RE: DoS of LAN via D-Link switches
This is a risk with any of the new small switches that automatically
sense when a port needs a crossover.
If the switch is running Spanning Tree, it should shut down the
interface at one end of the cable. (If the switch *can't* run Spanning
Tree, it doesn't belong in a network with other switches. If it can,
*whoever turned it off* should be denied further access to that network.)
A malicious person with sufficiently administrative access
can create this effect on almost any switch. At worst, D-Link may
have made it absurdly easy for anyone with merely physical access to
do it.
David Gillett
> -----Original Message-----
> From: Frank Bures [mailto:lisfrank@xxxxxxxxxxxxxxxx]
> Sent: Tuesday, March 29, 2005 4:41 AM
> To: bugtraq@xxxxxxxxxxxxxxxxx
> Subject: DoS of LAN via D-Link switches
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> D-Link switch Model: DSS-16+
>
> When user connects the same patch cable to two ports of the
> switch, the
> switch will ultimately bring down hierarchically higher
> branches of the
> LAN.
>
> We have this D-link local switch connected to a 3COM 3300
> family switch. A
> user connected a patch cable to two ports of the D-Link
> switch effectively
> shorting them together. The switch started to send out large
> packets that
> would periodically overwhelm the 3COM 3300 switch and propagate father
> through the network.
>
> The first symptom of this phenomena were log entries from
> Linux machines
> running ntpd complaining about "too many recvbufs allocated". Those
> machines were on the LAN way beyond the shorted D-Link switch. The
> problem kept spreading through the LAN and it finally took
> down three SGI
> Octane machines running IRIX 6.5, effectively DoSing them
> from the network.
> There were problems with NFS and other services, again way beyond the
> initial D-Link and its connected 3COM switch. The 3COM 3300 switch
> connected directly to the "shorted" D-Link switch became
> unusable together
> with the part of the LAN it serves.
>
> In my opinion, a switch should be immune to this admittedly insane
> manipulation. Otherwise, one can DoS the entire network just
> by shorting
> two RJ-45 network outlets in one's office together.
>
> Ours is a rather large LAN. One part of it is served by
> Extreme Networks
> switches. None of the SGI machines behind these switches
> were affected by
> the short. In fact no adverse effects were observed in that
> part of the
> LAN.
>
> I contacted the D-Link with the description of the DoS. They
> have no record
> of a similar report on file. They offered no solution.
>
>
> Frank Bures, Dept. of Chemistry, University of Toronto, M5S 3H6
> fbures@xxxxxxxxxxxxxxxx
> http://www.chem.utoronto.ca
> PGP public key:
http://pgp.mit.edu:11371/pks/lookup?op=index&search=Frank+Bures
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0 OS/2 for non-commercial use
Comment: PGP 5.0 for OS/2
Charset: cp850
wj8DBQFCST6zih0Xdz1+w+wRAkZfAJ9LBIcIDu+w6WCOxCZTsrnKeYReiwCg1xXo
Y0s7aBNl/VFiNCewyoYuldw=
=GQaY
-----END PGP SIGNATURE-----