On Feb 9, 2012, at 6:54 PM, Bob Hoffman wrote:
entire ip block went out.
when I called datacenter they told me the router was under attack
and I
was like 'uh oh' and told them to just shut off my computer I would be
there to fix it. They did not believe me.
An hour later I was there and deleted the eth1 point to the br0 and
all
was fine.
Meanwhile they were all around the router trying to stop the attack.
(it was just the router for me and others in that room....oops)
I wonder if they will boot me from the center now?
How is it possible that it did that so quickly?
Such an easy way to bring down routers, wow, a hacker could have a
field
day.
If you weren't running a spanning-tree on your Linux bridge, and their
switch ports aren't sending you BPDU's for STP, then you found out
what happens when you activate a bridging (from the point of view of
the switch, not the Linux bridging) loop. Been there, done that.
Most monitoring tools are written to track layer-3 happenings, and
this is happening at layer 2. And it will take down that whole layer
2 broadcast domain, that's for sure.
And since many, if not most, tools are working at layer 3 and dealing
with IP flows and not actual ethernet traffic, none of the typical
layer 3 tools will give any indication why the network just bogged
down to a halt; you just about have to have a network probe (like
wireshark) on a SPAN port to catch it, unless you know some of the
telltale signs. On a gigabit switch a fully saturating bridge loop
can form in less than a second, and bring things close to a halt.
Most datacenter switches have configurable parameters to guard against
loops (Cisco even has a feature called, appropriately enough,
loopguard, but this may or may not fix this case).
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
