|
Bugtraq
mailing list archives
RE: DoS of LAN via D-Link switches
From: "David Gillett" <gillettdavid () fhda edu>
Date: Tue, 29 Mar 2005 11:15:37 -0800
This is a risk with any of the new small switches that automatically
sense when a port needs a crossover.
If the switch is running Spanning Tree, it should shut down the
interface at one end of the cable. (If the switch *can't* run Spanning
Tree, it doesn't belong in a network with other switches. If it can,
*whoever turned it off* should be denied further access to that network.)
A malicious person with sufficiently administrative access
can create this effect on almost any switch. At worst, D-Link may
have made it absurdly easy for anyone with merely physical access to
do it.
David Gillett
-----Original Message-----
From: Frank Bures [mailto:lisfrank () chem toronto edu]
Sent: Tuesday, March 29, 2005 4:41 AM
To: bugtraq () securityfocus com
Subject: DoS of LAN via D-Link switches
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
D-Link switch Model: DSS-16+
When user connects the same patch cable to two ports of the
switch, the
switch will ultimately bring down hierarchically higher
branches of the
LAN.
We have this D-link local switch connected to a 3COM 3300
family switch. A
user connected a patch cable to two ports of the D-Link
switch effectively
shorting them together. The switch started to send out large
packets that
would periodically overwhelm the 3COM 3300 switch and propagate father
through the network.
The first symptom of this phenomena were log entries from
Linux machines
running ntpd complaining about "too many recvbufs allocated". Those
machines were on the LAN way beyond the shorted D-Link switch. The
problem kept spreading through the LAN and it finally took
down three SGI
Octane machines running IRIX 6.5, effectively DoSing them
from the network.
There were problems with NFS and other services, again way beyond the
initial D-Link and its connected 3COM switch. The 3COM 3300 switch
connected directly to the "shorted" D-Link switch became
unusable together
with the part of the LAN it serves.
In my opinion, a switch should be immune to this admittedly insane
manipulation. Otherwise, one can DoS the entire network just
by shorting
two RJ-45 network outlets in one's office together.
Ours is a rather large LAN. One part of it is served by
Extreme Networks
switches. None of the SGI machines behind these switches
were affected by
the short. In fact no adverse effects were observed in that
part of the
LAN.
I contacted the D-Link with the description of the DoS. They
have no record
of a similar report on file. They offered no solution.
Frank Bures, Dept. of Chemistry, University of Toronto, M5S 3H6
fbures () chem toronto edu
http://www.chem.utoronto.ca
PGP public key:
http://pgp.mit.edu:11371/pks/lookup?op=index&search=Frank+Bures
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0 OS/2 for non-commercial use
Comment: PGP 5.0 for OS/2
Charset: cp850
wj8DBQFCST6zih0Xdz1+w+wRAkZfAJ9LBIcIDu+w6WCOxCZTsrnKeYReiwCg1xXo
Y0s7aBNl/VFiNCewyoYuldw=
=GQaY
-----END PGP SIGNATURE-----
 By Date 
By Thread
Current thread:
|
Intro
