Ethernet Pause Flooding?

Unanswered Question
Oct 6th, 2008

Every couple of weeks our LAN grinds to a near-halt. Pings on the local segment time out every other attempt. When I traced things with Wireshark I see a steady flood of Spanning Tree for Bridges CTRL MAC Pauses hitting the wire.

There is one packet with a Quanta of 0, followed by another packet with a Quanta of 65535. These alternate back and forth eating up the network.

What's frustrating is that the MAC addresses for both sender and destination are the generic STP id of 01:80:C2:00:00:01. So I can't necessarily track it down to a rogue managed switch.

Would non-managed switches forward these Ethernet pauses to other devices? I'm having trouble isolating the root cause. Right now I'm checking some NIC settings on our servers and am going to turn Flow Control off on them. They are set to Generate and Respond right now. But I would think then the MAC address of the server would show up in my packet captures.

I have mostly hubs at this site, with three unmanaged switches of various makes (one Cisco, one 3Com, one SMC) but I don't see how they could be set for using STP and whatnot since they are dumbed down...

John Blakley Mon, 10/06/2008 - 11:52

I'm just throwing this out there. What type of switch do you have connected as your main switch? Is it L2 or L3? On the ports that the hubs and other switches are connected to, it's recommended that you have portfast disabled. Having portfast enabled makes the switchport bypass the listening and learning state, and immediately puts it in forwarding. This can cause spanning tree issues on the network.

I would get rid of the hubs and replace with switches if you could :-)

--John

gregarican2 Tue, 10/07/2008 - 05:01

Our Internet connection is bridged through a Cisco/Linksys SD208 to our demarc. One floor of the building connects through an SMC EZSwitch EZ108DT. Another floor connects through a 3Com Baseline 2024 3C16471. There are hubs on each floor as well that chain to/from the switches.

I'm not sure about the specs if these switches are Layer 2 or 3. What is puzzling is that these are unmanaged hubs and I cannot connect to them to provision them. So I can't enable/disable portfast. They are "out of the box."

The fact that the source and destination MAC are both the generic STP id (01:80:C2:00:00:01) makes it really odd. Could this be some sort of malicious DDOS attack?

I have disabled Flow Control on conspicuous servers (like our ISA 2004 box, and a few notable file servers). Not sure if this will have an effect on things or not.

One thing I did notice. Connected to our Internet switch I have a Cisco/Linksys WRT54G wireless router. This is just for Internet access when guests visit our facility. The only way these guests could connect to our internal network would be connecting in through our ISA 2004 box, which is the only other host plugged into the Internet switch. The ISA 2004 box is dual-homed with an internal and an external NIC.

Could it be possible that remote DDOS intrusions could be coming in through this route? I did see that remote management was enabled on the WRT54G. And I know there are exploits of the remote management facility published. I have since disabled this feature and gave the device a different static IP other than the default.

Just grasping at straws apparently :-/

gregarican2 Tue, 10/07/2008 - 05:14

I checked the specs of these switches and they appear to be just the L2 type. They provide store-and-forward packet switching, 802.3x full/half duplex flow control, etc. They aren't so sophisticated as supporting STP, VLAN, etc.

If it's not a malicious DDOS attack coming in periodically I can only imagine a bad NIC or switch. But wouldn't there be a real MAC address stuck in there if it was a bad NIC? I guess a bad unmanaged switch wouldn't have a MAC to throw in there if it was the culprit...
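
One way to quantify the flood described in this thread from a capture, as an added example that is not part of any poster's message: it picks out 802.3x PAUSE frames (MAC Control EtherType 0x8808, opcode 0x0001) and tallies them per source MAC, per quanta value and per one-second window. The function names, the threshold of 100 frames per window and the sample frames are assumptions constructed for illustration.

```python
import struct
from collections import Counter

PAUSE_DST = bytes.fromhex("0180c2000001")  # reserved multicast address seen in the thread
MAC_CONTROL = 0x8808                        # EtherType for MAC Control frames
OP_PAUSE = 0x0001                           # MAC Control opcode for PAUSE


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_pause(frame: bytes):
    """Return (src_mac, dst_mac, quanta) for a PAUSE frame, else None."""
    if len(frame) < 18:                     # 14-byte header + opcode + quanta
        return None
    ethertype, opcode, quanta = struct.unpack("!HHH", frame[12:18])
    if ethertype != MAC_CONTROL or opcode != OP_PAUSE:
        return None
    return mac(frame[6:12]), mac(frame[0:6]), quanta


def summarize(frames, window_s=1.0, threshold=100):
    """frames: iterable of (timestamp, raw_bytes). Threshold is an assumed value."""
    per_window, sources, quanta_seen = Counter(), Counter(), Counter()
    for ts, raw in frames:
        parsed = parse_pause(raw)
        if parsed is None:
            continue                        # not a PAUSE frame
        src, _dst, quanta = parsed
        per_window[int(ts // window_s)] += 1
        sources[src] += 1
        quanta_seen[quanta] += 1
    storms = sorted(w for w, n in per_window.items() if n >= threshold)
    return {"storm_windows": storms, "sources": dict(sources),
            "quanta": dict(quanta_seen)}


def make_pause(src_hex: str, quanta: int) -> bytes:
    """Build a constructed sample PAUSE frame, zero-padded to 60 bytes."""
    hdr = PAUSE_DST + bytes.fromhex(src_hex)
    return (hdr + struct.pack("!HHH", MAC_CONTROL, OP_PAUSE, quanta)).ljust(60, b"\x00")


# Constructed capture: 200 PAUSE frames in under a second with quanta alternating
# 0 / 65535 and the source field as reported in the thread, plus one ARP frame.
SAMPLE = [(i * 0.005, make_pause("0180c2000001", 0xFFFF if i % 2 else 0))
          for i in range(200)]
SAMPLE.append((0.5, bytes.fromhex("ffffffffffff" "001122334455" "0806") + bytes(46)))

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Feeding it the raw frames and timestamps exported from a real capture shows which one-second windows exceed the threshold and whether more than one source value ever appears in the PAUSE frames.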
