Friday, June 24, 2011

Potential DoS attack on a Cisco Layer 2 Switch

I came across an issue at work where one of our customers' RF networks was frequently going down. This RF network supports wireless handheld inventory-management RF guns. The initial reason for the downtime was unknown, but careful examination, with the help of a remote user, showed that the cabling of the standard network setup had been altered.

Usually, in small network installations, it is a best practice to connect an RF network to a Gigabit or Fast Ethernet port on a switch. On a 24-port switch it is good practice to connect the RF network to the last switch ports, either 23X or 24X. That is not a rule, but it is what I've observed at many sites, for a simple reason: those ports won't get disturbed by a desperate cabling guy. Enabling port security on these Ethernet ports on a managed switch is a bad idea. It is highly recommended to use a dedicated firewall for the RF network, which we have in this case.

The issue I came across turned out to be interesting. We have a standard cabling layout plan, but someone, for some reason, altered the cabling: the RF network line from the firewall (here a Cisco 871 is used as the firewall, with access-lists) was connected to a Cisco 2900 series (IOS 12.0) switch port on which port security was enabled and only one MAC address was allowed to associate with it, as a sticky address. We had configured that for a cash register at the site; ideally that port (or range of ports) is to be used only for cash registers, but in this case the RF network Ethernet cable was connected to it, probably by mistake. This was what caused the RF network to go down. When we checked the switch logs we found a port-security violation caused by the Cisco 871's interface MAC address. Right after clearing the MAC violation the switch hung and was no longer reachable, so we ended up rebooting it. Once it came back up we tried clearing the port security (the previous configuration had not been written/saved to the switch's NVRAM), and that made the switch freeze again. We had to disconnect the cable coming from the Cisco 871 to the switch port, remove the port security from that port and reconnect the cable, which made the RF network function as intended.
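To make the two kinds of port concrete, here is an added configuration example (not the configuration from the site described above, and not taken from Cisco documentation): a cash-register port locked to a single sticky MAC next to the RF uplink port, which carries every RF client's MAC behind one cable and therefore gets no port security. Interface numbers, VLAN ids and the recovery settings are constructed assumptions; the `switchport port-security` syntax shown is the Catalyst 2950/2960-style form, and the exact keywords on the older 2900-series IOS 12.0 image mentioned in the post may differ.

```cisco
! Added example, not the post's own switch configuration.
! Interface numbers and VLANs are constructed placeholders.
!
! Cash-register port: exactly one MAC, learned once and kept as sticky,
! port shuts down (err-disabled) on a violation.
interface FastEthernet0/5
 description Cash register 1 - port security, single sticky MAC
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 spanning-tree portfast
!
! RF network uplink from the Cisco 871 firewall. The firewall's MAC and
! every RF client behind it arrive on this single port, so a maximum-1
! sticky entry here is what produced the violations in the post.
interface FastEthernet0/24
 description RF network uplink from Cisco 871 - NO port security
 switchport mode access
 switchport access vlan 20
 no switchport port-security
!
! Assumed optional hardening: let a port err-disabled by a violation
! recover by itself after 5 minutes instead of needing a manual
! shut / no shut.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Persist the sticky MACs and the rest of the config so they survive a
! reload (run from privileged exec, not configuration mode):
!   copy running-config startup-config
```

After applying it, `show port-security interface FastEthernet0/5` shows the learned sticky address, the violation count and the violation mode, `show port-security address` lists every secured MAC per port, and `show interfaces status err-disabled` reveals a port that has been shut down by a violation. A description on each port is what lets the next person see at a glance that Fa0/24 is the RF uplink and not a spare cash-register port.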

Besides the troubleshooting, which I obviously enjoyed, what interested me was an entire switch hanging because of the storm of MAC addresses entering the switch port from the RF network. Well, good experience :)
