HPE Community
Switches, Hubs, and Modems
1752805 Members
5746 Online
108789 Solutions
New Discussion юеВ

Re: HP Procurve 5308xl hangs in case of teardrop attack

 
Massimo Vignone
Occasional Advisor

тАО08-26-2003 10:51 PM

тАО08-26-2003 10:51 PM

HP Procurve 5308xl hangs in case of teardrop attack

Hello everybody,

I've several hp 5308xl, all of them configured with ospf routing, no ip directed broadcast (for smurfing attacks) and broadcast limit activated.

This helped me a lot to avoid DoS attacks on my net. Unfortunately, I can't avoid teardrop attack, caused by some viruses.

An infected computer flooded the net with ip fragments: the 5308xl switch hangs, showing a cpu load of 7000 percent.

Any suggestion to avoid this ?

TIA,

Massimo
0 Kudos
10 REPLIES 10
Johan Eriksson
Advisor

тАО08-27-2003 01:23 AM

тАО08-27-2003 01:23 AM

Re: HP Procurve 5308xl hangs in case of teardrop attack

Hi, im interested in what kind of IP fragments it was. Can it have been IGMP joins or was it just alot of rubbish from different computers?

I'm trying to find a way to manage DOS countermeasures in HP switches. Its a shame they dont have the same functions for DOs attacks as Extreme or Cisco has.

Regards,

Johan Eriksson
Johan
0 Kudos
Massimo Vignone
Occasional Advisor

тАО08-27-2003 03:19 AM

тАО08-27-2003 03:19 AM

Re: HP Procurve 5308xl hangs in case of teardrop attack

I don know what kind of fragments the computer send on the net.

It could be IGMP, but I think that the broadcast-limit statement in the 5308xl configuration shoould block them.

The strange thing is that a single machine (this is my case) can hang a switch with a large backplane as the 53xx.

That makes me think that are some bug in the TCP/IP stack of the 53xx, and if the routing is enabled, sending an ip fragments flood with bad offset values can hang the switch. I think that the switch tries to reassembly the packets, with high cpu load values.

Using a keyword 'fragments' in the access-list statement (as in IOS) could help: unfortunately, this keyword does not exist in the Procurve 53xx.

Massimo
0 Kudos
Markku Leinio
Valued Contributor

тАО08-27-2003 10:56 AM

тАО08-27-2003 10:56 AM

Re: HP Procurve 5308xl hangs in case of teardrop attack

As a side question, are there any specifications about the "broadcast-limit" command, how will it change the behaviour of the switch?

Procurve 2524 has some configurable threshold for broadcast limiting, 5300XL does not seem to have any options for that.
0 Kudos
Massimo Vignone
Occasional Advisor

тАО08-27-2003 10:41 PM

тАО08-27-2003 10:41 PM

Re: HP Procurve 5308xl hangs in case of teardrop attack

If you sue Procurve 2524 or 2650 you need to specify the bandwidth percentage allowed for broadcast/multicast traffic.

With Procurve 53xx you don't need to specify it, because the switch adapt the allowed bandwidth automatically.

Massimo
0 Kudos
Johan Eriksson
Advisor

тАО08-28-2003 04:50 AM

тАО08-28-2003 04:50 AM

Re: HP Procurve 5308xl hangs in case of teardrop attack

Broadcast control is only monitoring broadcast and acts as a proxy for these packets. It does not affect multicast traffic.

Back to the first message: What you are saying is that if ONE computer with 100mbps uplink sends bad packets to the 530x switch it hangs? Is this correct? Have you reported this to the HP support?

Johan Eriksson
Johan
0 Kudos
Massimo Vignone
Occasional Advisor

тАО08-28-2003 05:27 AM

тАО08-28-2003 05:27 AM

Re: HP Procurve 5308xl hangs in case of teardrop attack

Quoting from the 5300xl series manual:

"Broadcast limit - Reduces the bandwidth for broadcast and _multicast_ traffic on all ports on the switch. Any broadcast or multicast overload will be dropped. This feature is not appropriate for networks that require high levels of IPX or RIP broadcast traffic".

So, if you use the broadcast-limit statement, the switch should limit broadcast/multicast bandwidth.

Back to my problem: YES, if there is an ip fragments flood (with overlap offset) the switch hangs.

I reported the problem to HP today.

Maybe that Procurve 5300xl series is not rfc 1858 compliant?

Massimo
0 Kudos
Markku Leinio
Valued Contributor

тАО08-28-2003 05:42 AM

тАО08-28-2003 05:42 AM

Re: HP Procurve 5308xl hangs in case of teardrop attack

Which manual are you referring to? My "management and configuration guide" (Software Release E.07.2x or Greater, part number 5990-3016) only says:

"Configuring a Broadcast Limiting on the Switch. Executing this command
configures broadcast limiting for all ports on the switch.
Syntax: broadcast-limit"

(and that the current setting can be seen from "show run" output)

Great that you bring up any issues with 5300XL. There are so few user comments in the net about that device.
0 Kudos
Massimo Vignone
Occasional Advisor

тАО08-28-2003 05:55 AM

тАО08-28-2003 05:55 AM

Re: HP Procurve 5308xl hangs in case of teardrop attack

I'm referring to "HP ProCurve Series 5300XL Switches Management and Configuration Guide (Edition 7, April 2003)", available on the net on the HP site in Pdf format.

The quoted paragraph is in chapter 9, 9-4; see also 9-11.

Massimo
0 Kudos
Markku Leinio
Valued Contributor

тАО08-28-2003 10:53 AM

тАО08-28-2003 10:53 AM

Re: HP Procurve 5308xl hangs in case of teardrop attack

Thanks for the exact pointer. The keywords "broadcast" and "limit" are in the beginning of separate lines, that's why my search didn't catch it.
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.