAN via D-Link switches

["Tarmo Mamers" <tarmo () pobox com>]

> > From: Frank Bures [mailto:lisfrank () chem toronto edu]
> > Sent: Tuesday, March 29, 2005 4:41 AM

> > When user connects the same patch cable to two ports of the
> > switch, the
> > switch will ultimately bring down hierarchically higher
> > branches of the
> > LAN.

> > Ours is a rather large LAN.  One part of it is served by
> > Extreme Networks
> > switches.  None of the SGI machines behind these switches
> > were affected by
> > the short.  In fact no adverse effects were observed in that
> > part of the
> > LAN.

This is natural behaviour of Ethernet ("natural" being dependent of your
network design, of course :) and has nothing to do with D-Link or any other
manufacturer.

Some switches offer automatic port disabling feature if BPDU is received on
a port defined as access port. All workstation ports should be defined as
access ports for this to work. Workstations are not taking part of any
Spanning Tree and they shouldn't generate any BPDUs and thus BPDUs shouldn't
come into the switch from any access port. When you interconnect two switch
ports defined as access ports, BPDUs generated by the switch reach another
access port and trigger the disabling feature. This works in case or a
single switch as well as between different switches as long as all your
switches are Spanning Tree enabled.

How the "short-circuit" affects specific switches depends how their unknown
frame forwarding is configured and where they stand in a multi-tier switch
topology.

> > In my opinion, a switch should be immune to this admittedly insane
> > manipulation.  Otherwise, one can DoS the entire network just
> > by shorting
> > two RJ-45 network outlets in one's office together.

Switches _are_ immune to insane manipulation if configured correctly.
Excluding plugging out the power cord, unfortunately...


-tarmo-