LOR Staff, posted January 31, 2014:
Well, sort of non-LOR. For some reason, something in my lab has decided to go on a 'network flood'. I've captured a bunch of packets, and the flood appears to be a bunch of 'MAC Flow Control' Pause Sending frames, with a quanta of 0 (unpause). It appears that the packets are either originating or terminating with a single computer on the network. I can tell because I see the light on the switch just flashing its little head off for that particular computer. I've used the Microsoft Network Monitor to capture a bunch of frames. I've attached 11 of them here. Can anyone give me a clue as to what the heck is happening? I know enough about networking to be dangerous, and I know next to nothing this close to the metal (frames).
Attachment: fb.zip
Bizywk, posted January 31, 2014:
PM sent.
wbaker4, posted January 31, 2014:
Could be a denial of service attack.
LOR Staff (author), posted January 31, 2014:
So I poked around some more... It's a single computer that is doing it, the one I posted the capture from. I have a big network (well, relatively), but nothing complicated. Just 4 switches and a router (for the outside world). Everything inside runs on a single subnet on those. All the switches sit directly off the router but 1 (which is cascaded from an upstream switch). All of them are dumb, non-managed. I'm pretty sure it's that this NIC doesn't like this particular switch. It's a GB NIC, and when I connect it to this particular GB switch is when I get the flood. If I hook it up to the other GB switch, or one of the other 100MB switches, it's fine. In fact, right now I have the computer running on the other GB switch which is cascaded to the GB switch it has a problem with, which is cascaded up to the router. No flood. Swapping cables does not affect anything.

FiOS -> GB Switch 1 -> Problem Computer -- FLOOD!
FiOS -> GB Switch 1 -> GB Switch 2 -> Problem Computer -- all OK
FiOS -> 100MB POE -> Problem Computer -- all OK
FiOS -> 100MB WAP Switch -> Problem Computer -- all OK

The 2 just don't seem to like each other.
Max-Paul, posted January 31, 2014 (edited):
Ok, I missed that moving the computer over to the other GB switch cleared the problem. So, I am editing out my useless comment.
(Edited January 31, 2014 by Max-Paul)
kiplorenzo, posted February 1, 2014:
In the tech world I work in, any computer that is causing ANY bandwidth issue should be taken off the network. Run a Malwarebytes scan as well as 2 different antivirus. Also check the driver for the card on the flooding computer. There is the possibility of the 2 hardwares not talking nicely, but that chance is rare. Just my 2 cents.
-klb-, posted February 1, 2014:
I'm not aware of any reason that malware would mess with spanning tree. There really is nothing to be gained unless you are trying a denial of service attack. And this was way too clumsy to be an effective large scale denial of service attack. Plus, what malware behaves differently depending on the switch it is plugged into?
LOR Staff (author), posted February 1, 2014:
"I'm not aware of any reason that malware would mess with spanning tree. There really is nothing to be gained unless you are trying a denial of service attack. And this was way too clumsy to be an effective large scale denial of service attack. Plus, what malware behaves differently depending on the switch it is plugged into?"

Exactly. It's just going to be one of those 'what the HECK??!!' kind of things. I would blame the switch, but everything else connected to it works fine. I'd blame the NIC, but it works connected to a different switch. I've looked at a large number of frames, and I don't see anything unusual -- just normal network chatter (announces, requests, etc. and the occasional ping of Dropbox). The only weird thing is the back and forth 'HOLD IT!', 'NO OK GO!' these 2 like to smack each other with when hooked up to the D-Link switch. I have to look in my POOP (Pile Of Other Parts) to see if I have a different GB NIC I can try.
a31ford, posted February 2, 2014 (edited):
What about (I'm doing process of elimination diag here) another computer at that cable, at that port, on that switch? (EVERYTHING the same into that port on that switch except a different computer.) (Easier to try than switching network cards.)

I have in my junk (POOP, LOL, love it) pile 3 smaller dumb switches that have one bad port each. Guess what they do..... packet storm the network when THAT port is utilized.....

IF it still does it (that port), then try a different cable. IF there is in-wall wiring, then ALSO try bypassing it with a long cable, OR moving the suspect computer to the switch for a test.

I have seen the following.... brown and green pair reversed (will still do 100/full on the blue and orange pair being correct), BUT will chatter. HOWEVER, the brown set is used for a strange HARDWARE handshake on some inexpensive switches (older Linksys and D-Link are common ones). Something about (their) exclusive "speed" ability when using ALL the parts in the network chain (switch, card, & router being faster than other manufacturers'). Older 3Com stuff was like this also; if you used a 3Com switch and 3Com network cards, somehow they (as a set) would outperform others in data speed tests. Switch the brown/green pair somewhere between and POOF!! data storm @!@

Just trying to help.
Greg
(Edited February 2, 2014 by a31ford)
Ken Benedict, posted February 3, 2014 (edited):
I had a problem with some of the Adobe products creating a file server out of my computer; it seems that in order to get quick download times, they store software on YOUR computer and access it with their file management software (download manager), and you become a personalized file server for Adobe.

See Akamai Download Manager: http://helpx.adobe.com/x-productkb/policy-pricing/akamai-download-manager-faq.html
and: http://www.shouldiremoveit.com/adobe-download-manager-6550-program.aspx
The sales brochure: http://www.akamai.com/dl/brochures/Product_Brief_Sola_DLM.pdf
Akamai has their own servers, but also uses your computer to help deliver software to their customers: http://www.akamai.com/html/technology/index.html

I saw a lot of internet traffic going to places unknown to me, and after uninstalling it, network traffic went back to normal.

From Wikipedia: "However, this software operates not merely as a download manager (delivering content from the Internet to the user's computer) but also as a peer-to-peer server, delivering content cached on the user's computer to other users' computers"

Just offering a suggestion.
(Edited February 3, 2014 by Ken Benedict)
-klb-, posted February 3, 2014:
For anyone suggesting that this is malware, or even BitTorrent style traffic, go download the sample and examine it. It isn't even network layer traffic. There are no IP addresses. It is all Data Link layer traffic. The source address is the MAC address for broadcast, and the destination is the MAC address for spanning tree. Either something about this NIC or driver is really throwing the switch firmware for a loop, or something about the switch is throwing the NIC firmware or driver for a loop. Nothing more.

Where I work, I am obligated to report things that look like security events to a couple of other teams. The attached packet capture wouldn't even catch anyone's attention except to update drivers and/or firmware until it went away, or change where things plugged in, as above. If it persisted, the vendors would be engaged, just to figure out how to solve it before we saw more of it elsewhere.
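The check -klb- describes (open the capture and look at what layer the frames live at) can be automated. The script below is an added example, not code from anyone in this thread and not derived from the attached fb.zip: it decodes raw Ethernet frames, picks out IEEE 802.3x MAC Control frames (EtherType 0x8808, opcode 0x0001 = PAUSE, sent to the reserved multicast address 01:80:C2:00:00:01), records the pause quanta (0 meaning "resume"), and tallies PAUSE frames per source MAC so that one station flooding flow-control frames stands out from ordinary chatter. The sample capture at the bottom is constructed to resemble the first post's symptom (one host emitting quanta-0 PAUSE frames at a high rate); the MAC addresses, the 50-frames-per-second threshold and the `(timestamp, frame_bytes)` capture shape are assumptions of this example, not values from the thread.

```python
"""Decode IEEE 802.3x PAUSE frames from raw Ethernet frames and report per-source
PAUSE rates.  Added example for this thread; the frames it reads are constructed."""
import struct
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

PAUSE_DST = "01:80:c2:00:00:01"      # reserved multicast address for MAC Control frames
MAC_CONTROL_ETHERTYPE = 0x8808       # EtherType for 802.3x MAC Control
PAUSE_OPCODE = 0x0001                # MAC Control opcode for PAUSE


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes) -> Optional[dict]:
    """Decode the 14-byte Ethernet header; for a MAC Control frame also decode
    the opcode and, for PAUSE, the 16-bit pause quanta that follows it."""
    if len(frame) < 14:
        return None                                  # runt: not even a full header
    (ethertype,) = struct.unpack("!H", frame[12:14])
    info = {"dst": fmt_mac(frame[:6]), "src": fmt_mac(frame[6:12]),
            "ethertype": ethertype, "pause": False}
    if ethertype == MAC_CONTROL_ETHERTYPE and len(frame) >= 18:
        opcode, quanta = struct.unpack("!HH", frame[14:18])
        info["opcode"] = opcode
        if opcode == PAUSE_OPCODE:                   # other opcodes (e.g. PFC) are not PAUSE
            info["pause"] = True
            info["quanta"] = quanta                  # 0 = resume, else pause for quanta*512 bit times
    return info


def build_pause_frame(src_mac: str, quanta: int) -> bytes:
    """Construct a minimum-size PAUSE frame (only used to make sample input here)."""
    payload = struct.pack("!HH", PAUSE_OPCODE, quanta)
    payload += b"\x00" * (46 - len(payload))         # pad to the 46-byte minimum payload
    return (bytes.fromhex(PAUSE_DST.replace(":", ""))
            + bytes.fromhex(src_mac.replace(":", ""))
            + struct.pack("!H", MAC_CONTROL_ETHERTYPE) + payload)


def pause_report(capture: Iterable[Tuple[float, bytes]], max_pause_per_sec: float = 50.0) -> dict:
    """capture: (timestamp_seconds, frame_bytes) pairs.  Returns per-source counts of
    PAUSE frames (split into quanta-0 'unpause' and non-zero 'pause') plus the list of
    sources whose sustained PAUSE rate exceeds max_pause_per_sec.  Windows shorter than
    one second are treated as one second so a single stray PAUSE is never flagged."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: {"pause": 0, "unpause": 0, "other": 0})
    first: Dict[str, float] = {}
    last: Dict[str, float] = {}
    for ts, frame in capture:
        info = parse_frame(frame)
        if info is None:
            continue
        src = info["src"]
        if info["pause"]:
            counts[src]["unpause" if info["quanta"] == 0 else "pause"] += 1
            first.setdefault(src, ts)
            last[src] = ts
        else:
            counts[src]["other"] += 1
    flagged: List[str] = []
    for src, c in counts.items():
        n = c["pause"] + c["unpause"]
        if n and n / max(last[src] - first[src], 1.0) > max_pause_per_sec:
            flagged.append(src)
    return {"sources": dict(counts), "flagged": sorted(flagged)}


def sample_capture() -> List[Tuple[float, bytes]]:
    """Constructed sample: one host sends 200 quanta-0 PAUSE frames within a second,
    another host sends two broadcast ARP frames (EtherType 0x0806).  Not real data."""
    noisy, quiet = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
    cap = [(i / 200.0, build_pause_frame(noisy, 0)) for i in range(200)]
    arp = (bytes.fromhex("ffffffffffff") + bytes.fromhex(quiet.replace(":", ""))
           + struct.pack("!H", 0x0806) + b"\x00" * 46)
    cap += [(0.3, arp), (0.9, arp)]
    cap.sort(key=lambda pair: pair[0])
    return cap


if __name__ == "__main__":
    report = pause_report(sample_capture())
    for src, c in report["sources"].items():
        print(f"{src}: pause={c['pause']} unpause={c['unpause']} other={c['other']}")
    print("flooding PAUSE frames:", report["flagged"] or "none")
```

To run this on a real capture, feed `pause_report()` the per-frame timestamps and raw bytes from your capture file (for example via a pcap reader of your choice); the report tells you immediately whether the traffic is MAC-layer flow control rather than anything carrying IP, and which station is sourcing it.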
MikeERWNC, posted February 3, 2014:
Check to see that the NIC and switch port are set to auto. Sometimes there are issues when one is set to auto and the other is set at a speed/duplex. You can also check the logs on the switch to see if there are any CRC errors.