On Feb 9, 2012, at 6:54 PM, Bob Hoffman wrote:
entire ip block went out.
when I called datacenter they told me the router was under attack and I was like 'uh oh' and told them to just shut off my computer I would be there to fix it. They did not believe me. An hour later I was there and deleted the eth1 point to the br0 and all was fine. Meanwhile they were all around the router trying to stop the attack. (it was just the router for me and others in that room....oops)
I wonder if they will boot me from the center now? How is it possible that it did that so quickly? Such an easy way to bring down routers, wow, a hacker could have a field day.
If you weren't running a spanning-tree on your Linux bridge, and their switch ports aren't sending you BPDU's for STP, then you found out what happens when you activate a bridging (from the point of view of the switch, not the Linux bridging) loop. Been there, done that. Most monitoring tools are written to track layer-3 happenings, and this is happening at layer 2. And it will take down that whole layer 2 broadcast domain, that's for sure.
And since many, if not most, tools are working at layer 3 and dealing with IP flows and not actual ethernet traffic, none of the typical layer 3 tools will give any indication why the network just bogged down to a halt; you just about have to have a network probe (like wireshark) on a SPAN port to catch it, unless you know some of the telltale signs. On a gigabit switch a fully saturating bridge loop can form in less than a second, and bring things close to a halt.
Most datacenter switches have configurable parameters to guard against loops (Cisco even has a feature called, appropriately enough, loopguard, but this may or may not fix this case).