For all the network techs out there, I have an interesting one. On reddit there was a post about an L2 switch killing the port whenever Art-Net was sent over it. Using my network experience, I pulled the device's manual; the device in question is a GSD-1002M L2/L4 switch. I wrote up how I would configure it. Long story short, it was the DoS protection on this switch. I dug in deeper and made this RCA for the issue.
I used Wireshark on a capture of the traffic and checked some of the default settings in the GSD-1002M manual.
In the highlighted data of the capture, the source and destination UDP ports are the same!
From the switch's manual, here are the defaults for the DoS protection settings.
The highlighted settings are the items of interest: the UDP BLAT and TCP BLAT settings.
What is a BLAT attack? These attacks result from sending a specially crafted packet to a machine where the source port is the same as the destination port. The system attempts to reply to itself, resulting in a system lockup.
This attack could be compared to setting up a mic in front of your main PA, 1″ away from the speaker, then turning it on full blast.
Looking at RFC 6056, Recommendations for Transport-Protocol Port Randomization:
“These attacks rely on the attacker’s ability to guess or know the five-tuple (Protocol, Source Address, Destination Address, Source Port, Destination Port) that identifies the transport protocol instance to be attacked.”
The RFC says the randomization needs to happen on the source port: the source port should be random, while the destination port is fixed (it is the well-known port of the service being contacted).
Looking at RFC 1948, Defending Against Sequence Number Attacks, from May 1996.
In summary, “source port == destination port” is a bad practice.
This bug was fixed in the Linux kernel networking subsystem a long time ago to avoid exactly this issue.
The commit that fixed the port bug in the kernel dates back to 2007.
Following up on that, let's look at the man page for ip(7),
in particular how a source socket is obtained to open two-way comms with a remote server (or multicast group):
“When connect(2) is called on an unbound socket, the socket is automatically bound to a random free port or to a usable shared port with the local address set to INADDR_ANY.”
So in closing:
source port == dest port is what triggers the BLAT DoS detection.
Now let's look at the protocol spec.
Looking at Art-Net's spec Here,
it states that the programmer must use source port 6454 to contact the destination listening port 6454 of the server.
That does not conform to multiple RFCs and is a bad practice.
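As an added illustration (my own code, not from the original post, the switch vendor or the Art-Net spec), here is a small Python model of the BLAT rule described above, applied to the 5-tuple from RFC 6056 as parsed out of constructed IPv4/UDP packets: an Art-Net datagram sent from port 6454 to port 6454 trips the rule, while the same datagram sent from an ephemeral source port (the ip(7) behaviour) does not. The packet builder, sample addresses and the exact form of the check are assumptions for the demo, not the switch's real implementation.

```python
import socket
import struct
from typing import NamedTuple, Optional

ART_NET_PORT = 6454           # UDP port fixed by the Art-Net spec (from the post)
PROTO_TCP, PROTO_UDP = 6, 17  # IPv4 protocol numbers for the two BLAT rules


class FiveTuple(NamedTuple):
    proto: int
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


def build_ipv4_udp(src_ip, dst_ip, src_port, dst_port, payload):
    """Construct a minimal IPv4+UDP packet as sample input (checksums left zero)."""
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, PROTO_UDP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return ip + udp


def parse_five_tuple(frame: bytes) -> Optional[FiveTuple]:
    """Pull the 5-tuple (RFC 6056's terms) out of an IPv4 packet carrying TCP or UDP."""
    ihl = (frame[0] & 0x0F) * 4            # IPv4 header length in bytes
    proto = frame[9]
    if proto not in (PROTO_TCP, PROTO_UDP):
        return None                        # no L4 ports to compare (e.g. ICMP)
    src_port, dst_port = struct.unpack("!HH", frame[ihl:ihl + 4])
    return FiveTuple(proto, socket.inet_ntoa(frame[12:16]),
                     socket.inet_ntoa(frame[16:20]), src_port, dst_port)


def is_blat(t: Optional[FiveTuple]) -> bool:
    """BLAT rule as the manual describes it: L4 source port == destination port."""
    return t is not None and t.src_port == t.dst_port


def classify(frames):
    """Return (five_tuple, flagged) per frame: the check to run on a capture."""
    return [(parse_five_tuple(f), is_blat(parse_five_tuple(f))) for f in frames]


# Constructed samples: an Art-Net datagram (the Art-Net ID string plus filler bytes)
ARTNET = b"Art-Net\x00" + bytes(10)
SPEC_COMPLIANT = build_ipv4_udp("10.0.0.5", "10.0.0.20", ART_NET_PORT, ART_NET_PORT, ARTNET)
EPHEMERAL_SRC = build_ipv4_udp("10.0.0.5", "10.0.0.20", 51234, ART_NET_PORT, ARTNET)

if __name__ == "__main__":
    for t, flagged in classify([SPEC_COMPLIANT, EPHEMERAL_SRC]):
        print(f"{t.src_port}->{t.dst_port}: {'BLAT' if flagged else 'ok'}")
```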
Workaround: disable BLAT protection on the ports carrying Art-Net.
Root cause: the Art-Net protocol says to use the same source port (client) as the destination port (server), and that is what causes the issue.