Re: [Full-Disclosure] DHCP Flood on inside network. STP the problem?
From: Eddie (EddieS_at_softhome.net)
Date: 10/13/04
- Previous message: Derek Soeder: "[Full-Disclosure] EEYE: Windows VDM #UD Local Privilege Escalation"
- In reply to: Eddie : "[Full-Disclosure] DHCP Flood on inside network. HELP!!"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "full-disclosure@lists.netsys.com" <full-disclosure@lists.netsys.com> Date: Tue, 12 Oct 2004 22:03:55 -0700
Let me say thanks to all those that have replied both on and off the list. All your suggestions are very helpful.
I was able to figure out what was going on when I noticed that instead of a DHCP packet like I was seeing before, tcpdump captured a netbios browser packet from
one of the computers, flooding the network. It looks like it is a Spanning Tree breaking down and playing hot potato. It's the same random packet swamping the
network just like when you loop two switches togather without STP turned on. Seems to like broadcast packets tho.
Nothing has changed in the switches in 3 months, so a switch could be one failing, a computer sending out weird packet screwing up STP, or a virus doing the
same.
I removed all the redundant links and that seems to have fixed or slowed down the problem, I still see "<WARN:EDP> Checksum failed for pdu on port 18" errors
and I see one report of a lost connection in Big Sister, so I am not sure.
I am turning off STP for now. This weekend I will mess around with it since nobody will be in. Maybe with a little unplugging and general troubleshooting will show
what it going on. I don't know much about STP.
I can't find any virus that messes with STP and I don't think any of the servers got rooted since no servers can be access from the outside and the firewall is closed
tight both in and out.
I think one of the Summit switches going out is the problem. Tracking down what one out of the 3 is going to be fun since I can cause the problem to happen.
Thank you again.
-Eddie
On Mon, 11 Oct 2004 22:00:07 -0700, Eddie wrote:
>I don't have much information on this yet, I am driving down to the office now to pull an all nighter. I figured I would toss this out to the list and see if anyone has any
>idea. This is just info from what I can get from talking to people and what little time I can get on the network before it goes down.
>
>Starting 2 days ago, I discovered the PIX 515 was locked hard. It seems to be random, but around every 15-30 minutes something floods the network hard for a
few
>minutes. Broadcast flood too. This is a small network with 30 workstations and 5 servers (Linux and SCO, no Wins). It overloads the Extreme switches and I see
pdu (or
>something like that, not udp tho) errors on about every port.
>The Pix 515 overloads and is having issues, but I did see it say something about ARP problems when I could get to the syslog for more info. I looked up the error
>number and it said it could be ARP poisoning. Not sure what would do that.
>
>In the syslog of the DHCP server, I see thousands of DHCP DISCOVER request(and the REPLAY request from the server, a Linux box). It looks like one client on
the
>network (I have seen this both from XP and Win98) will send 100+ DISCOVER request a second swamping the network. Not always DISCOVER too.
>That will go on for a few minutes, then all is well. Then another computer will do the same thing.
>
>This is quickly overloading things and I am getting IRQ busy and overload errors on some of the servers.
>
>What should I look for. I have never seen something like this before.
>
>Thanks
>-Eddie
>
>
>
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
- Previous message: Derek Soeder: "[Full-Disclosure] EEYE: Windows VDM #UD Local Privilege Escalation"
- In reply to: Eddie : "[Full-Disclosure] DHCP Flood on inside network. HELP!!"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
