This is a risk with any of the new small switches that automatically sense when a port needs a crossover. If the switch is running Spanning Tree, it should shut down the interface at one end of the cable. (If the switch *can't* run Spanning Tree, it doesn't belong in a network with other switches. If it can, *whoever turned it off* should be denied further access to that network.) A malicious person with sufficiently administrative access can create this effect on almost any switch. At worst, D-Link may have made it absurdly easy for anyone with merely physical access to do it. David Gillett > -----Original Message----- > From: Frank Bures [mailto:lisfrank@xxxxxxxxxxxxxxxx] > Sent: Tuesday, March 29, 2005 4:41 AM > To: bugtraq@xxxxxxxxxxxxxxxxx > Subject: DoS of LAN via D-Link switches > > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > D-Link switch Model: DSS-16+ > > When user connects the same patch cable to two ports of the > switch, the > switch will ultimately bring down hierarchically higher > branches of the > LAN. > > We have this D-link local switch connected to a 3COM 3300 > family switch. A > user connected a patch cable to two ports of the D-Link > switch effectively > shorting them together. The switch started to send out large > packets that > would periodically overwhelm the 3COM 3300 switch and propagate father > through the network. > > The first symptom of this phenomena were log entries from > Linux machines > running ntpd complaining about "too many recvbufs allocated". Those > machines were on the LAN way beyond the shorted D-Link switch. The > problem kept spreading through the LAN and it finally took > down three SGI > Octane machines running IRIX 6.5, effectively DoSing them > from the network. > There were problems with NFS and other services, again way beyond the > initial D-Link and its connected 3COM switch. The 3COM 3300 switch > connected directly to the "shorted" D-Link switch became > unusable together > with the part of the LAN it serves. > > In my opinion, a switch should be immune to this admittedly insane > manipulation. Otherwise, one can DoS the entire network just > by shorting > two RJ-45 network outlets in one's office together. > > Ours is a rather large LAN. One part of it is served by > Extreme Networks > switches. None of the SGI machines behind these switches > were affected by > the short. In fact no adverse effects were observed in that > part of the > LAN. > > I contacted the D-Link with the description of the DoS. They > have no record > of a similar report on file. They offered no solution. > > > Frank Bures, Dept. of Chemistry, University of Toronto, M5S 3H6 > fbures@xxxxxxxxxxxxxxxx > http://www.chem.utoronto.ca > PGP public key: http://pgp.mit.edu:11371/pks/lookup?op=index&search=Frank+Bures -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 5.0 OS/2 for non-commercial use Comment: PGP 5.0 for OS/2 Charset: cp850 wj8DBQFCST6zih0Xdz1+w+wRAkZfAJ9LBIcIDu+w6WCOxCZTsrnKeYReiwCg1xXo Y0s7aBNl/VFiNCewyoYuldw= =GQaY -----END PGP SIGNATURE-----
