impossible circuit

Justin Shore justin at justinshore.com
Mon Aug 11 20:17:18 UTC 2008


Laurence F. Sheldon, Jr. wrote:
> George Carey wrote:
>
> I have not pencil-and-papered this to see if there is anything to it, 
> but I was wondering what would happen if you put a layer-two bridge 
> into a back-bone fabric and turned off "learning" so every packet is 
> flooded to every port.

Though not the same circumstances nor having the same symptoms as the 
OP's problem, I saw this happen once at a University I used to work for. 
A systems administrator insisted on having a hub between the SP's 
router and our core campus switch so he could sniff traffic.  Since the 
hub was there and I couldn't eliminate it I went ahead and used it 
myself for my own traffic capture point in the network with an OS X box 
running EtherPeek.  I did an OS update on the box one morning and went 
to a meeting.  During the meeting it was reported that the network was 
down.  I started looking into the problem at that point.  All Internet 
traffic was dead except SSH connections.  So I started sniffing on my 
NOC server for that server's traffic.  All my outbound TCP connections 
from the NOC were getting a RST from one L2 host and a SYN-ACK from 
another.  The MAC address sending the RST looked familiar but I couldn't 
identify it.  After searching through the network for the MAC I found it 
on the interface facing our border router and that damn hub.  The MAC 
was my OS X sniffing box.  The other MAC was the backside of the 
provider's router.

The OS X update I applied was the one that installed a host-based 
firewall.  The update automatically turned on the FW and permitted all 
local servers that were configured to run, in my case SSH, with 
everything else being denied.  The FW on the OS X box normally wouldn't 
see packets not destined for it until you put a nic in promisc mode such 
as what happens when you run EtherPeek.  The OS X box's FW was getting 
hits from traffic denied by its ACL and was sending TCP RSTs faster 
than hosts on the 'Net could respond.  It did this for everything except 
SSH which it permitted (but higher up the IP stack it ignored because 
the IP packet was addressed to the local box).

This isn't in any way related to the problem at hand but it does 
demonstrate that weird things happen when devices in unusual places 
flood out all ports.

Justin
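The diagnostic step in the story above (outbound SYNs answered by a RST from one MAC and a SYN-ACK from another) can be automated against a capture. This is an added example, not code from the post; the frame records are constructed, and in practice they would be read from a pcap rather than embedded.

```python
from collections import defaultdict

# Constructed sample of sniffed frames, modelled on the symptom in the post:
# (src_mac, src_ip, src_port, dst_ip, dst_port, tcp_flags)
FRAMES = [
    ("00:0c:29:aa:aa:aa", "10.1.1.5", 40001, "198.51.100.10", 80, "S"),
    ("00:11:22:33:44:55", "198.51.100.10", 80, "10.1.1.5", 40001, "R"),   # RST, unknown MAC
    ("00:1a:2b:3c:4d:5e", "198.51.100.10", 80, "10.1.1.5", 40001, "SA"),  # SYN-ACK, router MAC
    ("00:0c:29:aa:aa:aa", "10.1.1.5", 40002, "198.51.100.20", 443, "S"),
    ("00:11:22:33:44:55", "198.51.100.20", 443, "10.1.1.5", 40002, "R"),
    ("00:1a:2b:3c:4d:5e", "198.51.100.20", 443, "10.1.1.5", 40002, "SA"),
    ("00:0c:29:aa:aa:aa", "10.1.1.5", 40003, "198.51.100.30", 22, "S"),
    ("00:1a:2b:3c:4d:5e", "198.51.100.30", 22, "10.1.1.5", 40003, "SA"),  # SSH: no RST seen
]


def group_responses(frames):
    """Map each client-initiated flow to {tcp_flags: set(source MACs)} for its replies."""
    responses = defaultdict(lambda: defaultdict(set))
    for src_mac, sip, sport, dip, dport, flags in frames:
        if flags == "S":          # the client's own SYN is not a reply
            continue
        flow = (dip, dport, sip, sport)   # normalise to (client_ip, client_port, server_ip, server_port)
        responses[flow][flags].add(src_mac)
    return responses


def find_rogue_rst_senders(frames):
    """Return {mac: flow_count} for MACs that RST a flow which a *different* MAC answered with SYN-ACK.

    A RST from the same MAC that also sent the SYN-ACK is a normal closed port, not a rogue
    responder, so it is not counted.
    """
    suspects = defaultdict(int)
    for flow, by_flag in group_responses(frames).items():
        legit = by_flag.get("SA", set())
        for mac in by_flag.get("R", set()) - legit:
            if legit:
                suspects[mac] += 1
    return dict(suspects)


def unaffected_server_ports(frames):
    """Server ports whose flows got a SYN-ACK and no RST at all (the 'everything except SSH' case)."""
    ports = set()
    for (_, _, _, sport), by_flag in group_responses(frames).items():
        if "SA" in by_flag and "R" not in by_flag:
            ports.add(sport)
    return ports
```

A MAC reported by `find_rogue_rst_senders` is the one to chase through the switch forwarding tables, exactly as the post describes doing by hand.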
