Yesterday around noon, the internet at my company started acting up. No matter, slowdowns happen and there’s roadwork going on outside: maybe they hit the fiber or something. So we waited.

Then our Samba servers started getting flaky. And the database too. Uh oh… That’s different.

We started investigating. Some machines were dropping ICMP packets like crazy, then recovered, then other machines started to become unpingable too. I fired up Wireshark and discovered an absolute flood of IGMP packets on all the trunks, mostly broadcast from Windows machines. It was so bad two Linux machines on the same switch couldn’t ping each other reliably if the switch was connected to the intranet.

So we suspected a DDoS attack initiated from within the intranet by an outside attacker. We cut off the internet, but the storm of packets kept on coming. Physically disconnecting machines from the intranet one by one didn’t do a thing either.

Eventually, we started disconnecting each trunk one by one from the main router until we disconnected one and all the activity lights immediately stopped on all the ports. We reconnected it and the crazy traffic resumed.

So we went to that trunk’s subrouter and did the same thing. When we found the cable that stopped all the traffic, we followed it and finally found one lonely $10 ethernet switch with… a cable with both ends plugged into the switch. We disconnected the cable and everything instantly returned to normal.

One measly cable brought the entire company to a standstill for hours! Because half of the software we have to use are cloud crap or need to call their particular motherships to activate their licenses, many people couldn’t work anymore for no good technical reason at all while we investigated the networking issue.

Anyway, I thought switches had protections against that sort of loopback connection, and routers prevented circular routes. But there’s theory and there’s reality. Crazy!
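Why one looped cable is enough, as an added illustration that is not part of the original post: Ethernet frames carry no hop limit, so an unmanaged switch keeps re-flooding every broadcast that comes back in through the loop. The port names and the `simulate` function are hypothetical, and the model is simplified to a single switch that floods broadcasts out of every port except the one they arrived on.

```python
def simulate(host_ports, loop, blocked=(), broadcasts=1, ticks=10):
    """Count broadcast copies sent out of host-facing ports, per tick.

    host_ports : ports with ordinary hosts attached (constructed names)
    loop       : the two ports joined by the stray patch cable
    blocked    : ports held in a blocking state, as spanning tree would
                 do to one end of the loop
    broadcasts : the first host sends one new broadcast per tick, this many times
    """
    ports = set(host_ports) | set(loop)
    peer = {loop[0]: loop[1], loop[1]: loop[0]}
    in_flight = []   # ingress port of every frame copy entering the switch
    delivered = []   # copies flooded out of host-facing ports, per tick
    for tick in range(ticks):
        if tick < broadcasts:
            in_flight.append(host_ports[0])
        next_flight, out = [], 0
        for ingress in in_flight:
            if ingress in blocked:
                continue  # a blocking port discards data frames it receives
            for egress in ports - {ingress} - set(blocked):
                if egress in peer:
                    # the frame leaves on one end of the cable and
                    # re-enters the same switch on the other end
                    next_flight.append(peer[egress])
                else:
                    out += 1
        in_flight = next_flight
        delivered.append(out)
    return delivered


if __name__ == "__main__":
    hosts = ["h1", "h2", "h3"]
    cable = ("p7", "p8")
    print("one broadcast, loop live:   ", simulate(hosts, cable, ticks=5))
    print("three broadcasts, loop live:", simulate(hosts, cable, broadcasts=3, ticks=5))
    print("three broadcasts, p8 blocked:",
          simulate(hosts, cable, blocked=("p8",), broadcasts=3, ticks=5))
```

With the loop live, each broadcast leaves two copies circulating forever (one per direction), so the per-tick load only ever grows as hosts keep broadcasting; with one end blocked, the traffic stops as soon as the hosts stop sending.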

53 points

Yea. This is what spanning tree and BPDU guard are for. Don’t disable them on your edge.

28 points

Lol imagine the poor dude in his office who was just bored and thought “what if I plug this cable back into the hub, probably won’t do anything”

37 points

Actually this happened in the lab. I know exactly who did this because he told me: we were discussing what had happened and he said “Oh yeah, Daniel and I needed to connect this Windows machine to the intranet quick because we had something urgent to do, and we connected all the ends of the nest of ethernet cables at random until the machine connected. And then we left everything as it was.” But bad luck for us, their machine was connected, but so was that fatal cable on both ends. It just happened that their machine kept working well enough for them to finish what they were doing without noticing the problems right away.

And in case you wonder, there’s no penalty in our company for owning up to honest mistakes, so that’s why he readily admitted to it. Only people who never do anything never do anything wrong.

16 points

That’s a healthy attitude! The blame game is useless in most cases.

4 points

I do hope you taught him the many better ways of doing this. I absolutely agree with making an environment where mistakes are easily owned up to (I made a mistake that ended up costing my employer over $10k in the last year), but if it isn’t coupled with turning those into learning experiences (here’s why you don’t do that, here’s why this is a better solution) then you just have a lot of mistakes happening over and over again.

6 points

In my experience it’s either someone doing it on purpose, or someone accidentally pulling the wrong cable out of a rat’s nest.

25 points

This got me too once. I was in the server room replacing old 110 punch panels/blocks with 8P8C connections. I lost track of cable connections, a mistake I have learned from, and I looped a patch cable into the same switch. Within moments the entire network went down.

Forty-five minutes later and we figured out the loop.

Another lesson learned: HP ProCurve switches did not have Spanning Tree enabled by default.

Anyway, mistakes happen, especially in IT. It’s all part of the learning experience. My boss was the coolest, chillest guy in the world so I learned and moved on.

16 points

I really hope you meant “switch” when saying “hub”. I haven’t seen a hub used in decades. Also your switch should have some level of STP protection enabled to prevent that. Even if someone had a hub with a routing loop, STP would have disabled the ports.

14 points

Basic unmanaged switches often don’t have any sort of protection, and on some fancier managed switches it’s disabled by default (no idea why).

12 points

> no idea why

Because it makes initial connection much slower. Dumb switch - you insert a cable and it works. STP-enabled switch: you insert a cable and it takes a while until the port is enabled (unless you do extra configuration, appropriate for your network topology). This is annoying and for inexperienced users it could seem like the switch ‘does not work’. It is easier to sell a switch without such a feature enabled by default.

2 points

the tyranny of the default strikes again

15 points

> But there’s theory and there’s reality.

Mood. I can’t count the times I’ve found issues that shouldn’t be possible, but are clearly happening.

13 points

We used to use Malwarebytes Corporate Edition at work.

One afternoon all of our web servers stopped responding to traffic on port 443. I could RDC into the servers, and I could ping them, but most traffic wasn’t being passed properly.

Despite not having made any changes, I did everything I could think of to get them to work. I tried moving them to different switches, different static IPs, Wireshark showed packets flowing, but no web traffic.

I left the office. It was around 8 PM and I had been banging my head on my desk trying to figure out what the hell was going on.

I came back around 10 PM, mind clear and stomach topped off. I worked a few more minutes, then heard the Outlook ding.

Mass email from Malwarebytes CEO. Bad update. Blocked all class B IP addresses by mistake (guess which class we used). Mea culpa. So sorry. New update fixes things.

I immediately uninstalled MWB CE and boom. Services restored.

The next week we got our licenses refunded by our VAR and we never used that product again.

0 points

Uninstalling antivirus should be step one.

2 points

“In theory, theory and practice are the same. But in practice…”

