Availability Attacks Without an Adversary: Evidence from Enterprise LANs

TL;DR

This study reveals that routine, benign insider actions in enterprise LANs can unintentionally cause availability disruptions by triggering protocol recalculations, impacting real-time services without detection, and can be mitigated through specific configurations.

Contribution

It provides empirical evidence of non-malicious insider actions causing network disruptions and proposes effective mitigation strategies within enterprise LANs.

Findings

Routine docking/undocking triggers RSTP recalculations

Disruptions last 2-4 seconds, affecting real-time services

Edge-port configuration mitigates disruptions

Abstract

Denial-of-Service (DoS) conditions in enterprise networks are commonly attributed to malicious actors. However, availability can also be compromised by benign non-malicious insider behavior. This paper presents an empirical study of a production enterprise LAN that demonstrates how routine docking and undocking of user endpoints repeatedly trigger rapid recalculations of the control plane of the Rapid Spanning Tree Protocol (RSTP) [1]. Although protocol-compliant and nonmalicious, these events introduce transient forwarding disruptions of approximately 2-4 seconds duration that degrade realtime streaming (voice and video) services while remaining largely undetected by conventional security monitoring. We map this phenomenon to the NIST and MITRE insider threat frameworks, characterizing it as an unintentional insider-driven availability breach, and demonstrate that explicit edge-port configuration effectively mitigates the condition without compromising loop prevention