[Sidewinder] How to melt your internal network
Sidewinder moderated discussion list
sidewinder at adeptech.com
Mon Nov 5 03:34:25 EST 2007
"And I thought, I would only ever *read* about broadcast storms ..."
How to bring your network to its knees in five simple steps.
------------------------------------------------------------
Parents: this man is a trained professional. Don't let your
children try this at home without qualified adult supervision.
Ingredients:
1 Sidewinder 7 Firewall (the culprit)
1 DHCP server
1 Layer 2 infrastructure aka switch
N PCs and servers (the victims)
1 Apple Macbook Pro running Mac OS X [1]
(the one to take the blame - first)
1. Configure your Sidewinder firewall for intra-burb packet forwarding
on the internal burb. Probably because it's the default gateway to most
other systems and you have a bunch of additional routers.
2. Configure your Sidewinder firewall to have at least two distinct
IP addresses on the internal interface. This is easily achieved by
making it the active node of an HA cluster.
3. Bring in a brand new Macbook Pro, because your technical director is
an incorrigible Unix geek and would rather run Windows in some VM if
at all. Let the Mac get an IP address etc. matching your internal
network via DHCP and enjoy working for a while.
4. Tell the Mac to say "Hi!"
Mac: "Bonjour, Mesdames et Messieurs!" [2]
Sidewinder: *burp* [3]
PCs: *argh* [4]
5. Relaxen and watchen das blinkenlichten. That is, the network utilization
display on your switch reaching unknown heights.
[1] A Mac is not strictly necessary. It only happens to be the only
remotely "mainstream" OS that by default uses "Bonjour".
You can download and install Bonjour for Windows.
[2] Bonjour is Apple's marketing term for the Zeroconf standard, using
multicast DNS for local service discovery. The idea is to send
a query to the "all hosts" address. Every device that thinks
it is capable of delivering the requested service answers.
In my case I simply wanted to set up a printer.
[3] Looks like the Sidewinder upon receiving the packet directed to
"all hosts" decided to take that as two copies - to each "host"
or IP address on the internal IF.
OTOH it did not recognize the packets as being directed to itself
and decided to forward them back into the internal network.
This resulted in two packets being sent to the wire which resulted
in four packets received by the firewall. Aaah, exponential growth ...
[4] I got a call on my mobile a couple of minutes after I left the office
(great timing). My coworker asked if I had any explanation why on
some PCs CPU utilization skyrocketed while connected to the network
rendering the machines unusable. He had used tcpdump on the console
of our internal FreeBSD server, to discover that the network was
flooded with packets to the all hosts multicast address and a source
address matching "Bruichladdich" - which happens to be the hostname
of my new Mac. Unplugging the Mac did not (!) end this.
Digging deeper, a little later we found that while the
source IP address matched my Mac, the source Ethernet address
matched our Sidewinder firewall.
Rebooting the active node of our HA cluster let us enjoy peace
and quiet again.
I'm not going to browse the network for printers in the next
couple of days, but I'm keeping my fingers crossed.
Secure Computing: please fix.
Kind regards,
Patrick M. Hausen
Head of Networks and Security
--
punkt.de GmbH * Vorholzstr. 25 * 76137 Karlsruhe
Tel. 0721 9109 0 * Fax 0721 9109 100
info at punkt.de http://www.punkt.de
Managing director: Jürgen Egeling, AG Mannheim 108285