Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Availability Attacks Without an Adversary: Evidence from Enterprise LANs

Rajendra Paudyal, Rajendra Upadhyay, Al Nahian Bin Emran, Lisa Donnan, Duminda Wijesekera

TL;DR

The paper investigates how routine, benign insider actions at the access layer can cause availability outages in enterprise LANs by triggering Rapid Spanning Tree Protocol (RSTP) control-plane recalculations. It presents an empirical study across production sites, showing docking/undocking events lead to 2–4 second disruptions in real-time services such as VoIP and video, and formalizes this as an unintentional insider-driven denial-of-service within NIST and MITRE frameworks. The root cause is the interaction between docking-induced topology changes and RSTP convergence, including MAC-address-table flushing, modeled with $T_{conv} = t_{detect} + t_{prop} + t_{sync}$ and $P_{loss} \propto \int_{t_{0}}^{t_{0}+t_{sync}} \lambda_{rt} \, dt$. The paper offers a practical mitigation by explicitly configuring edge ports with PortFast to exclude end-host docking from spanning-tree calculations, preserving loop prevention and highlighting the need to treat Layer-2 configurations as security-relevant. Overall, the work reveals a previously underrecognized class of insider-threats driven by legitimate user behavior and calls for integrating control-plane hardening into risk models and security baselines to protect availability in real-world networks.

Abstract

Denial-of-Service (DoS) conditions in enterprise networks are commonly attributed to malicious actors. However, availability can also be compromised by benign non-malicious insider behavior. This paper presents an empirical study of a production enterprise LAN that demonstrates how routine docking and undocking of user endpoints repeatedly trigger rapid recalculations of the control plane of the Rapid Spanning Tree Protocol (RSTP) [1]. Although protocol-compliant and nonmalicious, these events introduce transient forwarding disruptions of approximately 2-4 seconds duration that degrade realtime streaming (voice and video) services while remaining largely undetected by conventional security monitoring. We map this phenomenon to the NIST and MITRE insider threat frameworks, characterizing it as an unintentional insider-driven availability breach, and demonstrate that explicit edge-port configuration effectively mitigates the condition without compromising loop prevention

Availability Attacks Without an Adversary: Evidence from Enterprise LANs

TL;DR

The paper investigates how routine, benign insider actions at the access layer can cause availability outages in enterprise LANs by triggering Rapid Spanning Tree Protocol (RSTP) control-plane recalculations. It presents an empirical study across production sites, showing docking/undocking events lead to 2–4 second disruptions in real-time services such as VoIP and video, and formalizes this as an unintentional insider-driven denial-of-service within NIST and MITRE frameworks. The root cause is the interaction between docking-induced topology changes and RSTP convergence, including MAC-address-table flushing, modeled with and . The paper offers a practical mitigation by explicitly configuring edge ports with PortFast to exclude end-host docking from spanning-tree calculations, preserving loop prevention and highlighting the need to treat Layer-2 configurations as security-relevant. Overall, the work reveals a previously underrecognized class of insider-threats driven by legitimate user behavior and calls for integrating control-plane hardening into risk models and security baselines to protect availability in real-world networks.

Abstract

Denial-of-Service (DoS) conditions in enterprise networks are commonly attributed to malicious actors. However, availability can also be compromised by benign non-malicious insider behavior. This paper presents an empirical study of a production enterprise LAN that demonstrates how routine docking and undocking of user endpoints repeatedly trigger rapid recalculations of the control plane of the Rapid Spanning Tree Protocol (RSTP) [1]. Although protocol-compliant and nonmalicious, these events introduce transient forwarding disruptions of approximately 2-4 seconds duration that degrade realtime streaming (voice and video) services while remaining largely undetected by conventional security monitoring. We map this phenomenon to the NIST and MITRE insider threat frameworks, characterizing it as an unintentional insider-driven availability breach, and demonstrate that explicit edge-port configuration effectively mitigates the condition without compromising loop prevention
Paper Structure (17 sections, 2 equations, 3 figures, 1 table)

This paper contains 17 sections, 2 equations, 3 figures, 1 table.

Table of Contents

  1. Introduction
  2. Motivation
  3. Contribution
  4. Background and Related Work
  5. Insider Threats and Accidental Insiders
  6. Availability and Denial-of-Service as Security Incidents
  7. Layer-2 Control-Plane Protocols and Stability
  8. Sensitivity of Real Time Applications to Network Disruptions
  9. System Model and Network Architecture
  10. Threat Model and Insider Threat Mapping
  11. Measurement methodology
  12. Experimental Results
  13. Root Cause Analysis
  14. Security Implications and Mitigations
  15. Mitigation Strategy
  16. ...and 2 more sections

Figures (3)

  • Figure 1: Enterprise access-layer topology.
  • Figure 2: RSTP/port-state changes log. For privacy reasons, we excluded information like IP, switch name, and location metadata from the snap.
  • Figure 3: Switch log status after changing the access edge port to PortFast mode.