April 25, 2010

Ethernet Flow Control DOS in STP environment

A while back, I wrote a post on Ethernet Flow Control and IGMP snooping, and on how running TCP flow control on top of Ethernet Flow Control could easily cripple your network. If you are not familiar with Ethernet Flow Control, I highly suggest you go over that post first in order to understand what I will be talking about here.

An understanding of the Spanning Tree Protocol is also required; I won't go into it in depth in this post.

Small Recap

Ethernet Flow Control makes use of PAUSE frames in order to notify an endpoint host to stop sending frames for a given amount of time. Depending on the bandwidth of the link, the PAUSE frames are sent at a specific interval:

- 100Mbps - every 300ms
- 1Gbps - every 30ms
- 10Gbps - every 3ms

That is to say, sending PAUSE frames more often than the interval appropriate for the link will considerably slow down the network and produce unexpected side effects.

Using PAUSE frames to force a new STP convergence - DOS

- Target Designated ports

Because PAUSE frames simply notify the host to stop sending frames, if we were to flood all the Designated ports of the root switch, we would immediately cut off all transmission of root BPDUs and user frames. As a consequence, all root ports on the other switches would enter a new STP convergence, since the root bridge has been completely cut off.

- Target Blocking ports

Remember, in the Blocking state the port still receives BPDUs without forwarding frames. Now let's say we decide to flood all the segments connecting to the blocking ports. What do you think will happen? Well, the blocked port no longer receives BPDUs and after 20 seconds starts transitioning to the listening state; a total of 50 seconds later a new convergence has taken place, resulting in a redundant link becoming active and thus creating a switching loop/broadcast storm, which will degrade the network and bring it to its knees.

How to prevent an STP DOS

  1. Disable Ethernet Flow Control on a port if not needed

  2. Set a threshold for PAUSE frames sent and received

  3. Monitor for STP topology state changes

  4. Monitor the traffic for high frequencies of TCN and TC BPDUs
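Points 2 to 4 can be turned into a simple rate check. The script below is an added example and not part of the original post or any vendor tool: it derives the per-speed PAUSE interval from the 802.3x frame format (the pause_time field is 16 bits in units of 512 bit times, so the longest pause one frame can request is 65535 x 512 bit times, which is where the 300ms/30ms/3ms figures above come from), flags any port receiving PAUSE frames well above one per interval, and flags ports whose STP topology-change counter is climbing. The counter snapshots are constructed for the example; the alert factor and the topology-change limit are assumed tuning values, and in practice the counters would be polled from the switch over SNMP or the CLI.

```python
"""Rate-based detection of PAUSE-frame floods and STP churn (added example).

Counter snapshots are constructed inline; nothing here is switch-specific.
"""
from collections import defaultdict

PAUSE_QUANTUM_BITS = 512   # IEEE 802.3x: pause_time is counted in 512-bit-time quanta
MAX_PAUSE_QUANTA = 0xFFFF  # pause_time is a 16-bit field


def max_pause_seconds(link_bps: int) -> float:
    """Longest pause a single PAUSE frame can request on a link of this speed.
    100 Mbps -> ~0.335 s, 1 Gbps -> ~0.0335 s, 10 Gbps -> ~0.00335 s."""
    return MAX_PAUSE_QUANTA * PAUSE_QUANTUM_BITS / link_bps


def pause_rate_threshold(link_bps: int) -> float:
    """PAUSE frames per second needed to keep a link paused continuously.
    One frame per maximum pause interval is enough; a sender going far
    beyond that is renewing the pause much faster than it has to."""
    return 1.0 / max_pause_seconds(link_bps)


# Constructed cumulative counter snapshots:
# (time in s, port, link speed in bps, PAUSE frames received, STP topology changes seen)
SAMPLES = [
    (0,  "Gi0/1",  1_000_000_000, 120,    3),
    (10, "Gi0/1",  1_000_000_000, 140,    3),   # 2 PAUSE/s on 1G: ordinary congestion
    (0,  "Gi0/2",  1_000_000_000, 0,      3),
    (10, "Gi0/2",  1_000_000_000, 5000,   3),   # 500 PAUSE/s on 1G: far above ~30/s needed
    (0,  "Fa0/24", 100_000_000,   10,     3),
    (10, "Fa0/24", 100_000_000,   15,     9),   # PAUSE rate fine, but 6 topology changes in 10 s
]


def analyse(samples, tcn_per_minute_limit=5.0, factor=2.0):
    """Return (port, reason, observed_rate) alerts from cumulative counter snapshots.

    factor: assumed tolerance; alert when the PAUSE rate exceeds factor times the
            rate needed to hold the link paused at its speed.
    tcn_per_minute_limit: assumed limit on STP topology changes per minute.
    """
    by_port = defaultdict(list)
    for t, port, bps, pause_rx, tcn in samples:
        by_port[port].append((t, bps, pause_rx, tcn))

    alerts = []
    for port, rows in by_port.items():
        rows.sort()  # chronological order per port
        for (t0, bps, p0, c0), (t1, _, p1, c1) in zip(rows, rows[1:]):
            dt = t1 - t0
            if dt <= 0 or p1 < p0 or c1 < c0:
                continue  # duplicate sample or counter reset: no rate to compute
            pause_rate = (p1 - p0) / dt
            if pause_rate > factor * pause_rate_threshold(bps):
                alerts.append((port, "pause-flood", pause_rate))
            tcn_per_min = (c1 - c0) * 60.0 / dt
            if tcn_per_min > tcn_per_minute_limit:
                alerts.append((port, "stp-churn", tcn_per_min))
    return alerts


if __name__ == "__main__":
    for speed in (100_000_000, 1_000_000_000, 10_000_000_000):
        print(f"{speed // 1_000_000} Mbps: max pause {max_pause_seconds(speed):.4f} s, "
              f"~{pause_rate_threshold(speed):.1f} PAUSE/s keeps the link stopped")
    for port, reason, rate in analyse(SAMPLES):
        print(f"ALERT {port}: {reason} ({rate:.1f}/s or per minute)")
```

A PAUSE flood against designated or blocking ports shows up in the first check long before the 50-second STP timers expire, which is the window a defender has; the second check catches the convergence itself from the topology-change counter regardless of what caused it.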

Cheers,

Ali